[PATCH] gnu: raptor2: Fix heap overflow bug.

Marius Bakke wrote on 8 Jun 2017 09:52

Recipients:(address . guix-patches@gnu.org)(name . Marius Bakke)(address . mbakke@fastmail.com)

Message-ID:20170608165252.29705-1-mbakke@fastmail.com

* gnu/packages/patches/raptor2-heap-overflow.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/rdf.scm (raptor2): Use it.
---
 gnu/local.mk                                     |  1 +
 gnu/packages/patches/raptor2-heap-overflow.patch | 51 ++++++++++++++++++++++++
 gnu/packages/rdf.scm                             |  2 +
 3 files changed, 54 insertions(+)
 create mode 100644 gnu/packages/patches/raptor2-heap-overflow.patch

Toggle diff (84 lines)diff --git a/gnu/local.mk b/gnu/local.mk
index ab3fbb2d3..660b90cf7 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -967,6 +967,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/qtscript-disable-tests.patch		\
   %D%/packages/patches/quickswitch-fix-dmenu-check.patch	\
   %D%/packages/patches/rapicorn-isnan.patch			\
+  %D%/packages/patches/raptor2-heap-overflow.patch		\
   %D%/packages/patches/ratpoison-shell.patch			\
   %D%/packages/patches/rcs-5.9.4-noreturn.patch			\
   %D%/packages/patches/readline-link-ncurses.patch		\
diff --git a/gnu/packages/patches/raptor2-heap-overflow.patch b/gnu/packages/patches/raptor2-heap-overflow.patch
new file mode 100644
index 000000000..ce2a4516f
--- /dev/null
+++ b/gnu/packages/patches/raptor2-heap-overflow.patch
@@ -0,0 +1,51 @@
+This patch addresses two heap overflow bugs in raptor2:
+
+http://seclists.org/oss-sec/2017/q2/424
+
+Patch copied from libreoffice:
+
+https://github.com/LibreOffice/core/blob/master/external/redland/raptor/0001-Calcualte-max-nspace-declarations-correctly-for-XML-.patch.1
+
+From 590681e546cd9aa18d57dc2ea1858cb734a3863f Mon Sep 17 00:00:00 2001
+From: Dave Beckett <dave@dajobe.org>
+Date: Sun, 16 Apr 2017 23:15:12 +0100
+Subject: [PATCH] Calcualte max nspace declarations correctly for XML writer
+
+(raptor_xml_writer_start_element_common): Calculate max including for
+each attribute a potential name and value.
+
+Fixes Issues #0000617 http://bugs.librdf.org/mantis/view.php?id=617
+and #0000618 http://bugs.librdf.org/mantis/view.php?id=618
+---
+ src/raptor_xml_writer.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
+index 693b946..0d3a36a 100644
+--- a/src/raptor_xml_writer.c
++++ b/src/raptor_xml_writer.c
+@@ -181,9 +181,10 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
+   size_t nspace_declarations_count = 0;  
+   unsigned int i;
+ 
+-  /* max is 1 per element and 1 for each attribute + size of declared */
+   if(nstack) {
+-    int nspace_max_count = element->attribute_count+1;
++    int nspace_max_count = element->attribute_count * 2; /* attr and value */
++    if(element->name->nspace)
++      nspace_max_count++;
+     if(element->declared_nspaces)
+       nspace_max_count += raptor_sequence_size(element->declared_nspaces);
+     if(element->xml_language)
+@@ -237,7 +238,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
+         }
+       }
+ 
+-      /* Add the attribute + value */
++      /* Add the attribute's value */
+       nspace_declarations[nspace_declarations_count].declaration=
+         raptor_qname_format_as_xml(element->attributes[i],
+                                    &nspace_declarations[nspace_declarations_count].length);
+-- 
+2.9.3
+
diff --git a/gnu/packages/rdf.scm b/gnu/packages/rdf.scm
index 7b7fe6085..6b5cfb013 100644
--- a/gnu/packages/rdf.scm
+++ b/gnu/packages/rdf.scm
@@ -53,6 +53,8 @@
              (method url-fetch)
              (uri (string-append "http://download.librdf.org/source/" name
                                  "-" version ".tar.gz"))
+             (patches
+              (search-patches "raptor2-heap-overflow.patch"))
              (sha256
               (base32
                "1vc02im4mpc28zxzgli68k6j0dakh0k3s389bm436yvqajxg19xd"))))
-- 
2.13.1

Leo Famulari wrote on 8 Jun 2017 10:09

Recipients:(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 27289@debbugs.gnu.org)

Message-ID:20170608170948.GC27164@jasmine

On Thu, Jun 08, 2017 at 06:52:52PM +0200, Marius Bakke wrote:

Toggle quote (4 lines)

> * gnu/packages/patches/raptor2-heap-overflow.patch: New file.

> * gnu/local.mk (dist_patch_DATA): Register it.

> * gnu/packages/rdf.scm (raptor2): Use it.

Thanks, looks good for raptor2!

How about libreoffice itself? It bundles this library, but I'm not sure

if it's using the bundled copy or not.

Marius Bakke wrote on 8 Jun 2017 16:20

Recipients:(name . Leo Famulari)(address . leo@famulari.name)(address . 27289@debbugs.gnu.org)

Message-ID:87ink6m5hb.fsf@fastmail.com

Leo Famulari <leo@famulari.name> writes:

Toggle quote (10 lines)> On Thu, Jun 08, 2017 at 06:52:52PM +0200, Marius Bakke wrote:
>> * gnu/packages/patches/raptor2-heap-overflow.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/rdf.scm (raptor2): Use it.
>
> Thanks, looks good for raptor2!
>
> How about libreoffice itself? It bundles this library, but I'm not sure
> if it's using the bundled copy or not.

I pushed this patch for raptor2; will look more closely into libreoffice

over the weekend.

Ludovic Courtès wrote on 20 Jul 2017 02:26

control message for bug #27289

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87y3rjwjb6.fsf@gnu.org

tags 27289 fixed

close 27289

Your comment

This issue is archived.

To comment on this conversation send an email to 27289@patchwise.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 27289

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date