Summary: | <dev-libs/expat-2.6.2: vulnerable to billion laughs attacks with isolated use of external parsers | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sebastian Pipping <sping> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | IN_PROGRESS --- | ||
Severity: | normal | CC: | ajak, sping |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/libexpat/libexpat/commit/1d50b80cf31de87750103656f6eb693746854aa8 | ||
See Also: |
https://github.com/libexpat/libexpat/issues/838 https://github.com/libexpat/libexpat/issues/839 https://github.com/libexpat/libexpat/pull/842 |
||
Whiteboard: | A3 [stable] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 924601, 939074, 930032 | ||
Bug Blocks: | 923951 |
Description
Sebastian Pipping
2024-03-11 23:40:40 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5ae6bfa8a1411b05e9fbd76792144b7824e9379 commit b5ae6bfa8a1411b05e9fbd76792144b7824e9379 Author: Sebastian Pipping <sping@gentoo.org> AuthorDate: 2024-03-13 17:18:05 +0000 Commit: Sebastian Pipping <sping@gentoo.org> CommitDate: 2024-03-13 17:18:32 +0000 dev-libs/expat: 2.6.2 with fix for CVE-2024-28757 Bug: https://bugs.gentoo.org/926786 Signed-off-by: Sebastian Pipping <sping@gentoo.org> dev-libs/expat/Manifest | 1 + dev-libs/expat/expat-2.6.2.ebuild | 101 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 102 insertions(+) Please stable when ready. (In reply to John Helmert III from comment #2) > Please stable when ready. I'm biased about it (being Expat's upstream maintainer), but someone will have to make a decision whether bug #924601 is a blocker to stabilization or not, I'm adding it as a potential blocker for now until someone else removes it as a conscious decision. ClusterShell tests will break through stabilization, not sure if the application itself. We could in theory try to get an answer on that from Clustershell upstream (just asked at https://github.com/cea-hpc/clustershell/pull/556#issuecomment-2002439361), before making a move, with a timeout of a few days maybe. What do you think? I'm also making bug #923951 depend on bug #926786 (right here), please adjust as you see fits. |