Bug 256121 (expat-2.4.1) - [exp-run] textproc/expat2: update to 2.4.1 (fixes CVE-2013-0340/CWE-776)
Summary: [exp-run] textproc/expat2: update to 2.4.1 (fixes CVE-2013-0340/CWE-776)
Status: Closed FIXED
Alias: expat-2.4.1
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Tobias C. Berner
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-24 14:42 UTC by Tobias C. Berner
Modified: 2021-07-20 07:13 UTC
CC List: 2 users

See Also:
tcberner: merge-quarterly+
antoine: exp-run+


Attachments
v1 (2.39 KB, patch)
2021-05-24 14:42 UTC, Tobias C. Berner

Description Tobias C. Berner freebsd_committer freebsd_triage 2021-05-24 14:42:55 UTC
Created attachment 225223 [details]
v1

Moin moin 

desktop@ would like to ask for an exp-run to update textproc/expat2 to 2.4.1 which includes a fix against the billion laughs attack CVE-2013-0340/CWE-776.

The patch is attached and can also be found here:
https://people.freebsd.org/~tcberner/patches/0001-textprox-expat2-update-to-2.4.1-fixes-CVE-2013-0340-.patch

mfg Tobias
Comment 1 commit-hook freebsd_committer freebsd_triage 2021-05-24 15:03:43 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4ff544422ffe21f039595fc312b2e4bff39a705c

commit 4ff544422ffe21f039595fc312b2e4bff39a705c
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2021-05-24 15:02:45 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2021-05-24 15:02:45 +0000

    security/vuxml: document vulnerability in textproc/expat2

    Security:       CVE-2013-0340
    PR:             256121

 security/vuxml/vuln.xml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
Comment 2 Antoine Brodin freebsd_committer freebsd_triage 2021-05-27 08:26:56 UTC
Exp-run looks fine
Comment 3 commit-hook freebsd_committer freebsd_triage 2021-05-27 08:58:07 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1454ab40206b85f94edb6390e0d96c9716a07399

commit 1454ab40206b85f94edb6390e0d96c9716a07399
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2021-05-24 14:38:28 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2021-05-27 08:56:26 +0000

    textproc/expat2: update to 2.4.1 -- fixes CVE-2013-0340/CWE-776

    See [1] for details:
            Expat 2.4.0 and follow-up release 2.4.1 have both been released earlier
            today (21-05-23). Release 2.4.0 fixes long known security issue CVE-2013-0340 by
            adding protection against so-called Billion Laughs Attacks, a form of
            denial of service against applications accepting XML input, in all known
            variations, including recent flavor Parameter Laughs.

    [1] https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0

    PR:             256121
    Exp-run by:     antoine

 textproc/expat2/Makefile  |  4 +++-
 textproc/expat2/distinfo  |  6 +++---
 textproc/expat2/pkg-plist | 10 +++++-----
 3 files changed, 11 insertions(+), 9 deletions(-)
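The Billion Laughs class of denial of service named in the commit message above (and in the description of this bug) is a nested-entity DTD whose expansion grows exponentially with the nesting depth, so a document of a few hundred bytes can demand gigabytes of memory from any consumer of libexpat. The following is an added example, not part of this bug report, of the port, or of Expat's own code: it shows the defensive idea behind the 2.4.0 fix, bounding entity expansion before any reference is expanded, using CPython's bundled `xml.parsers.expat` binding. Expat calls the `EntityDeclHandler` for every `<!ENTITY>` declaration while it reads the internal DTD subset, i.e. before the content is parsed, so a guard there can compute each entity's fully expanded size from the declarations alone and abort the parse on over-budget documents. The names `EntityGuard`, `parse_guarded`, `rejected`, `billion_laughs` and the 1 MB budget are assumptions of this example; Expat 2.4's own protection is ratio-based (a maximum amplification factor that activates above an output threshold) rather than the absolute byte budget used here, and the sample documents are constructed.

```python
import re
import xml.parsers.expat as expat

# Matches a general entity reference inside an entity's literal value, e.g. "&lol1;".
# Character references (&#...;) are already resolved by Expat at declaration time.
ENTITY_REF = re.compile(r"&([^;&\s#]+);")
# The five predefined XML entities each expand to a single character.
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}


class EntityExpansionLimit(Exception):
    """Raised, before any expansion happens, when declared entities could exceed the budget."""


class EntityGuard:
    """Statically bounds internal general-entity expansion from Expat's EntityDeclHandler.

    Each entity's expanded size is its literal text plus the (memoised) expanded sizes
    of the entities it references, so a Billion Laughs DTD is rejected at the first
    declaration whose expansion exceeds the budget, long before the content is reached.
    (Hypothetical helper written for this example; the budget is an absolute byte count.)
    """

    def __init__(self, max_expansion_bytes: int) -> None:
        self.max_expansion_bytes = max_expansion_bytes
        self.values: dict[str, str] = {}    # entity name -> literal value as declared
        self.expanded: dict[str, int] = {}  # entity name -> fully expanded size in bytes

    def expansion(self, name: str, stack: tuple = ()) -> int:
        if name in self.expanded:
            return self.expanded[name]
        if name in PREDEFINED:
            return 1
        if name in stack:
            # Expat itself rejects recursive references; treat them as over budget here.
            raise EntityExpansionLimit(f"recursive reference to entity {name!r}")
        value = self.values.get(name)
        if value is None:
            return 0  # undeclared (Expat reports that itself) or external (not expanded inline)
        size, pos = 0, 0
        for ref in ENTITY_REF.finditer(value):
            size += len(value[pos:ref.start()].encode("utf-8"))
            size += self.expansion(ref.group(1), stack + (name,))
            pos = ref.end()
        size += len(value[pos:].encode("utf-8"))
        self.expanded[name] = size
        return size

    def on_entity_decl(self, name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        # Expat's EntityDeclHandler signature. Parameter and external entities arrive with
        # value=None; only internal general entities are expanded into the content.
        if is_parameter_entity or value is None:
            return
        self.values[name] = value
        size = self.expansion(name)
        if size > self.max_expansion_bytes:
            raise EntityExpansionLimit(
                f"entity {name!r} would expand to {size} bytes (limit {self.max_expansion_bytes})")


def parse_guarded(document: bytes, max_expansion_bytes: int = 1_000_000):
    """Parse with Expat; return the concatenated character data and the guard's bookkeeping."""
    guard = EntityGuard(max_expansion_bytes)
    parser = expat.ParserCreate()
    parser.EntityDeclHandler = guard.on_entity_decl
    chunks: list[str] = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(document, True)  # the guard raises from inside Parse() on an over-budget DTD
    return "".join(chunks), guard


def rejected(document: bytes, max_expansion_bytes: int = 1_000_000) -> bool:
    """True when the guard refuses the document before expansion, False when it parses."""
    try:
        parse_guarded(document, max_expansion_bytes)
    except EntityExpansionLimit:
        return True
    return False


def billion_laughs(depth: int = 9, fanout: int = 10) -> bytes:
    """Constructed sample: the classic nested-entity shape, fanout**depth copies of 'lol'."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        refs = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    body = "<?xml version=\"1.0\"?>\n<!DOCTYPE r [\n" + "\n".join(decls) + "\n]>\n"
    return (body + f"<r>&lol{depth};</r>\n").encode("utf-8")


# Constructed sample: a benign internal entity of the kind real documents declare.
BENIGN = b'<?xml version="1.0"?>\n<!DOCTYPE r [ <!ENTITY port "textproc/expat2"> ]>\n<r>&port;</r>\n'

if __name__ == "__main__":
    print("benign parses to:", parse_guarded(BENIGN)[0])
    print("billion laughs rejected before expansion:", rejected(billion_laughs()))
```

With the default 1 MB budget the nine-level, ten-way document is refused while Expat is still reading its DTD (at the declaration of `lol6`, which would expand to 3,000,000 bytes), so no expansion work is ever done; a two-level variant expands to only 300 bytes and parses normally. A consumer of the port that cannot yet rely on libexpat 2.4's built-in limit can apply the same handler-level check from C through `XML_SetEntityDeclHandler` and `XML_StopParser`.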
Comment 4 Tobias C. Berner freebsd_committer freebsd_triage 2021-05-27 09:00:39 UTC
Committed - thanks for the exp-run.
Comment 5 Bryan Drewery freebsd_committer freebsd_triage 2021-06-09 16:49:54 UTC
Any reason this shouldn't go into quarterly?
Comment 6 Tobias C. Berner freebsd_committer freebsd_triage 2021-06-14 15:47:51 UTC
(In reply to Bryan Drewery from comment #5)
Moin moin 

It's a bigger step from 2.2.10 (instead of 2.3.0) to 2.4.1 there -- so I did not really want to risk breakage. But given the CVE that is probably a risk worth taking.

I guess I will risk it :)


mfg Tobias
Comment 7 commit-hook freebsd_committer freebsd_triage 2021-06-14 15:51:48 UTC
A commit in branch 2021Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7735cbdd131003bbbb0c9238f1468db734b89bc4

commit 7735cbdd131003bbbb0c9238f1468db734b89bc4
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2021-05-24 14:38:28 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2021-06-14 15:50:41 +0000

    textproc/expat2: update to 2.4.1 -- fixes CVE-2013-0340/CWE-776

    See [1] for details:
            Expat 2.4.0 and follow-up release 2.4.1 have both been released earlier
            today (21-05-23). Release 2.4.0 fixes long known security issue CVE-2013-0340 by
            adding protection against so-called Billion Laughs Attacks, a form of
            denial of service against applications accepting XML input, in all known
            variations, including recent flavor Parameter Laughs.

    [1] https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0

    PR:             256121
    Exp-run by:     antoine

    (cherry picked from commit 1454ab40206b85f94edb6390e0d96c9716a07399)

 textproc/expat2/Makefile  | 13 +++++++++----
 textproc/expat2/distinfo  |  6 +++---
 textproc/expat2/pkg-plist |  8 ++++++--
 3 files changed, 18 insertions(+), 9 deletions(-)