[PATCH] gnu: raptor2: Fix heap overflow bug.

Status: Done
Participants: Leo Famulari, Ludovic Courtès, Marius Bakke
Owner: unassigned
Submitted by: Marius Bakke
Severity: normal
Marius Bakke wrote on 8 Jun 2017 09:52
To: guix-patches@gnu.org, Marius Bakke <mbakke@fastmail.com>
Message-ID: 20170608165252.29705-1-mbakke@fastmail.com
* gnu/packages/patches/raptor2-heap-overflow.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/rdf.scm (raptor2): Use it.
---
gnu/local.mk | 1 +
gnu/packages/patches/raptor2-heap-overflow.patch | 51 ++++++++++++++++++++++++
gnu/packages/rdf.scm | 2 +
3 files changed, 54 insertions(+)
create mode 100644 gnu/packages/patches/raptor2-heap-overflow.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index ab3fbb2d3..660b90cf7 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -967,6 +967,7 @@ dist_patch_DATA = \
%D%/packages/patches/qtscript-disable-tests.patch \
%D%/packages/patches/quickswitch-fix-dmenu-check.patch \
%D%/packages/patches/rapicorn-isnan.patch \
+ %D%/packages/patches/raptor2-heap-overflow.patch \
%D%/packages/patches/ratpoison-shell.patch \
%D%/packages/patches/rcs-5.9.4-noreturn.patch \
%D%/packages/patches/readline-link-ncurses.patch \
diff --git a/gnu/packages/patches/raptor2-heap-overflow.patch b/gnu/packages/patches/raptor2-heap-overflow.patch
new file mode 100644
index 000000000..ce2a4516f
--- /dev/null
+++ b/gnu/packages/patches/raptor2-heap-overflow.patch
@@ -0,0 +1,51 @@
+This patch addresses two heap overflow bugs in raptor2:
+
+http://seclists.org/oss-sec/2017/q2/424
+
+Patch copied from libreoffice:
+
+https://github.com/LibreOffice/core/blob/master/external/redland/raptor/0001-Calcualte-max-nspace-declarations-correctly-for-XML-.patch.1
+
+From 590681e546cd9aa18d57dc2ea1858cb734a3863f Mon Sep 17 00:00:00 2001
+From: Dave Beckett <dave@dajobe.org>
+Date: Sun, 16 Apr 2017 23:15:12 +0100
+Subject: [PATCH] Calcualte max nspace declarations correctly for XML writer
+
+(raptor_xml_writer_start_element_common): Calculate max including for
+each attribute a potential name and value.
+
+Fixes Issues #0000617 http://bugs.librdf.org/mantis/view.php?id=617
+and #0000618 http://bugs.librdf.org/mantis/view.php?id=618
+---
+ src/raptor_xml_writer.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
+index 693b946..0d3a36a 100644
+--- a/src/raptor_xml_writer.c
++++ b/src/raptor_xml_writer.c
+@@ -181,9 +181,10 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
+ size_t nspace_declarations_count = 0;
+ unsigned int i;
+
+- /* max is 1 per element and 1 for each attribute + size of declared */
+ if(nstack) {
+- int nspace_max_count = element->attribute_count+1;
++ int nspace_max_count = element->attribute_count * 2; /* attr and value */
++ if(element->name->nspace)
++ nspace_max_count++;
+ if(element->declared_nspaces)
+ nspace_max_count += raptor_sequence_size(element->declared_nspaces);
+ if(element->xml_language)
+@@ -237,7 +238,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
+ }
+ }
+
+- /* Add the attribute + value */
++ /* Add the attribute's value */
+ nspace_declarations[nspace_declarations_count].declaration=
+ raptor_qname_format_as_xml(element->attributes[i],
+ &nspace_declarations[nspace_declarations_count].length);
+--
+2.9.3
+
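Review bot: the preamble should say how this patch can eventually be retired: it names the upstream commit (590681e546cd9aa18d57dc2ea1858cb734a3863f) and the LibreOffice copy it was taken from, but not whether any raptor2 release contains the fix, so whoever next updates raptor2 cannot tell when to drop it; a sentence stating the first upstream release that includes it (or that none does yet) would help. In the inner hunk at -181 the old sizing comment is deleted and only "/* attr and value */" remains; since the whole fix is that each attribute may contribute two declarations (its qname and its value) plus one for the element's own namespace, a one-line comment restating that formula keeps the bound auditable against the later "Add the attribute's value" step. The second inner hunk (-237) only rewords a comment and carries no behavioural change, which is worth saying in the preamble so reviewers know the entire fix is the new nspace_max_count computation.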
diff --git a/gnu/packages/rdf.scm b/gnu/packages/rdf.scm
index 7b7fe6085..6b5cfb013 100644
--- a/gnu/packages/rdf.scm
+++ b/gnu/packages/rdf.scm
@@ -53,6 +53,8 @@
(method url-fetch)
(uri (string-append "http://download.librdf.org/source/" name
"-" version ".tar.gz"))
+ (patches
+ (search-patches "raptor2-heap-overflow.patch"))
(sha256
(base32
"1vc02im4mpc28zxzgli68k6j0dakh0k3s389bm436yvqajxg19xd"))))
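Review bot: the vendored patch carries nested "diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c" headers, so the default -p1 strip applies it without a patch-flags override; please confirm with a build that the hunk at -181 still applies cleanly against the pinned tarball (the patch was generated against upstream git, not the release), since a context mismatch here would fail the build rather than silently skip the fix.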
--
2.13.1
Leo Famulari wrote on 8 Jun 2017 10:09
To: Marius Bakke <mbakke@fastmail.com>, 27289@debbugs.gnu.org
Message-ID: 20170608170948.GC27164@jasmine
On Thu, Jun 08, 2017 at 06:52:52PM +0200, Marius Bakke wrote:
> * gnu/packages/patches/raptor2-heap-overflow.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/rdf.scm (raptor2): Use it.

Thanks, looks good for raptor2!

How about libreoffice itself? It bundles this library, but I'm not sure
if it's using the bundled copy or not.


Marius Bakke wrote on 8 Jun 2017 16:20
To: Leo Famulari <leo@famulari.name>, 27289@debbugs.gnu.org
Message-ID: 87ink6m5hb.fsf@fastmail.com
Leo Famulari <leo@famulari.name> writes:

> On Thu, Jun 08, 2017 at 06:52:52PM +0200, Marius Bakke wrote:
>> * gnu/packages/patches/raptor2-heap-overflow.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/rdf.scm (raptor2): Use it.
>
> Thanks, looks good for raptor2!
>
> How about libreoffice itself? It bundles this library, but I'm not sure
> if it's using the bundled copy or not.

I pushed this patch for raptor2; will look more closely into libreoffice
over the weekend.

Ludovic Courtès wrote on 20 Jul 2017 02:26
control message for bug #27289
To: control@debbugs.gnu.org
Message-ID: 87y3rjwjb6.fsf@gnu.org
tags 27289 fixed
close 27289