On Tue, Jul 15, 2014 at 1:59 PM, Bryan O'Sullivan <bos@serpentine.com> wrote:
Well, it was rather late to hear that you weren't going to upgrade attoparsec, too ;-)


On Sun, Mar 30, 2014 at 1:06 PM, Mark Lentczner <mark.lentczner@gmail.com> wrote:
SO, In anticipation of releasing a HP shortly (1 month?) after GHC 7.8... I'd like to get going on nailing down package versions.

        , incLib "attoparsec"               "0.10.4.0"

In brief, an attacker can DoS a user of attoparsec by handing them a floating point number with a sufficiently large exponent (e.g. 1e1000000000). This will cause it to try to create an Integer with the given number of digits, thus possibly OOMing a machine or crashing a process.

But only if you use the Data.Attoparsec.Text parsers double, number, and rational, right?

- Mark
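The failure mode Bryan describes above, as an added, self-contained illustration that is not attoparsec's code and not the thread's own: a minimal decimal-literal converter written against base only. The naive conversion materialises 10^exponent as an Integer before producing a Double, so "1e1000000000" forces a billion-digit allocation (hundreds of MB, plus the GMP multiplications to build it) before the result is even looked at. The guarded version first estimates the decimal magnitude from the exponent and the mantissa's digit count and short-circuits to Infinity or 0 when the value cannot possibly be a finite non-zero Double. The parser, the function names and the cut-off constants (310 and -330, chosen a little outside the Double range of roughly 1e308 down to 5e-324) are assumptions of this example; attoparsec's actual fix is not reproduced here.

```haskell
-- Added example, not attoparsec's own code: exponent amplification in a
-- decimal-literal converter and one way to bound it.
module Main where

import Control.Monad (guard)
import Data.Char (isDigit)

-- | A decomposed literal: integer mantissa (all digits, sign applied),
-- number of digits that were after the '.', and the explicit exponent.
-- "1e1000000000" parses to Lit 1 0 1000000000.
data Lit = Lit { mantissa :: Integer, fracDigits :: Int, expo :: Integer }
  deriving Show

-- | Parse "[-]digits[.digits][(e|E)[-+]digits]".  Only the decomposition
-- matters here; a real parser does the same split before converting.
parseLit :: String -> Maybe Lit
parseLit s0 = do
  let (neg, s1) = case s0 of
        ('-':r) -> (True, r)
        _       -> (False, s0)
      (intPart, s2) = span isDigit s1
  guard (not (null intPart))
  let (fracPart, s3) = case s2 of
        ('.':r) -> span isDigit r
        _       -> ("", s2)
  e <- case s3 of
        "" -> Just 0
        (c:r) | c `elem` "eE" ->
          let (sgn, r') = case r of
                ('-':t) -> (-1, t)
                ('+':t) -> (1, t)
                _       -> (1, r)
              (ds, rest) = span isDigit r'
          in if null ds || not (null rest) then Nothing else Just (sgn * read ds)
        _ -> Nothing
  let m = read (intPart ++ fracPart) :: Integer
  return (Lit (if neg then negate m else m) (length fracPart) e)

-- | The dangerous conversion: builds 10^e as an exact Integer first.
-- Cost is linear in the exponent's *value*, not in the input's length,
-- which is exactly the asymmetry an attacker wants.
naiveToDouble :: Lit -> Double
naiveToDouble (Lit m f e)
  | e' >= 0   = fromInteger (m * 10 ^ e')
  | otherwise = fromRational (fromInteger m / fromInteger (10 ^ negate e'))
  where e' = e - fromIntegral f

-- | Mitigation: estimate the decimal magnitude of m * 10^e' from the
-- mantissa's digit count (linear in input size) and refuse to do the big
-- arithmetic when the answer is provably +/-Infinity or 0.  The bounds
-- 310 / -330 are an assumption of this example, set just outside the
-- finite Double range (max ~1.8e308, smallest subnormal ~4.9e-324).
safeToDouble :: Lit -> Double
safeToDouble (Lit m f e)
  | m == 0     = 0
  | mag > 310  = if m < 0 then -1/0 else 1/0
  | mag < -330 = 0   -- sign of zero ignored for brevity
  | otherwise  = naiveToDouble (Lit m 0 e')
  where
    e'  = e - fromIntegral f
    mag = e' + fromIntegral (length (show (abs m)))

main :: IO ()
main = do
  -- Constructed inputs; the last one is the DoS case from the thread.
  let inputs = ["3.25", "-1.8e308", "2e308", "1e-400", "1e1000000000"]
  mapM_ (\s -> putStrLn (s ++ " -> " ++ maybe "parse error" (show . safeToDouble) (parseLit s))) inputs
  -- naiveToDouble (Lit 1 0 1000000000) would allocate a ~415 MB Integer
  -- before returning Infinity; deliberately not evaluated here.
```

The same guard works for any parser that converts via exact Integer arithmetic: decide from the digit count and exponent whether the result can be finite and non-zero, and only then pay for the exact computation. Note that the mantissa itself can still be made long, but that cost is proportional to bytes actually received, which is the bound a parser should have anyway.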