--- Begin Message ---
Subject: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
Date: Sun, 23 May 2021 17:15:11 +0200
Greetings Guix,
What's old is new again! Expat 2.4.0 was recently released with a
fix for a denial of service issue dubbed "billion laughs attack":
https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
https://en.wikipedia.org/wiki/Billion_laughs_attack
Seeing as this vulnerability appears to be eight years old and is
"merely" a DoS: is it worth fixing on the 'master' branch (and
re-grafting pretty much everything)?
In any case, I've attached a patch that does just that, and I'm currently
using it on my system. I'm hesitant to push it because of the grafting
cost and would like others' opinions.
Attachment: 0001-gnu-expat-Replace-with-2.4.0-fixes-CVE-2013-0340.patch
--- End Message ---
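The attack the message refers to, shown as an added illustration that is not part of this bug report, of Guix, or of expat: a constructed entity-expansion payload, the default expat behaviour of expanding it, a version check for the expat 2.4.0 amplification limit via the stdlib binding, and the application-level mitigation that works regardless of which expat is linked (refuse entity declarations in untrusted input). The payload builder, the counting handlers and the `EntityDeclarationRejected` exception are assumptions of this example.

```python
"""Constructed illustration of an XML entity-expansion ("billion laughs")
payload and two application-level checks, using the stdlib binding to expat."""
import xml.parsers.expat


class EntityDeclarationRejected(Exception):
    """Raised when untrusted XML tries to declare an entity (this example's own type)."""


def billion_laughs(depth: int, fanout: int = 10) -> bytes:
    """Build a constructed entity-expansion payload: entity lol<i> references
    lol<i-1> `fanout` times, so the document body expands to 3 * fanout**depth
    bytes of text from a payload only a few hundred bytes long."""
    lines = ['<?xml version="1.0"?>', "<!DOCTYPE lolz [", '<!ENTITY lol "lol">']
    prev = "lol"
    for i in range(1, depth + 1):
        lines.append(f'<!ENTITY lol{i} "{("&" + prev + ";") * fanout}">')
        prev = f"lol{i}"
    lines.append("]>")
    lines.append(f"<lolz>&{prev};</lolz>")
    return "\n".join(lines).encode()


def expansion_size(depth: int, fanout: int = 10) -> int:
    """Bytes of character data a parser must produce for billion_laughs(depth, fanout)."""
    return 3 * fanout ** depth


def linked_expat_has_protection() -> bool:
    """Expat 2.4.0 introduced the amplification limit the thread discusses;
    this reports whether the expat that Python was linked against is at least that."""
    return xml.parsers.expat.version_info >= (2, 4, 0)


def _counting_parser(reject_entities: bool):
    """Expat parser that counts elements and character data; optionally it
    aborts on the first entity declaration seen in the DTD."""
    parser = xml.parsers.expat.ParserCreate()
    seen = {"elements": 0, "chars": 0}

    def start(name, attrs):
        seen["elements"] += 1

    def chars(text):
        seen["chars"] += len(text)

    def entity_decl(name, *_):
        # Raising inside a handler stops the parse; Parse() re-raises it.
        raise EntityDeclarationRejected(f"entity declaration {name!r} in untrusted input")

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    if reject_entities:
        parser.EntityDeclHandler = entity_decl
    return parser, seen


def parse_permissive(data: bytes) -> dict:
    """Default expat behaviour: entities are expanded. A depth-3 payload expands
    to only a few thousand bytes, well below the 8 MiB activation threshold of
    expat 2.4's protection, so even a patched library expands it in full."""
    parser, seen = _counting_parser(reject_entities=False)
    parser.Parse(data, True)
    return seen


def parse_untrusted(data: bytes) -> dict:
    """Hardened variant: any entity declaration aborts the parse before a single
    reference is expanded, independent of the expat version installed."""
    parser, seen = _counting_parser(reject_entities=True)
    parser.Parse(data, True)
    return seen


def rejects_entities(data: bytes) -> bool:
    """True if the hardened parser refused the document because it declares entities."""
    try:
        parse_untrusted(data)
    except EntityDeclarationRejected:
        return True
    return False


if __name__ == "__main__":
    payload = billion_laughs(depth=3)
    print(f"payload {len(payload)} bytes -> {expansion_size(3)} bytes of text")
    print("permissive parse saw", parse_permissive(payload)["chars"], "chars")
    print("hardened parse rejected:", rejects_entities(payload))
    print("linked expat >= 2.4.0:", linked_expat_has_protection())
```

Raising the depth to 9 with the default fanout gives the classic payload, which a pre-2.4.0 expat will try to expand into roughly 3 GB of character data; the version check tells you whether the library itself would refuse that, while rejecting entity declarations up front removes the dependence on the library version entirely.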
--- Begin Message ---
Subject: Re: bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
Date: Wed, 2 Jun 2021 23:16:29 -0400
On Mon, May 24, 2021 at 01:06:47PM -0400, Leo Famulari wrote:
> I think it's okay to graft it. The distro is big enough that there will
> always be some grafted packages. However, I'd like to try ungrafting at
> regular periods; based on the current ungrafting build cycle, monthly
> may be reasonable.
I updated your patch to use expat 2.4.1 and pushed as
6d71f6a73cd27d61d3302b9658893428af6314d2
--- End Message ---