Re-transpile from Expat >=2.4.0 to gain protection against Billion Laughs Attacks (CVE-2013-0340)?

[hartwork]

Hi!

Expat is protecting against Billion Laughs Attacks since release 2.4.0, release 2.4.1 being the latest upstream. Is there interest in re-transpiling to import that fix to CVE-2013-0340 into rexpat?

Best, Sebastian

[ahomescu]

We have a large stack of changes on top of the previous transpilation, and re-transpiling would break all of them so it would probably be a huge amount of work.

It might be easier to port all the changes since 2.2.9 manually to our code, or at least the fix you mentioned. We'll need to take a look at that and see how much effort it would be (compared to re-transpiling).

[hartwork]

I understand. Thanks for your reply!

[ahomescu]

I looked at the list of recent expat commits, and it looks like porting those over is also a giant task. I'm reconsidering your proposal of re-transpiling, it might work if we did that on a new branch and then rebased all our rewrites on top of it. That's still a non-trivial amount of work, but we can give it a try when we have some spare cycles.

[hartwork]

Cool! Thanks for the update.