From: Leo Famulari
To: Marius Bakke
Cc: 48612@debbugs.gnu.org
Date: Mon, 24 May 2021 13:06:47 -0400
Subject: bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
In-Reply-To: <87bl91qy68.fsf@gnu.org>

On Sun, May 23, 2021 at 05:15:11PM +0200, Marius Bakke wrote:
> Greetings Guix,
>
> What's old is new again! Expat 2.4.0 was recently released with a
> fix for a denial of service issue dubbed "billion laughs attack":
>
> https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
> https://en.wikipedia.org/wiki/Billion_laughs_attack
>
> Seeing as this vulnerability appears to be eight years old and is
> "merely" a DoS: is it worth fixing on the 'master' branch (and
> re-grafting pretty much everything)?
>
> In any case I've attached a patch that does just that and I'm currently
> using it on my system. I'm hesitant to push it because of the grafting
> cost and would like others' opinion.

I think it's okay to graft it. The distro is big enough that there will
always be some grafted packages.

However, I'd like to try ungrafting at regular periods; based on the
current ungrafting build cycle, monthly may be reasonable.
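The thread names the "billion laughs" entity-expansion denial of service but, being about Guix grafting policy, does not show the check an application can run on untrusted XML before handing it to a parser that predates the fix. The following is an added example and is not code from the bug report, from Guix or from Expat: it uses Python's xml.parsers.expat binding to walk the DTD's internal entity declarations, estimates how large each entity would expand to by adding up the expansions of the entities it references, and rejects the document as soon as one estimate exceeds a limit or an external entity is declared. The limits, the function names and the sample documents are constructed for illustration.

```python
"""Estimate XML entity-expansion amplification before trusting a document.

Added example (not from the Guix bug report, Guix or Expat). It uses Python's
xml.parsers.expat binding: every internal general entity declared in the DTD
is measured by adding the expansions of the entities it references, and the
document is rejected as soon as one entity's estimate exceeds a limit. The
limits and the sample documents are constructed for illustration.
"""
import re
import xml.parsers.expat

# Matches a general entity reference such as &lol1; inside an entity value.
ENTITY_REF = re.compile(r"&([^;&\s]+);")


class EntityExpansionError(ValueError):
    """Raised when a DTD would make the parser expand more than we allow."""


def estimate_entity_expansion(xml_bytes, max_expansion=10_000, max_entities=100):
    """Return {entity name: estimated expanded length in characters}.

    Walks the DTD with expat's EntityDeclHandler. Declarations precede content,
    so an over-limit entity is caught before the parser ever expands it.
    External entities (no inline value) are refused outright: their size
    cannot be known in advance.
    """
    sizes = {}

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        if is_parameter:
            return  # parameter entities are already substituted into `value`
        if value is None:
            raise EntityExpansionError(f"external entity {name!r} is not allowed")
        if len(sizes) >= max_entities:
            raise EntityExpansionError(f"more than {max_entities} entity declarations")
        # Expat hands over the replacement text with general entity references
        # still literal (&lol0;), so each known reference is replaced by the
        # size of what it would expand to. Unknown or predefined references
        # (&amp;, &#x41;) are left at their literal length.
        total = len(value)
        for ref in ENTITY_REF.findall(value):
            if ref in sizes:
                total += sizes[ref] - (len(ref) + 2)
        if total > max_expansion:
            raise EntityExpansionError(
                f"entity {name!r} would expand to about {total} characters"
            )
        sizes[name] = total

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)  # an exception raised in the handler propagates
    return sizes


def xml_is_acceptable(xml_bytes, **limits):
    """True if the document passes the entity-expansion check."""
    try:
        estimate_entity_expansion(xml_bytes, **limits)
    except EntityExpansionError:
        return False
    return True


def nested_entity_doc(depth, fanout):
    """Constructed sample: entity lolN references lol(N-1) `fanout` times.

    depth=2, fanout=3 expands to 27 characters; depth=4, fanout=10 to 30000.
    """
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        refs = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    body = "\n".join(decls)
    return (
        '<?xml version="1.0"?>\n<!DOCTYPE x [\n' + body + f"\n]>\n<x>&lol{depth};</x>\n"
    ).encode()


if __name__ == "__main__":
    print(estimate_entity_expansion(nested_entity_doc(2, 3)))
    print("small document accepted:", xml_is_acceptable(nested_entity_doc(2, 3)))
    print("deeply nested document accepted:", xml_is_acceptable(nested_entity_doc(4, 10)))
```

The estimate is computed from declarations alone, so the check costs one pass over the DTD and never performs the expansion it is guarding against; a document is refused the moment a single entity's estimated size crosses the limit. The defaults are deliberately conservative for configuration-sized inputs and should be tuned to whatever size the receiving application actually needs.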