Expat "billion laughs attack" vulnerability (CVE-2013-0340)

Done

Details

4 participants

Leo Famulari
Ludovic Courtès
Marius Bakke
Maxime Devos

Owner: unassigned

Submitted by: Marius Bakke

Severity: normal

Marius Bakke wrote on 23 May 2021 17:15

Recipients:(address . bug-guix@gnu.org)

Message-ID:87bl91qy68.fsf@gnu.org

Greetings Guix,

What's old is new again! Expat 2.4.0 was recently released with a

fix for a denial of service issue dubbed "billion laughs attack":

https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes

https://en.wikipedia.org/wiki/Billion_laughs_attack

Seeing as this vulnerability appears to be eight years old and is

"merely" a DoS: is it worth fixing on the 'master' branch (and

re-grafting pretty much everything)?

In any case I've attached a patch that does just that and I'm currently

using it on my system. I'm hesitant to push it because of the grafting

cost and would like others opinion.

From 2589767bf405b837db06dadf1c9f990620f11a38 Mon Sep 17 00:00:00 2001
From: Marius Bakke <marius@gnu.org>
Date: Sun, 23 May 2021 14:22:16 +0200
Subject: [PATCH] gnu: expat: Replace with 2.4.0 [fixes CVE-2013-0340].

* gnu/packages/xml.scm (expat-2.4.0): New variable.
(expat)[replacement]: New field.
---
 gnu/packages/xml.scm | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

Toggle diff (48 lines)diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index ad2e3ec6c9..cbd33326e8 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -13,7 +13,7 @@
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2016, 2017 Nikita <nikita@n0.is>
 ;;; Copyright © 2016–2021 Tobias Geerinckx-Rice <me@tobias.gr>
-;;; Copyright © 2016, 2017, 2018, 2019, 2020 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2016, 2017, 2018, 2019, 2020, 2021 Marius Bakke <marius@gnu.org>
 ;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com>
 ;;; Copyright © 2017 Gregor Giesen <giesen@zaehlwerk.net>
 ;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
@@ -121,6 +121,7 @@ the entire document.")
   (package
     (name "expat")
     (version "2.2.9")
+    (replacement expat-2.4.0)
     (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
               (origin
                 (method url-fetch)
@@ -144,6 +145,24 @@ stream-oriented parser in which an application registers handlers for
 things the parser might find in the XML document (like start tags).")
     (license license:expat)))
 
+;; Replacement package to fix CVE-2013-0340.
+(define expat-2.4.0
+  (package
+    (inherit expat)
+    (version "2.4.0")
+    (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
+              (origin
+                (method url-fetch)
+                (uri (list (string-append "mirror://sourceforge/expat/expat/"
+                                          version "/expat-" version ".tar.xz")
+                           (string-append
+                            "https://github.com/libexpat/libexpat/releases/download/R_"
+                            (string-map dot->underscore version)
+                            "/expat-" version ".tar.xz")))
+                (sha256
+                 (base32
+                  "04hyv04ygicyajb9ancv02a7sj5v97d94m2bnrjr5fx03r84iib3")))))))
+
 (define-public libebml
   (package
     (name "libebml")
-- 
2.31.1

-----BEGIN PGP SIGNATURE-----

iIUEARYKAC0WIQRNTknu3zbaMQ2ddzTocYulkRQQdwUCYKpxfw8cbWFyaXVzQGdu

dS5vcmcACgkQ6HGLpZEUEHdN7gEAqd57OAtYLb4Ax55KBrp/xcEsOgZpQP4FCCIR

QoIClgEA/AxHrXNrADEEFdw5vySvFRgyHcn1tr+CYZwZ+Ys76AsK

=jqio

-----END PGP SIGNATURE-----

Maxime Devos wrote on 23 May 2021 20:40

Recipients:

Message-ID:29e294edf8ccdb887acd74e5a65c77c2e974aa75.camel@telenet.be

Marius Bakke schreef op zo 23-05-2021 om 17:15 [+0200]:

Toggle quote (12 lines)> Greetings Guix,
> 
> What's old is new again!  Expat 2.4.0 was recently released with a
> fix for a denial of service issue dubbed "billion laughs attack":
> 
>   https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
>   https://en.wikipedia.org/wiki/Billion_laughs_attack
> 
> Seeing as this vulnerability appears to be eight years old and is
> "merely" a DoS: is it worth fixing on the 'master' branch (and
> re-grafting pretty much everything)?

Since this is ‘merely’ a DoS that does not lead to an exploit, I
would simply upgrade the package on 'core-updates'. However, I don't
run any servers. At worst, an attacker could bring down a computer or
burn CPU cyles but nothing else. Bad, but not an exploit and not worth
a graft in my opinion. If this attack is found to cause an annoyance in
the wild, we can easily add a graft later.

Toggle quote (6 lines)

> In any case I've attached a patch that does just that and I'm currently

> using it on my system. I'm hesitant to push it because of the grafting

> cost and would like others opinion.

I would like others opinion as well.

Greetings,

Maxime.

-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYKqhnhccbWF4aW1lZGV2

b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7myqAP9iks2IyXSISiDpBAjglrzQ9oKr

1WSnkoTvmrVMsEjL0AD/YFSW7UmmLUTqmZPzXjl+PWOioGN+E5NglOn0OsTvLgE=

=iESM

-----END PGP SIGNATURE-----

Leo Famulari wrote on 24 May 2021 19:06

Recipients:(name . Marius Bakke)(address . marius@gnu.org)(address . 48612@debbugs.gnu.org)

Message-ID:YKvdJ75zNMh+8aHw@jasmine.lan

On Sun, May 23, 2021 at 05:15:11PM +0200, Marius Bakke wrote:

Toggle quote (16 lines)> Greetings Guix,
> 
> What's old is new again!  Expat 2.4.0 was recently released with a
> fix for a denial of service issue dubbed "billion laughs attack":
> 
>   https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
>   https://en.wikipedia.org/wiki/Billion_laughs_attack
> 
> Seeing as this vulnerability appears to be eight years old and is
> "merely" a DoS: is it worth fixing on the 'master' branch (and
> re-grafting pretty much everything)?
> 
> In any case I've attached a patch that does just that and I'm currently
> using it on my system.  I'm hesitant to push it because of the grafting
> cost and would like others opinion.

I think it's okay to graft it. The distro is big enough that there will
always be some grafted packages. However, I'd like to try ungrafting at
regular periods; based on the current ungrafting build cycle, monthly
may be reasonable.

Ludovic Courtès wrote on 27 May 2021 15:12

control message for bug #48612

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87zgwgl3qz.fsf@gnu.org

tags 48612 + security

quit

Leo Famulari wrote on 3 Jun 2021 05:16

Re: bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)

Recipients:(name . Marius Bakke)(address . marius@gnu.org)(address . 48612-done@debbugs.gnu.org)

Message-ID:YLhJjeorZ1b9o4NK@jasmine.lan

On Mon, May 24, 2021 at 01:06:47PM -0400, Leo Famulari wrote:

Toggle quote (5 lines)

> I think it's okay to graft it. The distro is big enough that there will

> always be some grafted packages. However, I'd like to try ungrafting at

> regular periods; based on the current ungrafting build cycle, monthly

> may be reasonable.

I updated your patch to use expat 2.4.1 and pushed as

6d71f6a73cd27d61d3302b9658893428af6314d2

Closed

Your comment

This issue is archived.

To comment on this conversation send an email to 48612@debbugs.gnu.org

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date