Created attachment 225223 [details] v1 Moin moin desktop@ would like to ask for an exp-run to update textproc/expat2 to 2.4.1 which includes a fix against the billion laughs attach CVE-2013-0340/CWE-776. The patch is attached and can also be found here: https://people.freebsd.org/~tcberner/patches/0001-textprox-expat2-update-to-2.4.1-fixes-CVE-2013-0340-.patch mfg Tobias
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=4ff544422ffe21f039595fc312b2e4bff39a705c commit 4ff544422ffe21f039595fc312b2e4bff39a705c Author: Tobias C. Berner <tcberner@FreeBSD.org> AuthorDate: 2021-05-24 15:02:45 +0000 Commit: Tobias C. Berner <tcberner@FreeBSD.org> CommitDate: 2021-05-24 15:02:45 +0000 security/vuxml: document vulnerability in texptroc/expat2 Security: CVE-2013-0340 PR: 256121 security/vuxml/vuln.xml | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+)
Exp-run looks fine
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=1454ab40206b85f94edb6390e0d96c9716a07399 commit 1454ab40206b85f94edb6390e0d96c9716a07399 Author: Tobias C. Berner <tcberner@FreeBSD.org> AuthorDate: 2021-05-24 14:38:28 +0000 Commit: Tobias C. Berner <tcberner@FreeBSD.org> CommitDate: 2021-05-27 08:56:26 +0000 textprox/expat2: update to 2.4.1 -- fixes CVE-2013-0340/CWE-776 See [1] for details: Expat 2.4.0 and follow-up release 2.4.1 have both been released earlier today (21-05-23). Release 2.4.0 fixes long known security issue CVE-2013-0340 by adding protection against so-called Billion Laughs Attacks, a form of denial of service against applications accepting XML input, in all known variations, including recent flavor Parameter Laughs. [1] https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0 PR: 256121 Exp-run by: antoine textproc/expat2/Makefile | 4 +++- textproc/expat2/distinfo | 6 +++--- textproc/expat2/pkg-plist | 10 +++++----- 3 files changed, 11 insertions(+), 9 deletions(-)
Committed - thanks for the exp-run.
Any reason this shouldn't go into quarterly?
(In reply to Bryan Drewery from comment #5) Moin moin It's a bigger step from 2.2.10 (instead of 2.3.0) to 2.4.1 there -- so I did not really want to risk breakage. But given the CVE that is probably a risk worth taking. I guess I will risk it :) mfg Tobias
A commit in branch 2021Q2 references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=7735cbdd131003bbbb0c9238f1468db734b89bc4 commit 7735cbdd131003bbbb0c9238f1468db734b89bc4 Author: Tobias C. Berner <tcberner@FreeBSD.org> AuthorDate: 2021-05-24 14:38:28 +0000 Commit: Tobias C. Berner <tcberner@FreeBSD.org> CommitDate: 2021-06-14 15:50:41 +0000 textprox/expat2: update to 2.4.1 -- fixes CVE-2013-0340/CWE-776 See [1] for details: Expat 2.4.0 and follow-up release 2.4.1 have both been released earlier today (21-05-23). Release 2.4.0 fixes long known security issue CVE-2013-0340 by adding protection against so-called Billion Laughs Attacks, a form of denial of service against applications accepting XML input, in all known variations, including recent flavor Parameter Laughs. [1] https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0 PR: 256121 Exp-run by: antoine (cherry picked from commit 1454ab40206b85f94edb6390e0d96c9716a07399) textproc/expat2/Makefile | 13 +++++++++---- textproc/expat2/distinfo | 6 +++--- textproc/expat2/pkg-plist | 8 ++++++-- 3 files changed, 18 insertions(+), 9 deletions(-)