GNU bug report logs - #48612
Expat "billion laughs attack" vulnerability (CVE-2013-0340)


Package: guix;

Reported by: Marius Bakke <marius <at> gnu.org>

Date: Sun, 23 May 2021 15:16:01 UTC

Severity: normal

Tags: security

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.


From: Marius Bakke <marius <at> gnu.org>
To: 48612 <at> debbugs.gnu.org
Subject: bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
Date: Sun, 23 May 2021 17:15:11 +0200
Greetings Guix,

What's old is new again!  Expat 2.4.0 was recently released with a
fix for a denial of service issue dubbed "billion laughs attack":

  https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
  https://en.wikipedia.org/wiki/Billion_laughs_attack

Seeing as this vulnerability appears to be eight years old and is
"merely" a DoS: is it worth fixing on the 'master' branch (and
re-grafting pretty much everything)?

In any case I've attached a patch that does just that and I'm currently
using it on my system.  I'm hesitant to push it because of the grafting
cost and would like others' opinion.

[0001-gnu-expat-Replace-with-2.4.0-fixes-CVE-2013-0340.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]
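The fix in Expat 2.4.0 works by tracking how much parser output each byte of direct input produces and aborting once that amplification ratio exceeds a limit. The block below is an added example, not code from this bug report, from Guix or from Expat: it re-creates the same amplification-ratio idea in Python as a pre-parse check that runs inside the DTD, so it rejects a nested-entity document before any content is expanded and works regardless of which Expat version sits behind `xml.parsers.expat`. The names `EntityBudget`, `check_document` and `is_safe` are this example's own, the two sample documents are constructed, and the 10x limit is a deliberately low demonstration value (Expat's own default is 100.0, applied only after 8 MiB of output).

```python
"""Pre-parse guard against exponential entity expansion ("billion laughs").

Added example, not code from the Guix bug report or from Expat.  It re-creates
in Python the amplification-ratio idea Expat 2.4.0 enforces in C, so the check
works with any Expat version behind xml.parsers.expat.
"""
import re
import xml.parsers.expat

# Matches a general entity reference such as &lol; inside replacement text.
ENTITY_REF = re.compile(r"&([^&;\s]+);")


class EntityExpansionError(ValueError):
    """Raised when declared entities would expand beyond the allowed budget."""


class EntityBudget:
    """Records internal general entities as they are declared and computes
    how large each one would become once fully expanded.

    max_amplification is deliberately low for demonstration; Expat's own
    default is 100.0 with an 8 MiB activation threshold.
    """

    def __init__(self, max_amplification=10.0, max_expanded_chars=1_000_000):
        self.max_amplification = max_amplification
        self.max_expanded_chars = max_expanded_chars
        self.entities = {}        # name -> literal replacement text
        self.declared_chars = 0   # replacement text as written in the DTD

    def expanded_size(self, name, _stack=()):
        """Fully expanded length of entity `name`, following nested references.

        Expat hands us replacement text with general entity references still
        unexpanded, so nested references are resolved here, recursively.
        """
        if name in _stack:
            raise EntityExpansionError(f"recursive entity {name!r}")
        value = self.entities.get(name)
        if value is None:
            return 0   # undeclared or external: nothing to expand here
        size, last = 0, 0
        for ref in ENTITY_REF.finditer(value):
            size += ref.start() - last                      # literal text
            size += self.expanded_size(ref.group(1), _stack + (name,))
            last = ref.end()
        return size + len(value) - last

    def declare(self, name, value):
        """Register one declaration and reject it if the budget is exceeded."""
        self.entities[name] = value
        self.declared_chars += len(value)
        expanded = self.expanded_size(name)
        # Amplification in the spirit of Expat's definition: output produced
        # per character the DTD actually contains.  A cheap-to-write,
        # expensive-to-expand entity scores high.
        ratio = expanded / max(self.declared_chars, 1)
        if expanded > self.max_expanded_chars or ratio > self.max_amplification:
            raise EntityExpansionError(
                f"entity {name!r} expands to {expanded} chars "
                f"(amplification {ratio:.1f}x)")
        return expanded


def check_document(xml_bytes, **limits):
    """Parse xml_bytes, aborting inside the DTD as soon as an entity
    declaration would blow the budget.  Returns the EntityBudget on success."""
    budget = EntityBudget(**limits)
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        if not is_parameter_entity and value is not None:
            budget.declare(name, value)   # raising here stops the parser

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)
    return budget


def is_safe(xml_bytes, **limits):
    """True if the document's entity declarations stay within the budget."""
    try:
        check_document(xml_bytes, **limits)
    except EntityExpansionError:
        return False
    return True


# Constructed samples.  The second is a three-level, scaled-down version of
# the nested-entity pattern the bug report links to; it expands to only
# 3000 characters, but its amplification already exceeds the 10x demo limit.
BENIGN_SAMPLE = b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY greet "hello">]><r>&greet;</r>'
LAUGHS_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE r [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<r>&lol3;</r>
"""

if __name__ == "__main__":
    print("benign accepted:", is_safe(BENIGN_SAMPLE))
    print("nested sample accepted:", is_safe(LAUGHS_SAMPLE))
```

The check fires on the declaration of `lol3`: its 70 characters of DTD text expand to 3000, roughly 16x the 183 characters declared so far, while the benign document has a ratio of exactly 1. Raising the limit to 20 lets the same small sample through, which is the trade-off the grafting discussion above is really about: a ratio limit bounds cost without forbidding legitimate nested entities outright.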




GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.