GNU bug report logs

#48612 Expat "billion laughs attack" vulnerability (CVE-2013-0340)

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #11 received at 48612@debbugs.gnu.org (full text, mbox, reply):

Received: (at 48612) by debbugs.gnu.org; 24 May 2021 17:07:00 +0000
From debbugs-submit-bounces@debbugs.gnu.org Mon May 24 13:07:00 2021
Received: from localhost ([127.0.0.1]:43815 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1llE2e-0000cB-11
	for submit@debbugs.gnu.org; Mon, 24 May 2021 13:07:00 -0400
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:56939)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1llE2Y-0000bq-UA
 for 48612@debbugs.gnu.org; Mon, 24 May 2021 13:06:58 -0400
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
 by mailout.nyi.internal (Postfix) with ESMTP id D1B5E5C00E4;
 Mon, 24 May 2021 13:06:49 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162])
 by compute3.internal (MEProxy); Mon, 24 May 2021 13:06:49 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=date:from:to:cc:subject:message-id:references:mime-version
 :content-type:in-reply-to; s=mesmtp; bh=UtjbGrwPIBvK6Wk+YYxG9UcP
 02iobf1aFkWrUpaR4gk=; b=wJM62jsx+A1xcMi0UDGue2kYjPcbJQDSplhNFYh2
 gcRYaSFeBg889dO7t/QIgGx7YWYHmPXIlVdWa0+NA0ixXbz1RqvkaiX05In2uDSs
 8mQABimGBnMj4a8kx3bvTj6OsIvL+Q8GfOjJy3KPVkpoz07YX8OgbFuuf8BavXtJ
 xpQ=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-proxy
 :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=UtjbGr
 wPIBvK6Wk+YYxG9UcP02iobf1aFkWrUpaR4gk=; b=KIqFCcKD4SpEUHWwTMbxHG
 9ImBoFGGTIG+exn0nkmTfDC1P2HoQgGZk+8CheGpxk0vJ4phY4JWVyjnNXjcTEiY
 SPsEH4ap47AYRFDKRejCUa+jnTNg4CH0fNRBfiTb/cVkpCATLQ5zotlzYt/km56w
 SpSfZBLzae5lkPNQWRFg6HYH6isE09s8QXocnqbV94IHyveeoCFxF2nhMlxVTRhg
 PDP1j8/gJf7+eOJgzi/ewqmrwroBv+NWgAAb8jnjFGEQg1QdsvY78KqzOjNwlWeA
 JDTo+PxzDb0baTCFyLPLoT/E4mkwfYIzM0oowYiwKeAqh83s+VcLyzjsxZVlHEfQ
 ==
X-ME-Sender: <xms:Kd2rYAibztoDopJJtpIbWmWbK4jjtPxtoKTYvtkUtK25mg_n2UFaIw>
 <xme:Kd2rYJBOl-wOtuWtH-kq6ANKGUdKBFUHaey-FzETtSXi8NnaT8VaBQGwC2g9knJYN
 440PEQykVf6c2Wy8g>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrvdejledgudduudcutefuodetggdotefrod
 ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh
 necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd
 enucfjughrpeffhffvuffkfhggtggujgesghdtreertddtvdenucfhrhhomhepnfgvohcu
 hfgrmhhulhgrrhhiuceolhgvohesfhgrmhhulhgrrhhirdhnrghmvgeqnecuggftrfgrth
 htvghrnhephfetjeetgefhhfeklefhfefftdffgfdvjeeffeeitedvhedthfdtlefhudek
 tdetnecuffhomhgrihhnpehgihhthhhusgdrtghomhdpfihikhhiphgvughirgdrohhrgh
 enucfkphepuddttddruddurdduieelrdduudeknecuvehluhhsthgvrhfuihiivgeptden
 ucfrrghrrghmpehmrghilhhfrhhomheplhgvohesfhgrmhhulhgrrhhirdhnrghmvg
X-ME-Proxy: <xmx:Kd2rYIErIvFTvPSA5quKz7iZVeoVy-74aNZy1uvsnkSMuWrejP6f_Q>
 <xmx:Kd2rYBTYcZxiP7YCEwuA8R6DucRweNgV62eKN4d0m7udcyWb8OPM2g>
 <xmx:Kd2rYNy8Tquv9ArhUtj1nCV-1JjJZ0HyO6WrX-NgnRarydxmwRnB3g>
 <xmx:Kd2rYGvD4LNXWLzbhM25nvT_-WR1xhzAX_pHU70YxEtzTw0ZfA5iOg>
Received: from localhost (pool-100-11-169-118.phlapa.fios.verizon.net
 [100.11.169.118]) by mail.messagingengine.com (Postfix) with ESMTPA;
 Mon, 24 May 2021 13:06:49 -0400 (EDT)
Date: Mon, 24 May 2021 13:06:47 -0400
From: Leo Famulari <leo@famulari.name>
To: Marius Bakke <marius@gnu.org>
Subject: Re: bug#48612: Expat "billion laughs attack" vulnerability
 (CVE-2013-0340)
Message-ID: <YKvdJ75zNMh+8aHw@jasmine.lan>
References: <87bl91qy68.fsf@gnu.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="9yZvwUmPev/v46Qv"
Content-Disposition: inline
In-Reply-To: <87bl91qy68.fsf@gnu.org>
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 48612
Cc: 48612@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

[Message part 1 (text/plain, inline)]
On Sun, May 23, 2021 at 05:15:11PM +0200, Marius Bakke wrote:
> Greetings Guix,
> 
> What's old is new again!  Expat 2.4.0 was recently released with a
> fix for a denial of service issue dubbed "billion laughs attack":
> 
>   https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
>   https://en.wikipedia.org/wiki/Billion_laughs_attack
> 
> Seeing as this vulnerability appears to be eight years old and is
> "merely" a DoS: is it worth fixing on the 'master' branch (and
> re-grafting pretty much everything)?
> 
> In any case I've attached a patch that does just that and I'm currently
> using it on my system.  I'm hesitant to push it because of the grafting
> cost and would like others opinion.

I think it's okay to graft it. The distro is big enough that there will
always be some grafted packages. However, I'd like to try ungrafting at
regular periods; based on the current ungrafting build cycle, monthly
may be reasonable.

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 18:11:53 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.