GNU bug report logs - #48612
Expat "billion laughs attack" vulnerability (CVE-2013-0340)


Package: guix;

Reported by: Marius Bakke <marius <at> gnu.org>

Date: Sun, 23 May 2021 15:16:01 UTC

Severity: normal

Tags: security

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#48612; Package guix. (Sun, 23 May 2021 15:16:01 GMT)

Acknowledgement sent to Marius Bakke <marius <at> gnu.org>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 23 May 2021 15:16:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Marius Bakke <marius <at> gnu.org>
To: bug-guix <at> gnu.org
Subject: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
Date: Sun, 23 May 2021 17:15:11 +0200
Greetings Guix,

What's old is new again!  Expat 2.4.0 was recently released with a
fix for a denial of service issue dubbed "billion laughs attack":

  https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
  https://en.wikipedia.org/wiki/Billion_laughs_attack

Seeing as this vulnerability appears to be eight years old and is
"merely" a DoS: is it worth fixing on the 'master' branch (and
re-grafting pretty much everything)?

In any case I've attached a patch that does just that and I'm currently
using it on my system.  I'm hesitant to push it because of the grafting
cost and would like others' opinion.

[0001-gnu-expat-Replace-with-2.4.0-fixes-CVE-2013-0340.patch (text/x-patch, attachment)]
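As an added illustration (not code from this thread or from libexpat), the following stand-alone Python model shows the kind of check Expat 2.4.0 introduced: it tracks how many bytes entity expansion makes the parser re-read and rejects a document whose amplification factor exceeds a limit. The default limit (100.0) and activation threshold (8 MiB) are those documented in the R_2_4_0 Changes file; the regexes, function names and sample document are constructed for this example, and only internal general entities are modelled.

```python
import re

# Defaults Expat 2.4.0 introduced for its billion-laughs protection (per the
# R_2_4_0 Changes file): a document is rejected once its output exceeds the
# activation threshold AND the amplification factor exceeds the maximum.
EXPAT_DEFAULT_MAX_AMPLIFICATION = 100.0
EXPAT_DEFAULT_ACTIVATION_THRESHOLD = 8 * 1024 * 1024  # bytes

# Internal general entities only; parameter (%) and external entities are not modelled.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')
DOCTYPE = re.compile(r'<!DOCTYPE\b.*?\]\s*>', re.DOTALL)

def reparsed_bytes(name, entities, cache, stack=frozenset()):
    """Bytes a parser re-reads when &name; is expanded, nested expansions included."""
    if name in cache:
        return cache[name]
    if name in stack:
        raise ValueError(f"entity {name!r} refers to itself (ill-formed XML)")
    body = entities.get(name)
    if body is None:
        return 0  # undeclared or predefined entity: no stored replacement text
    total = len(body) + sum(reparsed_bytes(ref, entities, cache, stack | {name})
                            for ref in ENTITY_REF.findall(body))
    cache[name] = total
    return total

def analyze(xml_text, max_amplification=EXPAT_DEFAULT_MAX_AMPLIFICATION,
            threshold=EXPAT_DEFAULT_ACTIVATION_THRESHOLD):
    """Amplification = (direct input + indirectly re-parsed bytes) / direct input."""
    entities = dict(ENTITY_DECL.findall(xml_text))
    content = DOCTYPE.sub("", xml_text, count=1)  # the DTD's own text is not output
    cache = {}
    direct = len(xml_text)
    indirect = sum(reparsed_bytes(ref, entities, cache) for ref in ENTITY_REF.findall(content))
    ratio = (direct + indirect) / direct
    rejected = direct + indirect > threshold and ratio > max_amplification
    return {"direct": direct, "indirect": indirect, "amplification": ratio, "rejected": rejected}

# Constructed sample: two nesting levels of four references, so &e2; yields 16 copies of e0.
SAMPLE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE doc [\n'
    '  <!ENTITY e0 "lol">\n'
    '  <!ENTITY e1 "&e0;&e0;&e0;&e0;">\n'
    '  <!ENTITY e2 "&e1;&e1;&e1;&e1;">\n'
    ']>\n'
    '<doc>&e2;</doc>\n'
)
```

With the Expat defaults the small sample stays well under the 8 MiB threshold and is accepted; lowering the threshold and limit shows the same document being rejected, which is what the 2.4.0 mitigation does for real-sized payloads.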

Information forwarded to bug-guix <at> gnu.org:
bug#48612; Package guix. (Sun, 23 May 2021 18:41:01 GMT)

Message #8 received at 48612 <at> debbugs.gnu.org:

From: Maxime Devos <maximedevos <at> telenet.be>
To: Marius Bakke <marius <at> gnu.org>, 48612 <at> debbugs.gnu.org
Subject: Re: bug#48612: Expat "billion laughs attack" vulnerability
 (CVE-2013-0340)
Date: Sun, 23 May 2021 20:40:29 +0200
Marius Bakke schreef op zo 23-05-2021 om 17:15 [+0200]:
> Greetings Guix,
> 
> What's old is new again!  Expat 2.4.0 was recently released with a
> fix for a denial of service issue dubbed "billion laughs attack":
> 
>   https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
>   https://en.wikipedia.org/wiki/Billion_laughs_attack
> 
> Seeing as this vulnerability appears to be eight years old and is
> "merely" a DoS: is it worth fixing on the 'master' branch (and
> re-grafting pretty much everything)?

Since this is ‘merely’ a DoS that does not lead to an exploit, I
would simply upgrade the package on 'core-updates'. However, I don't
run any servers. At worst, an attacker could bring down a computer or
burn CPU cycles but nothing else. Bad, but not an exploit and not worth
a graft in my opinion. If this attack is found to cause an annoyance in
the wild, we can easily add a graft later.

> 
> In any case I've attached a patch that does just that and I'm currently
> using it on my system.  I'm hesitant to push it because of the grafting
> cost and would like others' opinion.
> 

I would like others' opinion as well.

Greetings,
Maxime.

Information forwarded to bug-guix <at> gnu.org:
bug#48612; Package guix. (Mon, 24 May 2021 17:07:02 GMT)

Message #11 received at 48612 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Marius Bakke <marius <at> gnu.org>
Cc: 48612 <at> debbugs.gnu.org
Subject: Re: bug#48612: Expat "billion laughs attack" vulnerability
 (CVE-2013-0340)
Date: Mon, 24 May 2021 13:06:47 -0400
On Sun, May 23, 2021 at 05:15:11PM +0200, Marius Bakke wrote:
> Greetings Guix,
> 
> What's old is new again!  Expat 2.4.0 was recently released with a
> fix for a denial of service issue dubbed "billion laughs attack":
> 
>   https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
>   https://en.wikipedia.org/wiki/Billion_laughs_attack
> 
> Seeing as this vulnerability appears to be eight years old and is
> "merely" a DoS: is it worth fixing on the 'master' branch (and
> re-grafting pretty much everything)?
> 
> In any case I've attached a patch that does just that and I'm currently
> using it on my system.  I'm hesitant to push it because of the grafting
> cost and would like others' opinion.

I think it's okay to graft it. The distro is big enough that there will
always be some grafted packages. However, I'd like to try ungrafting at
regular periods; based on the current ungrafting build cycle, monthly
may be reasonable.

Added tag(s) security. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Thu, 27 May 2021 13:13:02 GMT)

Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Thu, 03 Jun 2021 03:17:02 GMT)

Notification sent to Marius Bakke <marius <at> gnu.org>:
bug acknowledged by developer. (Thu, 03 Jun 2021 03:17:02 GMT)

Message #18 received at 48612-done <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Marius Bakke <marius <at> gnu.org>
Cc: 48612-done <at> debbugs.gnu.org
Subject: Re: bug#48612: Expat "billion laughs attack" vulnerability
 (CVE-2013-0340)
Date: Wed, 2 Jun 2021 23:16:29 -0400
On Mon, May 24, 2021 at 01:06:47PM -0400, Leo Famulari wrote:
> I think it's okay to graft it. The distro is big enough that there will
> always be some grafted packages. However, I'd like to try ungrafting at
> regular periods; based on the current ungrafting build cycle, monthly
> may be reasonable.

I updated your patch to use expat 2.4.1 and pushed as
6d71f6a73cd27d61d3302b9658893428af6314d2

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 01 Jul 2021 11:24:05 GMT)
