Status of Haskell Platform 2014.2.0.0

Bryan O'Sullivan bos at serpentine.com
Tue Jul 15 20:59:38 UTC 2014


On Tue, Jul 15, 2014 at 1:43 PM, Mark Lentczner <mark.lentczner at gmail.com>
wrote:

> This is rather late to hear this... given that I plan to Alpha this
> weekend or sooner.
>
> Can you quantify the security fixes? Do they only revolve around floats?
>

Well, it was rather late to hear that you weren't going to upgrade
attoparsec, too ;-)

In brief, an attacker can DoS a user of attoparsec by handing them a
floating point number with a sufficiently large exponent (e.g.
1e1000000000). This will cause it to try to create an Integer with the
given number of digits, thus possibly OOMing a machine or crashing a
process.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.haskell.org/pipermail/libraries/attachments/20140715/fc84345e/attachment.html>


More information about the Libraries mailing list