Status of Haskell Platform 2014.2.0.0
Bryan O'Sullivan
bos at serpentine.com
Tue Jul 15 20:59:38 UTC 2014
On Tue, Jul 15, 2014 at 1:43 PM, Mark Lentczner <mark.lentczner at gmail.com>
wrote:
> This is rather late to hear this... given that I plan to Alpha this
> weekend or sooner.
>
> Can you quantify the security fixes? Do they only revolve around floats?
>
Well, it was rather late to hear that you weren't going to upgrade
attoparsec, too ;-)
In brief, an attacker can DoS a user of attoparsec by handing them a
floating point number with a sufficiently large exponent (e.g.
1e1000000000). This will cause it to try to create an Integer with the
given number of digits, thus possibly OOMing a machine or crashing a
process.
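The failure mode described above, written out as an added example in Python (this is illustration code, not attoparsec's parser and not the fix that went into attoparsec). The grammar, the names `parse_naive` and `parse_bounded`, and the exponent bound of 400 are assumptions made for this example. The naive parser scales an arbitrary-precision integer by 10**exponent before converting to a double, so its memory and time cost is proportional to the *value* of the exponent rather than the length of the input; the bounded variant decides from the exponent alone, before any big-integer arithmetic, whether the result can be anything other than infinity or zero. A helper reports how many decimal digits the naive path would allocate, so the 1e1000000000 case can be examined without actually triggering it.

```python
import math
import re
from fractions import Fraction

# Number grammar accepted by both parsers (an assumption for this example, not
# attoparsec's grammar): optional sign, digits, optional fraction, optional exponent.
_NUMBER = re.compile(r"(-?)(\d+)(?:\.(\d+))?(?:[eE]([+-]?\d+))?")

# An IEEE-754 double overflows to infinity above roughly 1e309 and underflows to
# zero below roughly 1e-324, so no base-10 exponent beyond this bound can change
# the result.  400 is an assumed value chosen with headroom on both sides.
MAX_EFFECTIVE_EXPONENT = 400


def _split(text):
    """Return (negative, digit_string, effective_exponent) or raise ValueError.

    value == int(digit_string) * 10 ** effective_exponent
    """
    m = _NUMBER.fullmatch(text)
    if m is None:
        raise ValueError(f"not a number: {text!r}")
    sign, int_part, frac_part, exp_part = m.groups()
    frac_part = frac_part or ""
    exp = int(exp_part) if exp_part else 0
    return sign == "-", int_part + frac_part, exp - len(frac_part)


def integer_digits_materialised(text):
    """Decimal digits of the largest big integer parse_naive would build for
    this input, computed without building it."""
    _, digits, exp = _split(text)
    if exp >= 0:
        return len(digits) + exp          # mantissa * 10**exp
    return max(len(digits), -exp + 1)     # mantissa versus the 10**(-exp) denominator


def parse_naive(text):
    """The vulnerable pattern: materialise mantissa * 10**exp (or its reciprocal)
    as exact integers, then convert.  '1e1000000000' is 12 bytes of input but
    asks for a 1,000,000,001-digit integer, roughly 415 MB, before any
    overflow check can run.  Do not call this on attacker-controlled input."""
    negative, digits, exp = _split(text)
    mant = int(digits)
    value = Fraction(mant * 10 ** exp) if exp >= 0 else Fraction(mant, 10 ** -exp)
    result = float(value)
    return -result if negative else result


def parse_bounded(text):
    """Hardened variant (an assumed approach for this example, not attoparsec's
    own fix): reject or short-circuit on the exponent before touching big
    integers, so the work done is bounded by the length of the input."""
    negative, digits, exp = _split(text)
    stripped = digits.lstrip("0")
    if not stripped:                              # 0, 0.000, 0e999999999 ...
        return -0.0 if negative else 0.0
    # Decimal exponent of the leading non-zero digit: value lies in
    # [10**leading_exp, 10**(leading_exp + 1)).
    leading_exp = exp + len(stripped) - 1
    if leading_exp > MAX_EFFECTIVE_EXPONENT:
        return -math.inf if negative else math.inf
    if leading_exp < -MAX_EFFECTIVE_EXPONENT:
        return -0.0 if negative else 0.0
    # From here on |exp| is within MAX_EFFECTIVE_EXPONENT + len(stripped), so the
    # integers built below are proportional to the input size.  (CPython 3.11+
    # additionally caps int(str) at 4300 digits by default, the same class of defence.)
    mant = int(stripped)
    value = Fraction(mant * 10 ** exp) if exp >= 0 else Fraction(mant, 10 ** -exp)
    try:
        result = float(value)
    except OverflowError:                         # e.g. 9e400 slips past the bound
        result = math.inf
    return -result if negative else result


if __name__ == "__main__":
    for sample in ("1e20", "-12.5e-1", "3.14159", "1e1000000000", "1e-1000000000"):
        print(f"{sample:>16}: would allocate {integer_digits_materialised(sample):,} digits;"
              f" bounded parser returns {parse_bounded(sample)!r}")
```

Running the block prints, for each constructed sample, the digit count the naive path would allocate and what the bounded parser returns instead; `parse_naive` is only worth calling on the small samples. The bound is checked on the exponent of the leading non-zero digit rather than on the raw exponent field so that inputs such as `0.000e999999999` or a long mantissa with a large negative exponent are handled by the same test.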
More information about the ghc-devs mailing list