GNU bug report logs - #48612
Expat "billion laughs attack" vulnerability (CVE-2013-0340)
Reported by: Marius Bakke <marius <at> gnu.org>
Date: Sun, 23 May 2021 15:16:01 UTC
Severity: normal
Tags: security
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
Message #8 received at 48612 <at> debbugs.gnu.org (full text, mbox):
Marius Bakke wrote on Sun 23-05-2021 at 17:15 [+0200]:
> Greetings Guix,
>
> What's old is new again! Expat 2.4.0 was recently released with a
> fix for a denial of service issue dubbed "billion laughs attack":
>
> https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
> https://en.wikipedia.org/wiki/Billion_laughs_attack
>
> Seeing as this vulnerability appears to be eight years old and is
> "merely" a DoS: is it worth fixing on the 'master' branch (and
> re-grafting pretty much everything)?
Since this is ‘merely’ a DoS that does not lead to an exploit, I
would simply upgrade the package on 'core-updates'. However, I don't
run any servers. At worst, an attacker could bring down a computer or
burn CPU cycles but nothing else. Bad, but not an exploit and not worth
a graft in my opinion. If this attack is found to cause an annoyance in
the wild, we can easily add a graft later.
>
> In any case I've attached a patch that does just that and I'm currently
> using it on my system. I'm hesitant to push it because of the grafting
> cost and would like others' opinion.
>
I would like others' opinion as well.
Greetings,
Maxime.
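The thread weighs how urgent the Expat 2.4.0 upgrade is, given that the "billion laughs" issue is a resource-exhaustion DoS driven by nested internal entity declarations. The following is an added example, not part of the bug report, Marius's patch, or Expat's own 2.4.0 protection logic: it shows how an application that uses Python's expat binding can estimate, at DTD parse time, how far the declared entities would amplify the input and abort before expansion is attempted. The `MAX_AMPLIFICATION` policy value, the `AmplificationGuard` class, the `parse_guarded`/`estimate_amplification` helper names and both XML documents are constructed here for illustration.

```python
"""Application-level guard against XML internal-entity amplification
(the pattern behind the "billion laughs" DoS), layered on Python's expat binding.
Added example; not code from Expat, Guix or the bug report above."""
import re
import xml.parsers.expat

# Assumed policy value (not from Expat or the report): reject a document once its
# declared internal entities would expand to more than 10x the text that declares them.
MAX_AMPLIFICATION = 10

# Matches a general entity reference such as "&lol;" inside replacement text.
_ENTITY_REF = re.compile(r"&([^;&\s<>]+);")


class EntityAmplificationError(ValueError):
    """Raised when the DTD's internal entities amplify input beyond policy."""


class AmplificationGuard:
    """Tracks internal general entities as expat reports their declarations and
    estimates how large each would become if fully expanded."""

    def __init__(self, max_amplification=MAX_AMPLIFICATION):
        self.max_amplification = max_amplification
        self.declared_bytes = 0   # replacement text as written in the DTD
        self.expanded = {}        # entity name -> fully expanded length

    def on_entity_decl(self, name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        # Expat's EntityDeclHandler signature; external and parameter entities
        # are outside this estimate, so only internal general entities are counted.
        if is_parameter_entity or value is None:
            return
        self.declared_bytes += len(value)
        # Expanded size = literal characters plus the expanded size of each
        # reference to an entity declared earlier (unknown refs count literally).
        size, pos = 0, 0
        for m in _ENTITY_REF.finditer(value):
            size += m.start() - pos
            size += self.expanded.get(m.group(1), len(m.group(0)))
            pos = m.end()
        size += len(value) - pos
        self.expanded[name] = size
        total_expanded = sum(self.expanded.values())
        if total_expanded > self.max_amplification * self.declared_bytes:
            # Raising inside an expat handler stops the parser and propagates
            # out of Parse(), so the body is never expanded.
            raise EntityAmplificationError(
                f"entity {name!r}: {total_expanded} expanded bytes from "
                f"{self.declared_bytes} declared bytes exceeds policy")


def parse_guarded(data, max_amplification=MAX_AMPLIFICATION):
    """Parse an XML document with expat under the amplification policy and
    return its concatenated character data."""
    guard = AmplificationGuard(max_amplification)
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = guard.on_entity_decl
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def estimate_amplification(data):
    """Return (declared_bytes, total_expanded_bytes) for a document's internal
    entities without enforcing the policy (useful for logging or tuning)."""
    guard = AmplificationGuard(max_amplification=float("inf"))
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = guard.on_entity_decl
    parser.Parse(data, True)
    return guard.declared_bytes, sum(guard.expanded.values())


# Constructed sample: one ordinary internal entity, well within policy.
BENIGN_XML = """<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY company "Example Corp">
]>
<doc>&company; report</doc>"""

# Constructed sample: three nesting levels of four references each (64x growth),
# far below the sizes needed to exhaust memory but enough to trip the policy.
NESTED_XML = """<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;">
  <!ENTITY d "&c;&c;&c;&c;">
]>
<doc>&d;</doc>"""


if __name__ == "__main__":
    print("benign:", parse_guarded(BENIGN_XML), estimate_amplification(BENIGN_XML))
    print("nested:", estimate_amplification(NESTED_XML))
    try:
        parse_guarded(NESTED_XML)
    except EntityAmplificationError as exc:
        print("rejected:", exc)
```

The estimate is computed from declarations alone, so the decision is made before any reference in the document body is expanded; Expat 2.4.0's built-in protection works on the same amplification idea but only activates once output passes a size threshold, which is why a small check like this is a useful complement rather than a replacement for the upgrade discussed above.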