liblua5.1-expat0 vulnerable to "billion laughs" attack?

Bug #793582 reported by Patrick G.
Affects: lua-expat (Ubuntu)
Status: Confirmed
Importance: Medium
Assigned to: Unassigned
Milestone:

Bug Description

Binary package hint: liblua5.1-expat0

Name: liblua5.1-expat0
Latest version: 1.1.0-3ubuntu1
Release: natty (11.04)

Anything below LuaExpat 1.1.1 is vulnerable to the "billion laughs" attack.
Version 1.2.0 has been released.

http://article.gmane.org/gmane.comp.lang.lua.general/79336

Is the Ubuntu supplied version vulnerable?

The Jabber server "Prosody" ( http://prosody.im/doc/depends#luaexpat ) uses luaexpat.

---

Description: Ubuntu 11.04
Release: 11.04

liblua5.1-expat0:
  Installed: 1.1.0-3ubuntu1
  Candidate: 1.1.0-3ubuntu1
  Version table:
 *** 1.1.0-3ubuntu1 0
        500 http://de.archive.ubuntu.com/ubuntu/ natty/universe i386 Packages
        100 /var/lib/dpkg/status
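
An added illustration of the entity-expansion problem the report describes, written against the same Expat library through Python's xml.parsers.expat binding; it is not code from the bug thread, from LuaExpat or from Prosody, and the two documents in it are constructed for the demonstration. The check simply refuses any document that declares its own entities, which is an application-side mitigation and not the change made in LuaExpat 1.1.1.

```python
import xml.parsers.expat


class EntityDeclarationRejected(Exception):
    """Raised when a document tries to declare its own entities."""


def parse(xml_bytes: bytes, reject_entities: bool = True) -> tuple:
    """Return (accepted, expanded_chars) for xml_bytes.

    reject_entities=True aborts on the first <!ENTITY ...> declaration, before
    Expat expands anything; False behaves like a plain Expat client, and the
    character count then shows the amplification the application would absorb.
    """
    parser = xml.parsers.expat.ParserCreate()
    chars = 0

    def on_chars(data):
        nonlocal chars
        chars += len(data)  # expanded entity text arrives here

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Expat reports every entity declaration while reading the DTD,
        # so refusing here happens before any reference is expanded.
        raise EntityDeclarationRejected(f"entity {name!r} declared in input")

    parser.CharacterDataHandler = on_chars
    if reject_entities:
        parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(xml_bytes, True)  # a handler exception propagates here
    except EntityDeclarationRejected:
        return (False, chars)
    return (True, chars)


# Constructed sample inputs (not from the bug thread). The second nests two
# entities referenced ten times each: 100 copies of "lol" (300 characters).
BENIGN_DOC = b"<message to='alice@example.org'><body>hi</body></message>"
EXPANDING_DOC = b"""<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("expanding", EXPANDING_DOC)):
        print(label, "strict:", parse(doc), "unrestricted:", parse(doc, False))
```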

Patrick G. (elgato) wrote:

Debian Wheezy offers 1.2.0-1
Ubuntu Oneiric does not :(

http://packages.debian.org/wheezy/liblua5.1-expat0

Patrick G. (elgato) wrote:

Workaround:

The Debian package works fine on Ubuntu.

http://packages.debian.org/wheezy/i386/liblua5.1-expat0/download

dpkg -i liblua5.1-expat0_1.2.0-1_i386.deb

Marc Deslauriers (mdeslaur) wrote:

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

visibility: private → public
Changed in lua-expat (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Patrick G. (elgato) wrote:

Thank you for the info.

But I really don't know how to create a proper debdiff file.
If I use debdiff with those two debs I just get this:

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: libc6 (>= [-2.4),-] {+2.1.3),+} libexpat1 (>= 1.95.8)
Maintainer: [-Ubuntu Developers <email address hidden>-]
[-Original-Maintainer:-] Enrico Tassi <email address hidden>
Version: [-1.1.0-3ubuntu1-] {+1.2.0-1+}

This report contains Public Security information
Everyone can see this security related information.
