15 Jul 2014, 4:59 p.m.
On Tue, Jul 15, 2014 at 1:43 PM, Mark Lentczner
This is rather late to hear this... given that I plan to Alpha this weekend or sooner.
Can you quantify the security fixes? Do they only revolve around floats?
Well, it was rather late to hear that you weren't going to upgrade attoparsec, too ;-) In brief, an attacker can DoS a user of attoparsec by handing them a floating point number with a sufficiently large exponent (e.g. 1e1000000000). This will cause it to try to create an Integer with the given number of digits, thus possibly OOMing a machine or crashing a process.
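An added illustration of the failure mode described above and the usual mitigation, written in Python rather than Haskell and not taken from the thread or from attoparsec itself. The grammar below is a constructed approximation of a decimal-literal parser; `MAX_EXPONENT` is an assumed bound (roughly the IEEE double range), and the point it demonstrates is that the exponent must be bounded while it is still text, before anything computes `10 ** exponent`.

```python
import re
from fractions import Fraction

# Constructed grammar: sign, integer digits, optional fraction, optional exponent.
_NUMBER = re.compile(r'^([+-]?)([0-9]+)(?:\.([0-9]+))?(?:[eE]([+-]?[0-9]+))?$')

# Assumption: nothing beyond the range of an IEEE double is worth building exactly.
MAX_EXPONENT = 400


class ExponentTooLarge(ValueError):
    """Raised when an exponent would force construction of a huge integer."""


def parse_decimal(text, max_exponent=MAX_EXPONENT):
    """Parse a decimal literal into an exact Fraction, refusing oversized exponents.

    The unguarded version of this routine computes 10 ** exponent as soon as it
    has read the exponent digits; for an input like 1e1000000000 that means
    allocating a billion-digit integer, which is the OOM/DoS the thread describes.
    """
    m = _NUMBER.match(text)
    if not m:
        raise ValueError("not a decimal literal: %r" % (text,))
    sign, int_part, frac_part, exp_text = m.groups()
    frac_part = frac_part or ""

    exponent = 0
    if exp_text is not None:
        negative_exp = exp_text.startswith("-")
        exp_digits = exp_text.lstrip("+-").lstrip("0") or "0"
        # Decide on the textual length first: a 10-digit exponent can never be
        # within bounds, so there is no reason to even convert it to an int.
        if len(exp_digits) > len(str(max_exponent)):
            raise ExponentTooLarge("exponent %s has too many digits" % exp_text)
        exponent = int(exp_digits)
        if negative_exp:
            exponent = -exponent
        if abs(exponent) > max_exponent:
            raise ExponentTooLarge("exponent %d exceeds bound %d" % (exponent, max_exponent))

    # Only now is it safe to build the value; the scale is bounded by
    # max_exponent plus the length of the fractional part actually supplied.
    digits = int(int_part + frac_part)
    scale = exponent - len(frac_part)
    value = Fraction(digits) * (Fraction(10) ** scale)
    return -value if sign == "-" else value


if __name__ == "__main__":
    print(parse_decimal("1.5e3"))  # 1500
    try:
        parse_decimal("1e1000000000")
    except ExponentTooLarge as e:
        print("rejected:", e)
```

The check is deliberately placed before any arithmetic on the exponent, and it is keyed on digit count rather than on the parsed integer: an attacker who controls the input controls the length of the exponent string, so the cost of the parser must stay proportional to that length, never to the value it denotes.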