bug#48612: closed (Expat "billion laughs attack" vulnerability (CVE-2013-0340))

From: GNU bug Tracking System
Subject: bug#48612: closed (Expat "billion laughs attack" vulnerability (CVE-2013-0340))
Date: Thu, 03 Jun 2021 03:17:02 +0000

Your message dated Wed, 2 Jun 2021 23:16:29 -0400
with message-id <YLhJjeorZ1b9o4NK@jasmine.lan>
and subject line Re: bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
has caused the debbugs.gnu.org bug report #48612,
regarding Expat "billion laughs attack" vulnerability (CVE-2013-0340)
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
48612: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=48612
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
--- Begin Message ---
Subject: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
Date: Sun, 23 May 2021 17:15:11 +0200
Greetings Guix,

What's old is new again!  Expat 2.4.0 was recently released with a
fix for a denial of service issue dubbed "billion laughs attack":

  https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
  https://en.wikipedia.org/wiki/Billion_laughs_attack

Seeing as this vulnerability appears to be eight years old and is
"merely" a DoS: is it worth fixing on the 'master' branch (and
re-grafting pretty much everything)?

In any case I've attached a patch that does just that and I'm currently
using it on my system.  I'm hesitant to push it because of the grafting
cost and would like others' opinion.

Attachment: 0001-gnu-expat-Replace-with-2.4.0-fixes-CVE-2013-0340.patch
Description: Text Data

Attachment: signature.asc
Description: PGP signature


--- End Message ---
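For readers who want to see what the Expat 2.4.0 fix actually guards against, the following is an added example written for this page; it is not libexpat's code and is not part of the thread. It builds the classic "billion laughs" document, counts the bytes a parser would have to process to expand the entity references in the body (without ever materialising the expansion, which is the whole point), and applies a check of the same shape Expat uses: reject when amplification, defined as (direct + indirect bytes) / direct bytes, exceeds a limit, but only once the total has passed an activation threshold so that small documents with heavy but harmless entity use are not rejected. The limit of 100x and the 8 MiB activation threshold mirror Expat 2.4.0's documented defaults as I recall them; verify them against the `expat.h` of the version you ship. The parser here handles only internal general entities declared as `<!ENTITY name "value">`, which is an assumption made to keep the example short. All documents in the block are constructed inline.

```python
"""Offline model of the entity-expansion ("billion laughs") check added in
Expat 2.4.0.  Added example for illustration, not libexpat code: it only
understands internal general entities of the form <!ENTITY name "value">."""
import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.-]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r'&([\w.-]+);')
DOCTYPE = re.compile(r'<!DOCTYPE\b.*?\]\s*>', re.S)

# Assumed to match Expat 2.4.0's defaults (check expat.h for your version):
# amplification above 100x is rejected once at least 8 MiB of direct plus
# indirect input has been processed.
MAX_AMPLIFICATION = 100.0
ACTIVATION_THRESHOLD = 8 * 1024 * 1024


def build_billion_laughs(depth=9, fanout=10, leaf="lol"):
    """Constructed attack document: lolN expands to `fanout` copies of lol(N-1),
    so the body reference &lolN; expands to fanout**depth copies of `leaf`."""
    decls = [f'<!ENTITY lol0 "{leaf}">']
    for n in range(1, depth + 1):
        refs = f"&lol{n - 1};" * fanout
        decls.append(f'<!ENTITY lol{n} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n'
            + "\n".join(decls) + "\n]>\n"
            + f"<lolz>&lol{depth};</lolz>\n")


def entity_costs(doc):
    """Map entity name -> bytes a parser processes to expand it fully: the
    value's own bytes plus the cost of every reference inside the value.
    Computed by memoised recursion over the declarations, never by expansion.
    Raises ValueError on a recursive reference (a well-formedness error in
    XML, and an infinite loop for a naive expander)."""
    values = {}
    for m in ENTITY_DECL.finditer(doc):
        values[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    costs = {}

    def cost(name, stack):
        if name in costs:
            return costs[name]
        if name not in values:
            # Undeclared: predefined (&amp; etc.) or a well-formedness error;
            # either way it contributes nothing to amplification here.
            return 0
        if name in stack:
            raise ValueError(f"recursive entity reference via {name!r}")
        value = values[name]
        total = len(value.encode("utf-8"))
        for ref in ENTITY_REF.findall(value):
            total += cost(ref, stack | {name})
        costs[name] = total
        return total

    for name in values:
        cost(name, frozenset())
    return costs


def has_recursive_entity(doc):
    """True when the DTD declares entities that reference each other in a cycle."""
    try:
        entity_costs(doc)
    except ValueError:
        return True
    return False


def check_document(doc, max_amplification=MAX_AMPLIFICATION,
                   activation_threshold=ACTIVATION_THRESHOLD):
    """Return (accepted, amplification, indirect_bytes) for `doc`.
    amplification = (direct + indirect) / direct, where direct is the byte
    length of the document itself and indirect is the cost of expanding the
    references that appear outside the DTD.  The limit is only enforced once
    direct + indirect reaches the activation threshold."""
    direct = len(doc.encode("utf-8"))
    if direct == 0:
        return True, 1.0, 0
    costs = entity_costs(doc)
    body = DOCTYPE.sub("", doc)
    indirect = sum(costs.get(ref, 0) for ref in ENTITY_REF.findall(body))
    amplification = (direct + indirect) / direct
    accepted = (direct + indirect < activation_threshold
                or amplification <= max_amplification)
    return accepted, amplification, indirect


# Constructed benign document: heavy relative entity use, tiny absolute size.
BENIGN = ('<?xml version="1.0"?>\n<!DOCTYPE note [\n'
          '<!ENTITY company "Example Corp">\n]>\n'
          '<note>&company; and &company;</note>\n')

# Constructed malformed document: x -> y -> x.
RECURSIVE = '<!DOCTYPE a [<!ENTITY x "&y;"><!ENTITY y "&x;">]><a>&x;</a>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("billion laughs", build_billion_laughs())):
        ok, amp, indirect = check_document(doc)
        print(f"{label}: {len(doc)} bytes in, {indirect} bytes to expand, "
              f"amplification {amp:.1f}x -> {'accepted' if ok else 'REJECTED'}")
```

Run it as a script to see the benign document accepted and the nine-level attack rejected with an amplification in the millions, computed from a document of under a kilobyte. The recursion guard matters in practice: an expander that does not track the chain of entities being resolved can be driven into an infinite loop by a two-entity cycle, independently of any amplification limit.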
--- Begin Message ---
Subject: Re: bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
Date: Wed, 2 Jun 2021 23:16:29 -0400
On Mon, May 24, 2021 at 01:06:47PM -0400, Leo Famulari wrote:
> I think it's okay to graft it. The distro is big enough that there will
> always be some grafted packages. However, I'd like to try ungrafting at
> regular periods; based on the current ungrafting build cycle, monthly
> may be reasonable.

I updated your patch to use expat 2.4.1 and pushed as
6d71f6a73cd27d61d3302b9658893428af6314d2

Attachment: signature.asc
Description: PGP signature


--- End Message ---