Expat "billion laughs attack" vulnerability (CVE-2013-0340)

Done. Submitted by Marius Bakke.
Details
4 participants
  • Leo Famulari
  • Ludovic Courtès
  • Marius Bakke
  • Maxime Devos
Owner: unassigned
Severity: normal
Marius Bakke wrote on 23 May 2021 17:15
(address . bug-guix@gnu.org)
87bl91qy68.fsf@gnu.org
Greetings Guix,

What's old is new again! Expat 2.4.0 was recently released with a
fix for a denial of service issue dubbed "billion laughs attack":

https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
https://en.wikipedia.org/wiki/Billion_laughs_attack

Seeing as this vulnerability appears to be eight years old and is
"merely" a DoS: is it worth fixing on the 'master' branch (and
re-grafting pretty much everything)?

In any case I've attached a patch that does just that and I'm currently
using it on my system. I'm hesitant to push it because of the grafting
cost and would like others' opinion.
From 2589767bf405b837db06dadf1c9f990620f11a38 Mon Sep 17 00:00:00 2001
From: Marius Bakke <marius@gnu.org>
Date: Sun, 23 May 2021 14:22:16 +0200
Subject: [PATCH] gnu: expat: Replace with 2.4.0 [fixes CVE-2013-0340].

* gnu/packages/xml.scm (expat-2.4.0): New variable.
(expat)[replacement]: New field.
---
gnu/packages/xml.scm | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index ad2e3ec6c9..cbd33326e8 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -13,7 +13,7 @@
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2016, 2017 Nikita <nikita@n0.is>
 ;;; Copyright © 2016–2021 Tobias Geerinckx-Rice <me@tobias.gr>
-;;; Copyright © 2016, 2017, 2018, 2019, 2020 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2016, 2017, 2018, 2019, 2020, 2021 Marius Bakke <marius@gnu.org>
 ;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com>
 ;;; Copyright © 2017 Gregor Giesen <giesen@zaehlwerk.net>
 ;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
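Review bot: the copyright-line update (a new year and a changed e-mail address) is unrelated to the CVE fix and is not listed in the commit message's change entries; either mention it there or split it out so the security graft stays a minimal, self-explanatory diff.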
@@ -121,6 +121,7 @@ the entire document.")
   (package
     (name "expat")
     (version "2.2.9")
+    (replacement expat-2.4.0)
     (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
               (origin
                 (method url-fetch)
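Review bot: `(replacement expat-2.4.0)` propagates the new library to every dependent by store-path rewriting alone, so the replacement must be a binary drop-in for 2.2.9: same package name and outputs, and the same shared-library soname, because nothing that links against libexpat is rebuilt. The commit message should say this was checked for 2.4.0; a release that changed the soname could not be grafted and would have to go the core-updates route that Maxime suggests.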
@@ -144,6 +145,24 @@ stream-oriented parser in which an application registers handlers for
 things the parser might find in the XML document (like start tags).")
     (license license:expat)))
 
+;; Replacement package to fix CVE-2013-0340.
+(define expat-2.4.0
+  (package
+    (inherit expat)
+    (version "2.4.0")
+    (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
+              (origin
+                (method url-fetch)
+                (uri (list (string-append "mirror://sourceforge/expat/expat/"
+                                          version "/expat-" version ".tar.xz")
+                           (string-append
+                            "https://github.com/libexpat/libexpat/releases/download/R_"
+                            (string-map dot->underscore version)
+                            "/expat-" version ".tar.xz")))
+                (sha256
+                 (base32
+                  "04hyv04ygicyajb9ancv02a7sj5v97d94m2bnrjr5fx03r84iib3")))))))
+
 (define-public libebml
   (package
     (name "libebml")
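Review bot: the new `source` field repeats the `dot->underscore` lambda and both mirror URIs from `expat` verbatim, with only `version` and the sha256 changed; a small helper taking the version and hash, or deriving the URIs from the package's own version, would keep the two origins from drifting and make the eventual ungraft a one-line edit. Note also that what was eventually pushed was 2.4.1, so the hash `04hyv04ygicyajb9ancv02a7sj5v97d94m2bnrjr5fx03r84iib3` on this hunk is not the one in the tree; anyone ungrafting should take version and hash from commit 6d71f6a73cd27d61d3302b9658893428af6314d2 rather than from this patch.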
-- 
2.31.1
-----BEGIN PGP SIGNATURE-----

iIUEARYKAC0WIQRNTknu3zbaMQ2ddzTocYulkRQQdwUCYKpxfw8cbWFyaXVzQGdu
dS5vcmcACgkQ6HGLpZEUEHdN7gEAqd57OAtYLb4Ax55KBrp/xcEsOgZpQP4FCCIR
QoIClgEA/AxHrXNrADEEFdw5vySvFRgyHcn1tr+CYZwZ+Ys76AsK
=jqio
-----END PGP SIGNATURE-----
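The "billion laughs" document Marius refers to is a few hundred bytes of nested entity declarations that expand to gigabytes of text, and the Expat 2.4.0 fix works by comparing how much text entity expansion produces against how much input was read. The following is an added example, not code from this bug report, from the patch, or from Expat: it computes that amplification factor arithmetically on a deliberately tiny DTD parser, so it runs offline on the attack document without ever materialising the expansion. The function names, the limit constants (chosen to mirror Expat's documented defaults of 100x and 8 MiB) and the sample documents are this example's own.

```python
"""Measuring entity-expansion amplification in an XML document.

Added example for the Guix bug report above; not code from Guix, the
patch, or Expat. It models the idea behind Expat 2.4.0's defence
(output bytes versus input bytes) on a toy DTD parser so it runs offline.
"""
import re

# Assumed limits: reject once output exceeds 100x the input, but only after
# at least 8 MiB of output, so small documents with legitimately heavy
# entity use are never rejected. Chosen to mirror Expat's defaults.
MAX_AMPLIFICATION = 100.0
ACTIVATION_THRESHOLD = 8 * 1024 * 1024

# Toy DTD parser: general entities with double-quoted values only; no
# parameter entities, external entities or single-quoted values.
ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)">')
REF_RE = re.compile(r'&(\w+);')


def parse_entities(doc):
    """Return {name: replacement text} for entities declared in the internal subset."""
    return dict(ENTITY_RE.findall(doc))


def expanded_length(entities, text, _seen=(), _memo=None):
    """Length of `text` once every entity reference is recursively expanded.

    Computed arithmetically, never by building the expanded string, so a
    document that would expand to gigabytes costs a few hundred operations.
    Per-entity results are memoised; a reference cycle (which XML forbids)
    raises ValueError instead of recursing forever. Undefined and predefined
    entities such as &lt; are counted at their reference length, which
    slightly over-estimates and is therefore the safe direction.
    """
    if _memo is None:
        _memo = {}
    total = 0
    pos = 0
    for m in REF_RE.finditer(text):
        total += m.start() - pos            # literal text before the reference
        pos = m.end()
        name = m.group(1)
        if name not in entities:
            total += len(m.group(0))
            continue
        if name in _seen:
            raise ValueError("recursive entity: " + name)
        if name not in _memo:
            _memo[name] = expanded_length(entities, entities[name],
                                          _seen + (name,), _memo)
        total += _memo[name]
    return total + (len(text) - pos)        # literal text after the last reference


def analyse(doc):
    """Return (input_bytes, output_bytes, amplification_factor).

    The internal subset is assumed to end at the first ']>'; DTD bytes count
    unchanged, the document body is expanded.
    """
    entities = parse_entities(doc)
    end = doc.find("]>")
    body = doc[end + 2:] if end >= 0 else doc
    output = (len(doc) - len(body)) + expanded_length(entities, body)
    return len(doc), output, output / max(len(doc), 1)


def is_acceptable(doc, max_amplification=MAX_AMPLIFICATION,
                  activation_threshold=ACTIVATION_THRESHOLD):
    """Amplification rule: tolerate anything below the activation threshold,
    otherwise require output/input <= max_amplification."""
    _, output, factor = analyse(doc)
    if output < activation_threshold:
        return True
    return factor <= max_amplification


def billion_laughs(depth=9, fanout=10):
    """Constructed sample: the classic attack document. lol0 is 'lol' and each
    lolN is `fanout` references to lolN-1, so depth 9 expands to 10**9 'lol's."""
    decls = ['<!ENTITY lol0 "lol">']
    for k in range(1, depth + 1):
        decls.append('<!ENTITY lol%d "%s">' % (k, ('&lol%d;' % (k - 1)) * fanout))
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n%s\n]>\n<lolz>&lol%d;</lolz>\n'
            % ("\n".join(decls), depth))


if __name__ == "__main__":
    samples = (("billion laughs", billion_laughs()),
               ("benign", '<!DOCTYPE d [<!ENTITY co "Expat">]><d>&co; and &co;</d>'))
    for label, doc in samples:
        n_in, n_out, factor = analyse(doc)
        print("%-15s in=%d out=%d factor=%.1f accept=%s"
              % (label, n_in, n_out, factor, is_acceptable(doc)))
```

The activation threshold is what keeps this from being a simple ratio check: a 200-byte document with one heavily reused entity can legitimately expand 100-fold, so the ratio is only enforced once enough output has been produced for the amplification to matter. A real parser (Expat included) has to track the two byte counts incrementally while parsing, because it cannot see the whole document up front; the arithmetic here is the same, just done ahead of time.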

Maxime Devos wrote on 23 May 2021 20:40
29e294edf8ccdb887acd74e5a65c77c2e974aa75.camel@telenet.be
Marius Bakke schreef op zo 23-05-2021 om 17:15 [+0200]:
> Greetings Guix,
>
> What's old is new again! Expat 2.4.0 was recently released with a
> fix for a denial of service issue dubbed "billion laughs attack":
>
> https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
> https://en.wikipedia.org/wiki/Billion_laughs_attack
>
> Seeing as this vulnerability appears to be eight years old and is
> "merely" a DoS: is it worth fixing on the 'master' branch (and
> re-grafting pretty much everything)?

Since this is ‘merely’ a DoS that does not lead to an exploit, I
would simply upgrade the package on 'core-updates'. However, I don't
run any servers. At worst, an attacker could bring down a computer or
burn CPU cycles but nothing else. Bad, but not an exploit and not worth
a graft in my opinion. If this attack is found to cause an annoyance in
the wild, we can easily add a graft later.

>
> In any case I've attached a patch that does just that and I'm currently
> using it on my system. I'm hesitant to push it because of the grafting
> cost and would like others' opinion.
>

I would like others' opinion as well.

Greetings,
Maxime.
-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYKqhnhccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7myqAP9iks2IyXSISiDpBAjglrzQ9oKr
1WSnkoTvmrVMsEjL0AD/YFSW7UmmLUTqmZPzXjl+PWOioGN+E5NglOn0OsTvLgE=
=iESM
-----END PGP SIGNATURE-----


Leo Famulari wrote on 24 May 2021 19:06
(name . Marius Bakke)(address . marius@gnu.org)(address . 48612@debbugs.gnu.org)
YKvdJ75zNMh+8aHw@jasmine.lan
On Sun, May 23, 2021 at 05:15:11PM +0200, Marius Bakke wrote:
> Greetings Guix,
>
> What's old is new again! Expat 2.4.0 was recently released with a
> fix for a denial of service issue dubbed "billion laughs attack":
>
> https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
> https://en.wikipedia.org/wiki/Billion_laughs_attack
>
> Seeing as this vulnerability appears to be eight years old and is
> "merely" a DoS: is it worth fixing on the 'master' branch (and
> re-grafting pretty much everything)?
>
> In any case I've attached a patch that does just that and I'm currently
> using it on my system. I'm hesitant to push it because of the grafting
> cost and would like others' opinion.

I think it's okay to graft it. The distro is big enough that there will
always be some grafted packages. However, I'd like to try ungrafting at
regular periods; based on the current ungrafting build cycle, monthly
may be reasonable.


Ludovic Courtès wrote on 27 May 2021 15:12
control message for bug #48612
(address . control@debbugs.gnu.org)
87zgwgl3qz.fsf@gnu.org
tags 48612 + security
quit
Leo Famulari wrote on 3 Jun 2021 05:16
Re: bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
(name . Marius Bakke)(address . marius@gnu.org)(address . 48612-done@debbugs.gnu.org)
YLhJjeorZ1b9o4NK@jasmine.lan
On Mon, May 24, 2021 at 01:06:47PM -0400, Leo Famulari wrote:
> I think it's okay to graft it. The distro is big enough that there will
> always be some grafted packages. However, I'd like to try ungrafting at
> regular periods; based on the current ungrafting build cycle, monthly
> may be reasonable.

I updated your patch to use expat 2.4.1 and pushed as
6d71f6a73cd27d61d3302b9658893428af6314d2


Closed
This issue is archived.

To comment on this conversation send email to 48612@debbugs.gnu.org