Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 926786 (CVE-2024-28757)

Summary: <dev-libs/expat-2.6.2: vulnerable to billion laughs attacks with isolated use of external parsers
Product: Gentoo Security Reporter: Sebastian Pipping <sping>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: normal CC: ajak, sping
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/libexpat/libexpat/commit/1d50b80cf31de87750103656f6eb693746854aa8
See Also: https://github.com/libexpat/libexpat/issues/838
https://github.com/libexpat/libexpat/issues/839
https://github.com/libexpat/libexpat/pull/842
Whiteboard: A3 [stable?]
Package list:
Runtime testing required: ---
Bug Depends on: 924601, 930032    
Bug Blocks: 923951    

Description Sebastian Pipping gentoo-dev 2024-03-11 23:40:40 UTC 
Quick heads up, upstream release 2.6.2 with the fix coming up shortly.
Comment 1 Larry the Git Cow gentoo-dev 2024-03-13 17:19:07 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5ae6bfa8a1411b05e9fbd76792144b7824e9379

commit b5ae6bfa8a1411b05e9fbd76792144b7824e9379
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2024-03-13 17:18:05 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2024-03-13 17:18:32 +0000

    dev-libs/expat: 2.6.2 with fix for CVE-2024-28757
    
    Bug: https://bugs.gentoo.org/926786
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>

 dev-libs/expat/Manifest           |   1 +
 dev-libs/expat/expat-2.6.2.ebuild | 101 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-03-17 04:03:50 UTC 
Please stable when ready.
Comment 3 Sebastian Pipping gentoo-dev 2024-03-17 12:39:04 UTC 
(In reply to John Helmert III from comment #2)
> Please stable when ready.

I'm biased about it (being Expat's upstream maintainer), but someone will have to make a decision whether bug #924601 is a blocker to stabilization or not, I'm adding it as a potential blocker for now until someone  else removes it as a conscious decision.  ClusterShell tests will break through stabilization, not sure if the application itself.  We could in theory try to get an answer on that from Clustershell upstream (just asked at https://github.com/cea-hpc/clustershell/pull/556#issuecomment-2002439361), before making a move, with a timeout of a few days maybe.  What do you think?

I'm also making bug #923951 depend on bug #926786 (right here), please adjust as you see fits.