926786 – (CVE-2024-28757) <dev-libs/expat-2.6.2: vulnerable to billion laughs attacks with isolated use of external parsers

Bug 926786 (CVE-2024-28757) - <dev-libs/expat-2.6.2: vulnerable to billion laughs attacks with isolated use of external parsers

Summary: <dev-libs/expat-2.6.2: vulnerable to billion laughs attacks with isolated use...

Status:	IN_PROGRESS

Alias:	CVE-2024-28757

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://github.com/libexpat/libexpat/...
Whiteboard:	A3 [stable?]
Keywords:

Depends on:	924601 930032
Blocks:	CVE-2023-52425
	Show dependency tree

Reported:	2024-03-11 23:40 UTC by Sebastian Pipping
Modified:	2024-04-14 22:00 UTC (History)
CC List:	2 users (show)

See Also:	https://github.com/libexpat/libexpat/issues/838 https://github.com/libexpat/libexpat/issues/839 https://github.com/libexpat/libexpat/pull/842
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sebastian Pipping gentoo-dev

2024-03-11 23:40:40 UTC

Quick heads up, upstream release 2.6.2 with the fix coming up shortly.

Comment 1 Larry the Git Cow gentoo-dev

2024-03-13 17:19:07 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5ae6bfa8a1411b05e9fbd76792144b7824e9379

commit b5ae6bfa8a1411b05e9fbd76792144b7824e9379
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2024-03-13 17:18:05 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2024-03-13 17:18:32 +0000

    dev-libs/expat: 2.6.2 with fix for CVE-2024-28757
    
    Bug: https://bugs.gentoo.org/926786
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>

 dev-libs/expat/Manifest           |   1 +
 dev-libs/expat/expat-2.6.2.ebuild | 101 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+)

Comment 2 John Helmert III archtester

2024-03-17 04:03:50 UTC

Please stable when ready.

Comment 3 Sebastian Pipping gentoo-dev

2024-03-17 12:39:04 UTC

(In reply to John Helmert III from comment #2)
> Please stable when ready.

I'm biased about it (being Expat's upstream maintainer), but someone will have to make a decision whether bug #924601 is a blocker to stabilization or not, I'm adding it as a potential blocker for now until someone  else removes it as a conscious decision.  ClusterShell tests will break through stabilization, not sure if the application itself.  We could in theory try to get an answer on that from Clustershell upstream (just asked at https://github.com/cea-hpc/clustershell/pull/556#issuecomment-2002439361), before making a move, with a timeout of a few days maybe.  What do you think?

I'm also making bug #923951 depend on bug #926786 (right here), please adjust as you see fits.