Expat "billion laughs attack" vulnerability (CVE-2013-0340)

Done. Submitted by Marius Bakke.
Details
4 participants
  • Leo Famulari
  • Ludovic Courtès
  • Marius Bakke
  • Maxime Devos
Owner
unassigned
Severity
normal
Marius Bakke wrote on 23 May 17:15 +0200
(address . bug-guix@gnu.org)
87bl91qy68.fsf@gnu.org
Greetings Guix,
What's old is new again! Expat 2.4.0 was recently released with a fix for a denial of service issue dubbed "billion laughs attack":

https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
https://en.wikipedia.org/wiki/Billion_laughs_attack

Seeing as this vulnerability appears to be eight years old and is "merely" a DoS: is it worth fixing on the 'master' branch (and re-grafting pretty much everything)?

In any case I've attached a patch that does just that and I'm currently using it on my system. I'm hesitant to push it because of the grafting cost and would like others' opinion.
From 2589767bf405b837db06dadf1c9f990620f11a38 Mon Sep 17 00:00:00 2001
From: Marius Bakke <marius@gnu.org>
Date: Sun, 23 May 2021 14:22:16 +0200
Subject: [PATCH] gnu: expat: Replace with 2.4.0 [fixes CVE-2013-0340].

* gnu/packages/xml.scm (expat-2.4.0): New variable.
(expat)[replacement]: New field.
---
 gnu/packages/xml.scm | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
Toggle diff (48 lines)diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scmindex ad2e3ec6c9..cbd33326e8 100644--- a/gnu/packages/xml.scm+++ b/gnu/packages/xml.scm@@ -13,7 +13,7 @@ ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org> ;;; Copyright © 2016, 2017 Nikita <nikita@n0.is> ;;; Copyright © 2016–2021 Tobias Geerinckx-Rice <me@tobias.gr>-;;; Copyright © 2016, 2017, 2018, 2019, 2020 Marius Bakke <mbakke@fastmail.com>+;;; Copyright © 2016, 2017, 2018, 2019, 2020, 2021 Marius Bakke <marius@gnu.org> ;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com> ;;; Copyright © 2017 Gregor Giesen <giesen@zaehlwerk.net> ;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>@@ -121,6 +121,7 @@ the entire document.") (package (name "expat") (version "2.2.9")+ (replacement expat-2.4.0) (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c)))) (origin (method url-fetch)@@ -144,6 +145,24 @@ stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags).") (license license:expat))) +;; Replacement package to fix CVE-2013-0340.+(define expat-2.4.0+ (package+ (inherit expat)+ (version "2.4.0")+ (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))+ (origin+ (method url-fetch)+ (uri (list (string-append "mirror://sourceforge/expat/expat/"+ version "/expat-" version ".tar.xz")+ (string-append+ "https://github.com/libexpat/libexpat/releases/download/R_"+ (string-map dot->underscore version)+ "/expat-" version ".tar.xz")))+ (sha256+ (base32+ "04hyv04ygicyajb9ancv02a7sj5v97d94m2bnrjr5fx03r84iib3")))))))+ (define-public libebml (package (name "libebml")-- 2.31.1
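Review bot: `(replacement expat-2.4.0)` in the `@@ -121,6 +121,7 @@` hunk refers to a variable that is only defined by the last hunk at the bottom of the file. That is fine because the `replacement` field is evaluated lazily, but a short comment next to the field (or a sentence in the commit message) would save the next reader from checking. Also worth keeping in mind for later bumps: a graft rewrites store file names in place, so the replacement's name and version must produce a store path of the same length as the original's; "2.4.0" and "2.2.9" satisfy that, and a future version string of a different length would not.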
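Review bot: in the `@@ -144,6 +145,24 @@` hunk, the comment `;; Replacement package to fix CVE-2013-0340.` should also say that this is a graft meant to be dropped once `expat` itself is updated on core-updates, since that trade-off is exactly what the cover letter asks about, and the variable name `expat-2.4.0` goes stale on the next bump (which happened as soon as it was pushed as 2.4.1); a name such as `expat/fixed` would not. The definition otherwise follows the usual pattern: a private `define` rather than `define-public`, `(inherit expat)` with only `version` and `source` overridden, and the same sourceforge/GitHub URI pair as the parent, so the only values a reviewer needs to verify against upstream are the version and the `sha256`.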
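As an added illustration of the problem being patched above (this is example code written for this page, not the patch, not Guix code and not libexpat's own 2.4.0 mitigation): the Python snippet below uses Python's expat binding, `xml.parsers.expat`, to compute how large each internal entity would become once its nested references are expanded, and refuses the document as soon as a declaration exceeds a caller-chosen byte limit. Because expat reports `<!ENTITY>` declarations before any reference in the document body is expanded, the check runs ahead of the expansion even on an expat build older than 2.4.0. The two sample documents and the `max_entity_bytes` limit are constructed for the example; libexpat's own protection instead works on an amplification ratio with an activation threshold, which this coarse per-entity cap does not reproduce.

```python
import re
import xml.parsers.expat

# Matches a general entity reference (&name;) or character reference (&#38;)
# inside an entity's literal replacement text.
ENTITY_REF = re.compile(r"&([^;&\s]+);")
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}  # each expands to one character


class EntityExpansionError(ValueError):
    """Raised when an internal entity would expand past the configured limit."""


class ExpansionGuard:
    """Tracks internal entity declarations and their fully expanded sizes."""

    def __init__(self, max_entity_bytes):
        self.max_entity_bytes = max_entity_bytes
        self.literal = {}   # entity name -> literal replacement text
        self.expanded = {}  # entity name -> length after nested expansion

    def expanded_length(self, name, stack=()):
        """Length of NAME once every nested reference is expanded."""
        if name in self.expanded:
            return self.expanded[name]
        if name in stack:
            raise EntityExpansionError(f"entity {name!r} references itself")
        if name.startswith("#") or name in PREDEFINED:
            return 1
        value = self.literal.get(name)
        if value is None:
            # Not declared yet: XML requires declaration before use, so
            # well-formed input never gets here; count the reference as-is.
            return len(name) + 2
        total, pos = 0, 0
        for ref in ENTITY_REF.finditer(value):
            total += ref.start() - pos
            total += self.expanded_length(ref.group(1), stack + (name,))
            pos = ref.end()
        total += len(value) - pos
        self.expanded[name] = total
        return total

    def entity_decl(self, name, is_parameter, value, base, system_id,
                    public_id, notation):
        """expat EntityDeclHandler: fires before any body reference is expanded."""
        if is_parameter or value is None:
            return  # parameter and external entities carry no inline text here
        self.literal[name] = value
        size = self.expanded_length(name)
        if size > self.max_entity_bytes:
            raise EntityExpansionError(
                f"entity {name!r} would expand to {size} bytes "
                f"(limit {self.max_entity_bytes})")


def parse_guarded(data, max_entity_bytes=4096):
    """Parse DATA with expat and return its text content, raising
    EntityExpansionError before any oversized entity gets expanded."""
    guard = ExpansionGuard(max_entity_bytes)
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = guard.entity_decl
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)  # an exception raised in a handler propagates here
    return "".join(chunks)


def is_rejected(data, max_entity_bytes=4096):
    """True if parse_guarded() refuses DATA under the given limit."""
    try:
        parse_guarded(data, max_entity_bytes)
    except EntityExpansionError:
        return True
    return False


# Constructed sample inputs (not taken from the thread).  NESTED_DOC declares
# five levels of four-way fan-out, so e5 expands to 3 * 4**5 = 3072 bytes from
# a declaration of a few dozen bytes; that amplification is the whole attack.
NESTED_DOC = """<?xml version="1.0"?>
<!DOCTYPE doc [
 <!ENTITY e0 "lol">
 <!ENTITY e1 "&e0;&e0;&e0;&e0;">
 <!ENTITY e2 "&e1;&e1;&e1;&e1;">
 <!ENTITY e3 "&e2;&e2;&e2;&e2;">
 <!ENTITY e4 "&e3;&e3;&e3;&e3;">
 <!ENTITY e5 "&e4;&e4;&e4;&e4;">
]>
<doc>&e5;</doc>"""

BENIGN_DOC = """<?xml version="1.0"?>
<!DOCTYPE p [ <!ENTITY name "Guix"> ]>
<p>&name; &amp; expat</p>"""

if __name__ == "__main__":
    print(parse_guarded(BENIGN_DOC))                        # Guix & expat
    print(len(parse_guarded(NESTED_DOC)))                   # 3072
    print(is_rejected(NESTED_DOC, max_entity_bytes=1024))   # True
```

The limit is deliberately per entity rather than per document: the declaration is the only point at which the parser has seen the nested structure but has not yet paid for expanding it, which is why the check can stop a build older than 2.4.0 from doing the work at all.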
Maxime Devos wrote on 23 May 20:40 +0200
29e294edf8ccdb887acd74e5a65c77c2e974aa75.camel@telenet.be
Marius Bakke wrote on Sun 23-05-2021 at 17:15 [+0200]:
> Greetings Guix,
>
> What's old is new again! Expat 2.4.0 was recently released with a
> fix for a denial of service issue dubbed "billion laughs attack":
>
> https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
> https://en.wikipedia.org/wiki/Billion_laughs_attack
>
> Seeing as this vulnerability appears to be eight years old and is
> "merely" a DoS: is it worth fixing on the 'master' branch (and
> re-grafting pretty much everything)?
Since this is ‘merely’ a DoS that does not lead to an exploit, I would simply upgrade the package on 'core-updates'. However, I don't run any servers. At worst, an attacker could bring down a computer or burn CPU cycles but nothing else. Bad, but not an exploit and not worth a graft in my opinion. If this attack is found to cause an annoyance in the wild, we can easily add a graft later.
>
> In any case I've attached a patch that does just that and I'm currently
> using it on my system. I'm hesitant to push it because of the grafting
> cost and would like others' opinion.
>

I would like others' opinion as well.

Greetings,
Maxime.

Leo Famulari wrote on 24 May 19:06 +0200
(name . Marius Bakke)
(address . marius@gnu.org)
(address . 48612@debbugs.gnu.org)
YKvdJ75zNMh+8aHw@jasmine.lan
On Sun, May 23, 2021 at 05:15:11PM +0200, Marius Bakke wrote:
> Greetings Guix,
>
> What's old is new again! Expat 2.4.0 was recently released with a
> fix for a denial of service issue dubbed "billion laughs attack":
>
> https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
> https://en.wikipedia.org/wiki/Billion_laughs_attack
>
> Seeing as this vulnerability appears to be eight years old and is
> "merely" a DoS: is it worth fixing on the 'master' branch (and
> re-grafting pretty much everything)?
>
> In any case I've attached a patch that does just that and I'm currently
> using it on my system. I'm hesitant to push it because of the grafting
> cost and would like others' opinion.

I think it's okay to graft it. The distro is big enough that there will always be some grafted packages. However, I'd like to try ungrafting at regular periods; based on the current ungrafting build cycle, monthly may be reasonable.

Ludovic Courtès wrote on 27 May 15:12 +0200
control message for bug #48612
(address . control@debbugs.gnu.org)
87zgwgl3qz.fsf@gnu.org
tags 48612 + security
quit
Leo Famulari wrote on 3 Jun 05:16 +0200
Re: bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
(name . Marius Bakke)
(address . marius@gnu.org)
(address . 48612-done@debbugs.gnu.org)
YLhJjeorZ1b9o4NK@jasmine.lan
On Mon, May 24, 2021 at 01:06:47PM -0400, Leo Famulari wrote:
> I think it's okay to graft it. The distro is big enough that there will
> always be some grafted packages. However, I'd like to try ungrafting at
> regular periods; based on the current ungrafting build cycle, monthly
> may be reasonable.

I updated your patch to use expat 2.4.1 and pushed as 6d71f6a73cd27d61d3302b9658893428af6314d2

Closed