On Fri, Mar 12, 2010 at 7:10 PM, William A. Rowe Jr. <[email protected]> wrote:
> On 3/12/2010 12:06 PM, Jorge Schrauwen wrote:
>> I'm about to build the x64 binaries for my website and AVG on my
>> development machine throws this at me.
>>
>> Warning: XML Bomb:
>> srclib/apr-util/test/data/billion-laughs.xml
>>
>> See attached screenshots, most likely harmless but not a nice welcome
>> when unpacking the source.
>
> You would rather we not warn you of the vulnerability, when you compile
> against your existing expat?
>

So it's AVG that's broken? Still sucks that AVG makes it appear that the XML file is bad.

On Fri, Mar 12, 2010 at 7:20 PM, Gregg L. Smith <[email protected]> wrote:
> On Windows?
>
> My suggestion originally was to remove it only from the Win32 zip.
>
> Gregg

Yep, this was with the Windows source zip.

On Fri, Mar 12, 2010 at 7:16 PM, Gregg L. Smith <[email protected]> wrote:
> Hi Jorge,
>
> I brought this up quite some time ago, which is why I have been moving away
> from AVG since I was basically ignored here :-) That and AVG's many false
> positives. What is worse is that the XML bomb won't hurt anything anymore, and
> it can be gotten around AVG as well just by adding a certain amount of more
> recursions. I will not post the exact number, but at some point it will be
> bypassed.
>
> My thoughts on this are: if this problem is fixed, why does there need to be a
> test against it anymore, other than breaking said fix in the future and
> therefore becoming vulnerable again.
>
>
> Gregg

Oh, didn't notice it back then. Any recommendation for a free AV product for Windows? Don't feel like forking over money just to run it on my test system, which runs like... maybe 3h per httpd release to get my x64 binaries built.

Well, if it's harmless and posted before, sorry for not noticing the original post.

Jorge
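As an added example (not code from apr-util, expat, or anyone in this thread), this is the kind of pre-parse check a parser or a regression test can apply to the pattern in billion-laughs.xml: compute how far the declared entities would expand without ever materialising them, and reject a document whose expansion dwarfs its own size. The sample documents, the 20x threshold and the function names are constructed for illustration.

```python
import re

# Constructed sample in the style of the apr-util billion-laughs.xml test file:
# four nesting levels with fan-out 10, so "&d;" expands to 10**4 bytes.
SAMPLE_BOMB = (
    '<?xml version="1.0"?>\n<!DOCTYPE r [\n'
    ' <!ENTITY a "aaaaaaaaaa">\n'
    ' <!ENTITY b "' + "&a;" * 10 + '">\n'
    ' <!ENTITY c "' + "&b;" * 10 + '">\n'
    ' <!ENTITY d "' + "&c;" * 10 + '">\n'
    ']>\n<r>&d;</r>\n'
)
SAMPLE_OK = (  # constructed benign document with one ordinary internal entity
    '<?xml version="1.0"?>\n<!DOCTYPE r [\n'
    ' <!ENTITY asf "Apache Software Foundation">\n]>\n<r>&asf;</r>\n')

DOCTYPE = re.compile(r"<!DOCTYPE.*?\]\s*>", re.S)
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r"&(\w+);")

def expanded_size(name, entities, memo, stack=()):
    """Bytes `name` expands to, computed from declarations without materialising text."""
    if name in stack:
        raise ValueError("recursive entity: " + name)  # illegal in XML anyway
    if name not in memo:
        text = entities.get(name)
        if text is None:
            return 1  # predefined (&amp; ...) or undeclared: at most one char
        size = len(ENTITY_REF.sub("", text))  # literal characters in the value
        for ref in ENTITY_REF.findall(text):  # plus every nested reference
            size += expanded_size(ref, entities, memo, stack + (name,))
        memo[name] = size
    return memo[name]

def expansion_bytes(xml_text):
    """Total bytes the entity references in the document body expand to."""
    entities, memo = dict(ENTITY_DECL.findall(xml_text)), {}
    body = DOCTYPE.sub("", xml_text, count=1)  # references outside the DTD
    return sum(expanded_size(r, entities, memo) for r in ENTITY_REF.findall(body))

def amplification(xml_text):
    """Expanded entity bytes relative to the document size as received."""
    return expansion_bytes(xml_text) / max(len(xml_text), 1)

def is_entity_bomb(xml_text, max_amplification=20.0):
    """Reject before parsing when expansion dwarfs the input or entities recurse."""
    try:
        return amplification(xml_text) > max_amplification
    except ValueError:
        return True
```

The check only reads the internal DTD subset; external and parameter entities are out of scope here and need the parser's own limits.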
