Bug 791703

Summary: <dev-libs/expat-2.4.0: Vulnerable to "Billion Laughs Attack" (CVE-2013-0340)
Product: Gentoo Security
Reporter: Sebastian Pipping <sping>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: freedesktop-bugs, sam
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/libexpat/libexpat/blob/R_2_4_1/expat/Changes#L19
See Also: https://bugs.gentoo.org/show_bug.cgi?id=458742
Whiteboard: A3 [glsa+]
Package list:
dev-libs/expat-2.4.1
Runtime testing required: ---

Description Sebastian Pipping gentoo-dev 2021-05-23 19:09:02 UTC
As suggested, I am not re-using bug #458742 but creating a new ticket…

I have pushed dev-libs/expat-2.4.1 earlier today.  Release 2.4.0 fixed the long-unfixed CVE-2013-0340 at the source.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-24 03:06:37 UTC
Thanks sping. Let us know when it's ready to stable.

(aside: register your nick on Libera now we're migrating there? Maybe even hang around afterwards! ;))
Comment 2 NATTkA bot gentoo-dev 2021-05-24 03:08:20 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-05-24 23:28:22 UTC Comment hidden (obsolete)
Comment 4 Sebastian Pipping gentoo-dev 2021-05-24 23:34:29 UTC
(In reply to Sam James from comment #1)
> Thanks sping. Let us know when it's ready to stable.

I'm happy with any date.  What would be your preferences?


> (aside: register your nick on Libera now we're migrating there? Maybe even
> hang around afterwards! ;))

Thanks for the nudge about it, I just registered.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-26 17:49:01 UTC
We usually go faster for security bugs but try to balance the risk of the changes since the last version against the severity of any bugs.

Whenever you’re happy (could be now, or a week), we’ll add CC-ARCHES.
Comment 6 Sebastian Pipping gentoo-dev 2021-05-27 10:32:59 UTC
(In reply to Sam James from comment #5)
> Whenever you’re happy (could be now, or a week), we’ll add CC-ARCHES.

Alright, let's go! :)
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-27 19:36:48 UTC
arm64 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-27 19:38:51 UTC
arm done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-28 00:28:28 UTC
x86 done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-28 00:28:32 UTC
amd64 done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-28 00:28:40 UTC
ppc done
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-28 00:28:42 UTC
ppc64 done
Comment 13 Agostino Sarubbo gentoo-dev 2021-05-28 12:05:09 UTC
sparc stable
Comment 14 Rolf Eike Beer archtester 2021-05-28 15:49:24 UTC
hppa stable
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-28 19:31:28 UTC
Please cleanup, thanks!
Comment 16 Larry the Git Cow gentoo-dev 2021-05-28 21:23:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=90eadb7bb21b4941c9d6297c0725edef87e49837

commit 90eadb7bb21b4941c9d6297c0725edef87e49837
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2021-05-28 21:21:38 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2021-05-28 21:22:54 +0000

    dev-libs/expat: Drop vulnerable
    
    Bug: https://bugs.gentoo.org/791703
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.19, Repoman-3.0.3

 dev-libs/expat/Manifest            |  2 -
 dev-libs/expat/expat-2.2.10.ebuild | 99 --------------------------------------
 dev-libs/expat/expat-2.3.0.ebuild  | 99 --------------------------------------
 3 files changed, 200 deletions(-)
Comment 17 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-30 16:10:37 UTC
Thanks!
Comment 18 NATTkA bot gentoo-dev 2022-01-23 20:56:52 UTC
Unable to check for sanity:

> no match for package: dev-libs/expat-2.4.1
Comment 19 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 16:52:54 UTC
GLSA request filed
Comment 20 Larry the Git Cow gentoo-dev 2022-09-29 14:48:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=03f0a34b2dd087d0388307c6a72febd44202bb20

commit 03f0a34b2dd087d0388307c6a72febd44202bb20
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:24:39 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:48:02 +0000

    [ GLSA 202209-24 ] Expat: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/791703
    Bug: https://bugs.gentoo.org/830422
    Bug: https://bugs.gentoo.org/831918
    Bug: https://bugs.gentoo.org/833431
    Bug: https://bugs.gentoo.org/870097
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-24.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
Comment 21 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-29 14:54:09 UTC
GLSA released, all done!