-rw-r--r-- | bus/config-loader-expat.c | 14 | ||||
-rw-r--r-- | configure.ac | 8 |
2 files changed, 22 insertions, 0 deletions
diff --git a/bus/config-loader-expat.c b/bus/config-loader-expat.c
index b571fda3..27cbe2d0 100644
--- a/bus/config-loader-expat.c
+++ b/bus/config-loader-expat.c
@@ -203,6 +203,20 @@ bus_config_load (const DBusString *file,
 goto failed;
 }
 
+ /* We do not need protection against hash collisions (CVE-2012-0876)
+ * because we are only parsing trusted XML; and if we let Expat block
+ * waiting for the CSPRNG to be initialized, as it does by default to
+ * defeat CVE-2012-0876, it can cause timeouts during early boot on
+ * entropy-starved embedded devices.
+ *
+ * TODO: When Expat gets a more explicit API for this than
+ * XML_SetHashSalt, check for that too, and use it preferentially.
+ * https://github.com/libexpat/libexpat/issues/91 */
+#if defined(HAVE_XML_SETHASHSALT)
+ /* Any nonzero number will do. https://xkcd.com/221/ */
+ XML_SetHashSalt (expat, 4);
+#endif
+
 if (!_dbus_string_get_dirname (file, &dirname))
 {
 dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL);
diff --git a/configure.ac b/configure.ac
index 52da11fb..c4022ed7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -938,6 +938,14 @@ XML_CFLAGS=
 AC_SUBST([XML_CFLAGS])
 AC_SUBST([XML_LIBS])
 
+save_cflags="$CFLAGS"
+save_libs="$LIBS"
+CFLAGS="$CFLAGS $XML_CFLAGS"
+LIBS="$LIBS $XML_LIBS"
+AC_CHECK_FUNCS([XML_SetHashSalt])
+CFLAGS="$save_cflags"
+LIBS="$save_libs"
+
 # Thread lib detection
 AC_ARG_VAR([THREAD_LIBS])
 save_libs="$LIBS"
|
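Review bot: The constant salt in `XML_SetHashSalt (expat, 4);` makes Expat's hash layout predictable for every document this parser reads, so the collision-flooding defence now rests entirely on the comment's claim that the XML is trusted, and nothing in the visible lines checks that claim. I would add the invariant to the comment, e.g. `* Invariant: every file parsed here, including any file it pulls in, is writable only by root or the bus owner; revisit the fixed salt if this loader ever reads other input.` The call's return value is also discarded; as far as I know Expat returns zero when the salt cannot be set (parsing already started), and a silent failure would bring back the blocking entropy read this commit is avoiding, so a `_dbus_verbose` message on a zero return would help. bus_config_load starts and ends outside this hunk, so where `expat` is created relative to this call is not visible.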
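Review bot: Nothing in the added `AC_CHECK_FUNCS([XML_SetHashSalt])` reports a miss, so a build where the link test fails (for example a stale `XML_LIBS` or a cross-compilation quirk) silently produces a daemon with the salt call compiled out under `HAVE_XML_SETHASHSALT` and Expat's default behaviour back in place. A notice in the not-found branch would make that visible in the configure output: `AC_CHECK_FUNCS([XML_SetHashSalt], [], [AC_MSG_NOTICE([XML_SetHashSalt not found; Expat default hash salting will be used])])`. The check is a link test only, so the temporary `CFLAGS` change is probably unnecessary, though harmless.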