Recursion kills: The story behind CVE-2024-8176 in libexpat


Expat 2.7.0 released, includes security fixes

For readers new to Expat: libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, specifically C99.

In July 2022 — roughly two and a half years ago — Jann Horn of Google Project Zero and Spectre/Meltdown fame reached out to me via e-mail with a finding in libexpat, including an idea for a fix. That it would be a pile of work, not a good match to my unpaid voluntary role in Expat as an addition to my unrelated-to-Expat day job, and not without risk without a partner at detail level on the topic. One reason why I was objecting to publication without a fix was that it was clear that in lack of a cheap clean fix, vendors and distributions would start applying quick hacks that would produce false positives (i.e. rejecting well-formed benign XML misclassified as an attack), leave half of the issue unfixed, and leave the ecosystem with a potentially heterogeneous state of downstream patches where — say — in openSUSE a file would be rejected but in Debian it would parse fine — or the other way around: a great mess.
