From: Marius Bakke
To: bug-guix@gnu.org
Subject: bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
Date: Sun, 23 May 2021 17:15:11 +0200
Message-ID: <87bl91qy68.fsf@gnu.org>

Greetings Guix,

What's old is new again! Expat 2.4.0 was recently released with a
fix for a denial of service issue dubbed "billion laughs attack":

https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
https://en.wikipedia.org/wiki/Billion_laughs_attack

Seeing as this vulnerability appears to be eight years old and is
"merely" a DoS: is it worth fixing on the 'master' branch (and
re-grafting pretty much everything)?

In any case I've attached a patch that does just that and I'm currently
using it on my system. I'm hesitant to push it because of the grafting
cost and would like others' opinion.

Content-Disposition: attachment; filename=0001-gnu-expat-Replace-with-2.4.0-fixes-CVE-2013-0340.patch

From 2589767bf405b837db06dadf1c9f990620f11a38 Mon Sep 17 00:00:00 2001
From: Marius Bakke
Date: Sun, 23 May 2021 14:22:16 +0200
Subject: [PATCH] gnu: expat: Replace with 2.4.0 [fixes CVE-2013-0340].

* gnu/packages/xml.scm (expat-2.4.0): New variable.
(expat)[replacement]: New field.
---
 gnu/packages/xml.scm | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index ad2e3ec6c9..cbd33326e8 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -13,7 +13,7 @@ ;;; Copyright =C2=A9 2016 Jan Nieuwenhuizen ;;; Copyright =C2=A9 2016, 2017 Nikita ;;; Copyright =C2=A9 2016=E2=80=932021 Tobias Geerinckx-Rice =2D;;; Copyright =C2=A9 2016, 2017, 2018, 2019, 2020 Marius Bakke +;;; Copyright =C2=A9 2016, 2017, 2018, 2019, 2020, 2021 Marius Bakke ;;; Copyright =C2=A9 2017 Adriano Peluso ;;; Copyright =C2=A9 2017 Gregor Giesen ;;; Copyright =C2=A9 2017 Alex Vong @@ -121,6 +121,7 @@ the entire document.") (package (name "expat") (version "2.2.9") + (replacement expat-2.4.0) (source (let ((dot->underscore (lambda (c) (if (char=3D? #\. c) #\_ c)= ))) (origin (method url-fetch) 
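Review bot: the `(replacement expat-2.4.0)` field in the `@@ -121,6 +121,7 @@` hunk is what turns this change into a graft of every package that depends on expat, which the cover letter itself flags as the costly part; the commit message only says "New field", so it should record that 2.4.0 is ABI-compatible with 2.2.9 (a Guix `replacement` has to be, since dependents are not rebuilt against it) and why a graft on master was preferred over a plain upgrade on core-updates, which is exactly what the thread is debating.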
@@ -144,6 +145,24 @@ stream-oriented parser in which an application registe= rs handlers for things the parser might find in the XML document (like start tags).") (license license:expat))) =20 +;; Replacement package to fix CVE-2013-0340. +(define expat-2.4.0 + (package + (inherit expat) + (version "2.4.0") + (source (let ((dot->underscore (lambda (c) (if (char=3D? #\. c) #\_ c)= ))) + (origin + (method url-fetch) + (uri (list (string-append "mirror://sourceforge/expat/expa= t/" + version "/expat-" version ".tar.= xz") + (string-append + "https://github.com/libexpat/libexpat/releases= /download/R_" + (string-map dot->underscore version) + "/expat-" version ".tar.xz"))) + (sha256 + (base32 + "04hyv04ygicyajb9ancv02a7sj5v97d94m2bnrjr5fx03r84iib3"))= ))))) + (define-public libebml (package (name "libebml") =2D-=20 2.31.1
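Review bot: in the `@@ -144,6 +145,24 @@` hunk the variable name `expat-2.4.0`, the comment `;; Replacement package to fix CVE-2013-0340.`, the `(version "2.4.0")` string and the `sha256` are all pinned to a single release, and the thread ends up pushing 2.4.1 instead; a version-neutral name such as `expat/fixed` (the usual Guix naming for replacements) would let a later bump touch only `version` and `sha256` without renaming the variable and the `replacement` reference in the previous hunk. The `source` form repeats the `dot->underscore` helper and both URIs from `expat` verbatim; that is expected here, since `version` inside `source` must refer to the new package's own field, but it is worth a one-line comment so the next reader does not try to deduplicate it.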
From: Maxime Devos
To: Marius Bakke, 48612@debbugs.gnu.org
Date: Sun, 23 May 2021 20:40:29 +0200
Message-ID: <29e294edf8ccdb887acd74e5a65c77c2e974aa75.camel@telenet.be>
In-Reply-To: <87bl91qy68.fsf@gnu.org>

Marius Bakke wrote on Sun 23-05-2021 at 17:15 [+0200]:
> Greetings Guix,
> 
> What's old is new again! Expat 2.4.0 was recently released with a
> fix for a denial of service issue dubbed "billion laughs attack":
> 
> https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
> https://en.wikipedia.org/wiki/Billion_laughs_attack
> 
> Seeing as this vulnerability appears to be eight years old and is
> "merely" a DoS: is it worth fixing on the 'master' branch (and
> re-grafting pretty much everything)?

Since this is ‘merely’ a DoS that does not lead to an exploit, I would
simply upgrade the package on 'core-updates'. However, I don't run any
servers.
At worst, an attacker could bring down a computer or burn CPU cycles but
nothing else. Bad, but not an exploit and not worth a graft in my
opinion. If this attack is found to cause an annoyance in the wild, we
can easily add a graft later.

> 
> In any case I've attached a patch that does just that and I'm currently
> using it on my system. I'm hesitant to push it because of the grafting
> cost and would like others' opinion.
> 

I would like others' opinion as well.

Greetings,
Maxime.
From: Leo Famulari
To: Marius Bakke
Cc: 48612@debbugs.gnu.org
Date: Mon, 24 May 2021 13:06:47 -0400
In-Reply-To: <87bl91qy68.fsf@gnu.org>

On Sun, May 23, 2021 at 05:15:11PM +0200, Marius Bakke wrote:
> Greetings Guix,
> 
> What's old is new again! Expat 2.4.0 was recently released with a
> fix for a denial of service issue dubbed "billion laughs attack":
> 
> https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
> https://en.wikipedia.org/wiki/Billion_laughs_attack
> 
> Seeing as this vulnerability appears to be eight years old and is
> "merely" a DoS: is it worth fixing on the 'master' branch (and
> re-grafting pretty much everything)?
> 
> In any case I've attached a patch that does just that and I'm currently
> using it on my system. I'm hesitant to push it because of the grafting
> cost and would like others' opinion.

I think it's okay to graft it. The distro is big enough that there will
always be some grafted packages. However, I'd like to try ungrafting at
regular periods; based on the current ungrafting build cycle, monthly
may be reasonable.
From: Ludovic Courtès
To: control@debbugs.gnu.org
Date: Thu, 27 May 2021 15:12:36 +0200
Message-Id: <87zgwgl3qz.fsf@gnu.org>
Subject: control message for bug #48612

tags 48612 + security
quit
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Marius Bakke
Subject: bug#48612: closed (Re: bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340))
Date: Thu, 03 Jun 2021 03:17:02 +0000
Reply-To: 48612@debbugs.gnu.org

Your bug report

#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.

If you require more details, please reply to 48612@debbugs.gnu.org.

-- 
48612: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=48612
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
From: Leo Famulari
To: Marius Bakke
Cc: 48612-done@debbugs.gnu.org
Date: Wed, 2 Jun 2021 23:16:29 -0400
Subject: Re: bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)

On Mon, May 24, 2021 at 01:06:47PM -0400, Leo Famulari wrote:
> I think it's okay to graft it. The distro is big enough that there will
> always be some grafted packages. However, I'd like to try ungrafting at
> regular periods; based on the current ungrafting build cycle, monthly
> may be reasonable.

I updated your patch to use expat 2.4.1 and pushed as
6d71f6a73cd27d61d3302b9658893428af6314d2
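The thread above only decides how to ship libexpat's fix; it does not show what the "billion laughs" class of denial of service looks like to a consumer of untrusted XML, or what that consumer can do on its own side while a distribution is still grafting. The following is an added example, not code from the bug report, from Marius's patch or from libexpat: it wraps the Python standard library's Expat binding (`xml.parsers.expat`, which links the system or bundled libexpat) and applies two mitigations that work whatever libexpat version is installed: refusing any entity declaration in input that has no business carrying a DTD, and aborting once the character data Expat delivers exceeds a fixed multiple of the raw input size, which is the same amplification idea that libexpat 2.4.0's built-in protection is based on. The function names `parse_untrusted`, `UnsafeXML` and `is_rejected`, the budget default and the two sample documents are constructed for this example.

```python
"""Consumer-side guards for untrusted XML parsed with Expat (added example)."""
import xml.parsers.expat as expat


class UnsafeXML(Exception):
    """The document declared an entity, expanded past the budget, or is malformed."""


def parse_untrusted(data: bytes, allow_entities: bool = False,
                    max_amplification: float = 10.0) -> dict:
    """Parse DATA with Expat and return {'elements': n, 'chars': m}.

    Raises UnsafeXML if DATA declares an entity (unless allow_entities is
    set) or if the character data Expat hands back grows beyond
    max_amplification times the size of the raw input.
    """
    parser = expat.ParserCreate()
    stats = {"elements": 0, "chars": 0}
    # Output budget in characters; len(data) is the raw input size in bytes.
    budget = max(len(data), 1) * max_amplification

    def on_entity_decl(entity_name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        # Every <!ENTITY ...> in the internal subset reaches this handler
        # before any content is expanded, so refusing here is cheap.
        raise UnsafeXML(f"entity declaration {entity_name!r} refused")

    def on_start_element(name, attrs):
        stats["elements"] += 1

    def on_character_data(text):
        # Expanded entity text arrives as ordinary character data, so
        # charging it against the budget bounds amplification no matter how
        # deeply the entities reference each other.
        stats["chars"] += len(text)
        if stats["chars"] > budget:
            raise UnsafeXML(
                f"character data exceeds {max_amplification}x the input size")

    if not allow_entities:
        parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start_element
    parser.CharacterDataHandler = on_character_data

    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # A libexpat with its own amplification limit (2.4.0 and later)
        # reports a breach as a parse error; treat it the same way.
        raise UnsafeXML(f"parse error: {exc}") from exc
    return stats


def is_rejected(data: bytes, **options) -> bool:
    """True if parse_untrusted refuses DATA under OPTIONS."""
    try:
        parse_untrusted(data, **options)
    except UnsafeXML:
        return True
    return False


# Constructed sample inputs for this example, not taken from the bug report.
PLAIN_DOC = b"<a><b>hi</b><b>there</b></a>"
ENTITY_DOC = b'<!DOCTYPE a [<!ENTITY x "abc">]><a>&x;&x;</a>'

if __name__ == "__main__":
    print(parse_untrusted(PLAIN_DOC))                        # {'elements': 3, 'chars': 7}
    print(is_rejected(ENTITY_DOC))                           # True: entity declared
    print(parse_untrusted(ENTITY_DOC, allow_entities=True))  # {'elements': 1, 'chars': 6}
    print(is_rejected(ENTITY_DOC, allow_entities=True,
                      max_amplification=0.05))               # True: over budget
```

The entity-declaration refusal is the right default for formats that never legitimately carry a DTD; the amplification budget is the fallback for inputs that must be allowed to declare entities. Exceptions raised inside an Expat handler stop the parser and propagate out of `Parse`, so a refused document costs no more work than reading up to the offending declaration or the point where the budget is exceeded.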