Greetings Guix,

What's old is new again! Expat 2.4.0 was recently released with a fix for a denial of service issue dubbed "billion laughs attack":

https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
https://en.wikipedia.org/wiki/Billion_laughs_attack

Seeing as this vulnerability appears to be eight years old and is "merely" a DoS: is it worth fixing on the 'master' branch (and re-grafting pretty much everything)?

In any case I've attached a patch that does just that and I'm currently using it on my system. I'm hesitant to push it because of the grafting cost and would like others' opinion.
From 2589767bf405b837db06dadf1c9f990620f11a38 Mon Sep 17 00:00:00 2001 From: Marius Bakke <[email protected]> Date: Sun, 23 May 2021 14:22:16 +0200 Subject: [PATCH] gnu: expat: Replace with 2.4.0 [fixes CVE-2013-0340]. * gnu/packages/xml.scm (expat-2.4.0): New variable. (expat)[replacement]: New field. --- gnu/packages/xml.scm | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index ad2e3ec6c9..cbd33326e8 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -13,7 +13,7 @@ ;;; Copyright © 2016 Jan Nieuwenhuizen <[email protected]> ;;; Copyright © 2016, 2017 Nikita <[email protected]> ;;; Copyright © 2016–2021 Tobias Geerinckx-Rice <[email protected]> -;;; Copyright © 2016, 2017, 2018, 2019, 2020 Marius Bakke <[email protected]> +;;; Copyright © 2016, 2017, 2018, 2019, 2020, 2021 Marius Bakke <[email protected]> ;;; Copyright © 2017 Adriano Peluso <[email protected]> ;;; Copyright © 2017 Gregor Giesen <[email protected]> ;;; Copyright © 2017 Alex Vong <[email protected]> @@ -121,6 +121,7 @@ the entire document.") (package (name "expat") (version "2.2.9") + (replacement expat-2.4.0) (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c)))) (origin (method url-fetch) 
@@ -144,6 +145,24 @@ stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags).") (license license:expat))) +;; Replacement package to fix CVE-2013-0340. +(define expat-2.4.0 + (package + (inherit expat) + (version "2.4.0") + (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c)))) + (origin + (method url-fetch) + (uri (list (string-append "mirror://sourceforge/expat/expat/" + version "/expat-" version ".tar.xz") + (string-append + "https://github.com/libexpat/libexpat/releases/download/R_" + (string-map dot->underscore version) + "/expat-" version ".tar.xz"))) + (sha256 + (base32 + "04hyv04ygicyajb9ancv02a7sj5v97d94m2bnrjr5fx03r84iib3"))))))) + (define-public libebml (package (name "libebml") -- 2.31.1
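Review bot: in the `(replacement expat-2.4.0)` hunk, the field refers to a variable that is only defined further down the file; that works because Guix resolves `replacement` lazily, but a reader scanning the `expat` package has no hint where the replacement lives or why it exists. A short comment next to the field (e.g. `;; Grafted: see expat-2.4.0 below`) would save the next person a search.

Review bot: in the `expat-2.4.0` hunk, nothing documents the two properties a graft depends on. First, grafting rewrites store paths byte-for-byte, so the replacement's output name must have exactly the length of the original's: `expat-2.4.0` and `expat-2.2.9` are both eleven characters, so this is fine today, but a later bump to a two-digit patch level such as 2.4.10 would silently not be graftable; a comment next to `(version "2.4.0")` should say so. Second, every package linked against expat will load the new shared object at run time without being rebuilt, so the commit message or the comment should state that the library soname is unchanged between 2.2.9 and 2.4.0, which is the reviewer's real question for a jump spanning several upstream releases. The base32 hash cannot be checked from the hunk; please confirm it with `guix download` against one of the two listed URIs. Minor: the origin expression, including the `dot->underscore` helper, is copied verbatim from the parent package; that duplication is tolerable for a graft that is meant to be removed at the next full rebuild, but say so in the comment.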
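To make the "billion laughs" cost discussed in the mail concrete, here is an added Python example; it is not code from the mailing-list post, from Expat or from Guix. It builds the classic attack document, reads the internal DTD subset, and computes how many bytes a parser would emit when expanding each entity reference, then expresses that as an amplification ratio of output bytes to input bytes. The ratio formula and the 100x rejection limit are assumptions of this example, chosen to mirror the ratio-based protection Expat 2.4.0 added; consult the linked Changes file for the library's actual defaults. Recursive entity definitions, which XML forbids, are detected and rejected rather than looped on.

```python
"""Measure entity-expansion amplification of an XML internal DTD subset.

Added example (not from the mailing-list post, Expat or Guix). It does not
parse XML; it only reads <!ENTITY ...> declarations and computes the bytes
a parser would produce on expansion. The 100x limit in check() is an
assumption of this example, not a value taken from the library.
"""
import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+([A-Za-z_:][\w.:-]*)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&([A-Za-z_:][\w.:-]*);')
# XML's five predefined entities each expand to a single character.
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "quot": 1, "apos": 1}


def build_billion_laughs(depth=9, fanout=10, seed="lol"):
    """Constructed attack document: level N references level N-1 `fanout`
    times, so the top entity expands to len(seed) * fanout**depth bytes."""
    decls = [f' <!ENTITY {seed} "{seed}">']
    for level in range(1, depth + 1):
        prev = seed if level == 1 else f"{seed}{level - 1}"
        refs = f"&{prev};" * fanout
        decls.append(f' <!ENTITY {seed}{level} "{refs}">')
    return (
        '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n'
        + "\n".join(decls)
        + f'\n]>\n<lolz>&{seed}{depth};</lolz>\n'
    )


# Constructed benign document for comparison: one short entity, used once.
BENIGN = (
    '<?xml version="1.0"?>\n<!DOCTYPE note [\n'
    ' <!ENTITY company "Example Corp">\n]>\n'
    '<note>&company; &amp; friends</note>\n'
)

# Constructed illegal document: mutually recursive entities.
RECURSIVE = '<!DOCTYPE x [ <!ENTITY a "&b;"> <!ENTITY b "&a;"> ]><x>&a;</x>'


def internal_entities(doc):
    """Return {name: replacement_text} for the internal subset's entities."""
    start = doc.find("<!DOCTYPE")
    end = doc.find("]>", start)
    if start < 0 or end < 0:
        return {}
    return dict(ENTITY_DECL.findall(doc[start:end]))


def expanded_length(name, entities, memo=None, _stack=()):
    """Bytes emitted for &name; after fully expanding nested references.

    Memoised so the 10^9-leaf attack tree is costed in a few hundred steps.
    Raises ValueError on recursive definitions and KeyError on unknown names.
    """
    memo = {} if memo is None else memo
    if name in PREDEFINED:
        return PREDEFINED[name]
    if name in memo:
        return memo[name]
    if name in _stack:
        raise ValueError("recursive entity: " + " -> ".join(_stack + (name,)))
    if name not in entities:
        raise KeyError(f"undefined entity: {name}")
    text = entities[name]
    total, pos = 0, 0
    for m in ENTITY_REF.finditer(text):
        total += len(text[pos:m.start()].encode())
        total += expanded_length(m.group(1), entities, memo, _stack + (name,))
        pos = m.end()
    total += len(text[pos:].encode())
    memo[name] = total
    return total


def amplification(doc):
    """(direct + indirect) / direct: direct is the document's own byte size,
    indirect the bytes produced by expanding references in the body."""
    entities = internal_entities(doc)
    subset_end = doc.find("]>")
    body = doc[subset_end + 2:] if subset_end >= 0 else doc
    direct = len(doc.encode())
    memo = {}
    indirect = sum(expanded_length(m.group(1), entities, memo)
                   for m in ENTITY_REF.finditer(body))
    return (direct + indirect) / direct


def check(doc, max_amplification=100.0):
    """Return (ratio, accepted); reject documents whose ratio exceeds the limit."""
    ratio = amplification(doc)
    return ratio, ratio <= max_amplification


if __name__ == "__main__":
    for label, doc in (("billion laughs", build_billion_laughs()), ("benign", BENIGN)):
        ratio, ok = check(doc)
        print(f"{label}: {len(doc)} input bytes, amplification {ratio:,.1f}x, "
              f"{'accepted' if ok else 'REJECTED'}")
```

The attack document is under a kilobyte of input yet expands to three gigabytes of "lol", which is why a parser that expands entities eagerly and without a budget exhausts memory or CPU; a ratio check of this shape catches it while leaving the benign document, whose ratio is barely above 1, untouched.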
