Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#4861 closed enhancement (fixed)

expat-2.4.1

Reported by: Bruce Dubbs
Owned by: lfs-book
Priority: high
Milestone: 11.0
Component: Book
Version: git
Severity: normal
Keywords:
Cc:

Description

New minor version.

Change History (5)

comment:1 by Bruce Dubbs, 3 years ago

Summary: expat-2.4.0 → expat-2.4.1

Now version 2.4.1.

comment:2 by Bruce Dubbs, 3 years ago

Release 2.4.1 Sun May 23 2021

Bug fixes:

  • Autotools: Fix installed header expat_config.h for multilib systems; regression introduced in 2.4.0

Other changes:

Release 2.4.0 Sun May 23 2021

Security fixes:

  • CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks (denial-of-service; flavors targeting CPU time or RAM or both, leveraging general entities or parameter entities or both) by tracking and limiting the input amplification factor (<amplification> := (<direct> + <indirect>) / <direct>). By conservative default, amplification up to a factor of 100.0 is tolerated and rejection only starts after 8 MiB of output bytes (=<direct> + <indirect>) have been processed.

The fix adds the following to the API:

  • A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to signal this specific condition.
  • Two new API functions ..
    • XML_SetBillionLaughsAttackProtectionMaximumAmplification and
    • XML_SetBillionLaughsAttackProtectionActivationThreshold to further tighten billion laughs protection parameters when desired. Please see file "doc/reference.html" for details. If you ever need to increase the defaults for non-attack XML payload, please file a bug report with libexpat.
  • Two new XML_FEATURE_* constants ..
    • that can be queried using the XML_GetFeatureList function, and
    • that are shown in "xmlwf -v" output.
  • Two new environment variable switches ..
    • EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
    • EXPAT_ENTITY_DEBUG=(0|1) for runtime debugging of accounting and entity processing. Specific behavior of these values may change in the future.
  • Two new command line arguments "-a FACTOR" and "-b BYTES" for xmlwf to further tighten billion laughs protection parameters when desired. If you ever need to increase the defaults for non-attack XML payload, please file a bug report with libexpat.

Bug fixes:

  • For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake) or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault for UTF-16 payloads containing CDATA sections.
  • Autotools: Fix generated CMake files for non-64bit and non-Linux platforms (e.g. macOS and MinGW in particular) that were introduced with release 2.3.0

Other changes:

  • xmlwf: Improve help output and the xmlwf man page
  • xmlwf: Improve maintainability through some refactoring
  • xmlwf: Fix man page DocBook validity
  • CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR and CMAKE_INSTALL_INCLUDEDIR
  • CMake: Add support for standard variable BUILD_SHARED_LIBS
  • Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters
  • Resolve macro HAVE_EXPAT_CONFIG_H
  • Delete unused legacy helper file "conftools/PrintPath"
  • Improve attribution
  • doc/reference.html: Fix XHTML validity
  • doc/reference.html: Replace the 90s look by OK.css
  • Version info bumped from 8:0:7 to 9:0:8 due to addition of new symbols and error codes; see https://verbump.de/ for what these numbers do

Infrastructure:

  • CI: Enable periodic runs
  • CI: Start covering the list of exported symbols
  • CI: Isolate coverage task
  • CI: Adapt to breaking changes in image "ubuntu-18.04"
  • CI: Cover well-formedness and DocBook/XHTML validity of doc/reference.html and doc/xmlwf.xml
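
The amplification accounting described in the 2.4.0 notes above, as an added example written for this ticket page (not libexpat's own code). It models only the bookkeeping the release notes state: amplification = (direct + indirect) / direct, rejected when it exceeds the default factor of 100.0, but only once direct + indirect has reached the 8 MiB activation threshold. Assumptions: accounting is done over the whole document rather than expat's streaming, byte-as-processed accounting; only internal general entities are handled (no parameter or external entities); the internal subset is taken to end at the first "]>"; `billion_laughs()` and `BENIGN` are constructed inputs; `would_parse()` is a hypothetical name standing in for the library's check, and its two parameters play the role of `XML_SetBillionLaughsAttackProtectionMaximumAmplification` / `XML_SetBillionLaughsAttackProtectionActivationThreshold` (or `xmlwf -a FACTOR` / `-b BYTES`).

```python
"""
Model of expat 2.4.0's input-amplification accounting (added example, not
libexpat code). Simplifications are listed in the lead-in: whole-document
accounting, internal general entities only, internal subset ends at "]>".
"""
import re
from dataclasses import dataclass

# Defaults quoted in the 2.4.0 release notes; callers may only tighten them.
DEFAULT_MAX_AMPLIFICATION = 100.0
DEFAULT_ACTIVATION_THRESHOLD = 8 * 1024 * 1024  # output bytes = direct + indirect

_ENTITY_DECL = re.compile(rb'<!ENTITY\s+([^\s%]\S*)\s+(["\'])(.*?)\2\s*>', re.S)
_ENTITY_REF = re.compile(rb'&([A-Za-z_][\w.-]*);')


def split_internal_subset(doc: bytes):
    """Return (internal DTD subset, document body); assumes "]>" closes the subset."""
    end = doc.find(b']>')
    return (doc[:end + 2], doc[end + 2:]) if end != -1 else (b'', doc)


def general_entities(dtd: bytes) -> dict:
    """Internal general entity declarations: name -> literal replacement text."""
    return {m.group(1): m.group(3) for m in _ENTITY_DECL.finditer(dtd)}


def indirect_bytes(name: bytes, entities: dict, _stack=()) -> int:
    """Bytes produced by fully expanding one reference to `name`.

    Each replacement text is counted once when it is expanded, plus whatever
    the references inside it expand to; the nesting is what multiplies.
    """
    if name in _stack:
        raise ValueError(f"recursive entity {name!r}")  # forbidden by XML anyway
    value = entities.get(name)
    if value is None:
        return 0  # predefined (&amp; ...) or undeclared: nothing to expand
    total = len(value)
    for ref in _ENTITY_REF.finditer(value):
        total += indirect_bytes(ref.group(1), entities, _stack + (name,))
    return total


@dataclass
class Accounting:
    direct: int    # bytes read from the input document
    indirect: int  # bytes produced by entity expansion

    @property
    def output(self) -> int:
        return self.direct + self.indirect

    @property
    def amplification(self) -> float:
        return self.output / self.direct if self.direct else 1.0


def account(doc: bytes) -> Accounting:
    dtd, body = split_internal_subset(doc)
    entities = general_entities(dtd)
    indirect = sum(indirect_bytes(m.group(1), entities)
                   for m in _ENTITY_REF.finditer(body))
    return Accounting(direct=len(doc), indirect=indirect)


def would_parse(acc: Accounting,
                max_amplification: float = DEFAULT_MAX_AMPLIFICATION,
                activation_threshold: int = DEFAULT_ACTIVATION_THRESHOLD) -> bool:
    """False where expat 2.4.0 would stop with XML_ERROR_AMPLIFICATION_LIMIT_BREACH."""
    if acc.output < activation_threshold:
        return True  # below the threshold the factor is not enforced at all
    return acc.amplification <= max_amplification


def billion_laughs(depth: int, fanout: int = 10) -> bytes:
    """Constructed billion-laughs payload: `depth` levels, `fanout` references wide."""
    decls = [b'<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = b'lol' if i == 1 else b'lol%d' % (i - 1)
        decls.append(b'<!ENTITY lol%d "%s">' % (i, (b'&%s;' % prev) * fanout))
    return (b'<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + b'\n'.join(decls)
            + b'\n]>\n<lolz>&lol%d;</lolz>\n' % depth)


# Constructed non-attack document: entity use with a small, constant expansion.
BENIGN = (b'<?xml version="1.0"?>\n<!DOCTYPE d [<!ENTITY co "Example Corp">]>\n'
          b'<d>&co; &amp; &co;</d>\n')


if __name__ == "__main__":
    cases = [("benign", BENIGN)] + [(f"depth {d}", billion_laughs(d)) for d in (4, 6, 9)]
    for label, doc in cases:
        acc = account(doc)
        print(f"{label:8} direct={acc.direct:4d} indirect={acc.indirect:11d} "
              f"amp={acc.amplification:12.1f} "
              f"default={'ok' if would_parse(acc) else 'BREACH'} "
              f"-a 10 -b 1024={'ok' if would_parse(acc, 10.0, 1024) else 'BREACH'}")
```

Running it shows the two knobs acting separately: a depth-4 payload amplifies more than 200x yet passes the defaults because its output stays far below 8 MiB, while tightening the threshold to 1024 bytes and the factor to 10 rejects it; from depth 6 on the output crosses 8 MiB and the default factor of 100 stops it, as it would a real nine-level document.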

comment:3 by Bruce Dubbs, 3 years ago

Resolution: fixed
Status: new → closed

Fixed at af4f4bfa8ccaa4e88bbe8bc13a17f7e3240a5cb6

Package updates.
    Update to iana-etc-20210526.
    Update to vim-8.2.2890.
    Update to zstd-1.5.0.
    Update to perl-5.34.0.
    Update to linux-5.12.7.
    Update to libcap-2.50.
    Update to kmod-29.
    Update to expat-2.4.1.
    Update to elfutils-0.185.
    Update to bc-4.0.2.

comment:4 by ken@…, 3 years ago

Priority: normal → high

Retrospectively increasing the priority to high (in the absence of an Elevated option in LFS); in fact the severity is probably only Medium. That CVE was fixed in expat-2.2, looks as if the error either got reintroduced at some point, or the fix was incomplete. No current score at NVD, but they agree it was fixed in 2.4.0.

comment:5 by ken@…, 3 years ago

Security Advisory SA 10.1-052 created.

It looks as if the protection against DoS has been enhanced, i.e. this does not fix a fresh vulnerability.
