Report forwarded to bug-guix@gnu.org: bug#48612; Package guix. (Sun, 23 May 2021 15:16:01 GMT)
Acknowledgement sent to Marius Bakke <marius@gnu.org>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Sun, 23 May 2021 15:16:01 GMT)
Greetings Guix,
What's old is new again! Expat 2.4.0 was recently released with a
fix for a denial of service issue dubbed "billion laughs attack":
https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
https://en.wikipedia.org/wiki/Billion_laughs_attack
Seeing as this vulnerability appears to be eight years old and is
"merely" a DoS: is it worth fixing on the 'master' branch (and
re-grafting pretty much everything)?
In any case I've attached a patch that does just that and I'm currently
using it on my system. I'm hesitant to push it because of the grafting
cost and would like others' opinion.
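To show what the Expat 2.4.0 change enforces, here is an added example (not from this thread and not Expat's own code): a pre-parse check that computes how far a document's internal entities expand without materialising the expansion, then applies Expat's rule of a maximum amplification factor of 100 that only activates once more than 8 MiB of output would be produced. The regexes, the simplified treatment of undeclared entities and the sample document are my own constructions.

```python
import re
# Limits modelled on Expat 2.4.0's defaults: reject once the expanded output
# exceeds MAX_AMPLIFICATION x raw input, but only past ACTIVATION_THRESHOLD bytes.
MAX_AMPLIFICATION = 100.0
ACTIVATION_THRESHOLD = 8 * 1024 * 1024
_DOCTYPE = re.compile(r"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.S)
_ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
_ENTITY_REF = re.compile(r"&(\w+);")

def internal_entities(xml):
    """General entities declared in the internal DTD subset, name -> value."""
    m = _DOCTYPE.search(xml)
    return dict(_ENTITY_DECL.findall(m.group(1))) if m else {}

def expanded_size(text, entities, memo, stack=()):
    """Bytes TEXT occupies once every entity reference is expanded, computed
    arithmetically so the check never builds the expansion; recursion raises."""
    size, last = 0, 0
    for ref in _ENTITY_REF.finditer(text):
        name = ref.group(1)
        if name in stack:
            raise ValueError(f"recursive entity &{name};")
        if name not in memo:  # undeclared entities count as empty here
            memo[name] = expanded_size(entities.get(name, ""), entities,
                                       memo, stack + (name,))
        size += ref.start() - last + memo[name]
        last = ref.end()
    return size + len(text) - last

def amplification(xml):
    """Return (expanded body bytes, expanded/raw ratio) for one document."""
    m = _DOCTYPE.search(xml)
    body = xml[m.end():] if m else xml
    memo = {n: 1 for n in ("lt", "gt", "amp", "apos", "quot")}  # predefined
    expanded = expanded_size(body, internal_entities(xml), memo)
    return expanded, expanded / max(len(xml), 1)

def is_safe(xml, max_amplification=MAX_AMPLIFICATION,
            activation_threshold=ACTIVATION_THRESHOLD):
    """Expat 2.4.0's acceptance rule, applied before the document is parsed."""
    expanded, ratio = amplification(xml)
    return expanded <= activation_threshold or ratio <= max_amplification

# Constructed sample: three nesting levels, each referencing the previous one
# ten times, so &c; expands to 1000 bytes inside a 170-byte document.
SAMPLE = ('<?xml version="1.0"?>\n<!DOCTYPE doc [\n'
          '<!ENTITY a "0123456789">\n'
          '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">\n'
          '<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">\n'
          ']>\n<doc>&c;</doc>')
```

The sample passes the default rule because 1012 bytes of output is far below the 8 MiB activation threshold; lowering the threshold to zero makes the 5.95x ratio the deciding factor, which is the regime the real protection targets.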
Marius Bakke wrote on Sun 23-05-2021 at 17:15 [+0200]:
> Greetings Guix,
>
> What's old is new again! Expat 2.4.0 was recently released with a
> fix for a denial of service issue dubbed "billion laughs attack":
>
> https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
> https://en.wikipedia.org/wiki/Billion_laughs_attack
>
> Seeing as this vulnerability appears to be eight years old and is
> "merely" a DoS: is it worth fixing on the 'master' branch (and
> re-grafting pretty much everything)?
Since this is ‘merely’ a DoS that does not lead to an exploit, I
would simply upgrade the package on 'core-updates'. However, I don't
run any servers. At worst, an attacker could bring down a computer or
burn CPU cycles but nothing else. Bad, but not an exploit and not worth
a graft in my opinion. If this attack is found to cause an annoyance in
the wild, we can easily add a graft later.
>
> In any case I've attached a patch that does just that and I'm currently
> using it on my system. I'm hesitant to push it because of the grafting
> cost and would like others' opinion.
>
I would like others' opinion as well.
Greetings,
Maxime.
On Sun, May 23, 2021 at 05:15:11PM +0200, Marius Bakke wrote:
> Greetings Guix,
>
> What's old is new again! Expat 2.4.0 was recently released with a
> fix for a denial of service issue dubbed "billion laughs attack":
>
> https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
> https://en.wikipedia.org/wiki/Billion_laughs_attack
>
> Seeing as this vulnerability appears to be eight years old and is
> "merely" a DoS: is it worth fixing on the 'master' branch (and
> re-grafting pretty much everything)?
>
> In any case I've attached a patch that does just that and I'm currently
> using it on my system. I'm hesitant to push it because of the grafting
> cost and would like others' opinion.
I think it's okay to graft it. The distro is big enough that there will
always be some grafted packages. However, I'd like to try ungrafting at
regular periods; based on the current ungrafting build cycle, monthly
may be reasonable.
On Mon, May 24, 2021 at 01:06:47PM -0400, Leo Famulari wrote:
> I think it's okay to graft it. The distro is big enough that there will
> always be some grafted packages. However, I'd like to try ungrafting at
> regular periods; based on the current ungrafting build cycle, monthly
> may be reasonable.
I updated your patch to use expat 2.4.1 and pushed as
6d71f6a73cd27d61d3302b9658893428af6314d2