Date: Mon, 9 Nov 2020 05:30:11 +0000 (UTC) From: "Tobias C. Berner" <tcberner@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r554671 - in head/textproc/raptor2: . files Message-ID: <202011090530.0A95UBg3060611@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: tcberner Date: Mon Nov 9 05:30:10 2020 New Revision: 554671 URL: https://svnweb.freebsd.org/changeset/ports/554671 Log: textproc/raptor2 heap overflow According to https://www.openwall.com/lists/oss-security/2017/06/07/1 there are two heap overflows in raptor 2.0.15. A CVE has been assigned: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18926 The upstream raptor github repo has a patch: https://github.com/dajobe/raptor/commit/590681e546cd9aa18d57dc2ea1858cb734a3863f.patch PR: 250971 Submitted by: truckman MFH: 2020Q4 Security: CVE-2017-18926 Added: head/textproc/raptor2/files/ head/textproc/raptor2/files/patch-CVE-2017-18926 (contents, props changed) Modified: head/textproc/raptor2/Makefile Modified: head/textproc/raptor2/Makefile ============================================================================== --- head/textproc/raptor2/Makefile Mon Nov 9 05:28:05 2020 (r554670) +++ head/textproc/raptor2/Makefile Mon Nov 9 05:30:10 2020 (r554671) @@ -3,7 +3,7 @@ PORTNAME= raptor2 PORTVERSION= 2.0.15 -PORTREVISION= 15 +PORTREVISION= 16 CATEGORIES= textproc MASTER_SITES= http://download.librdf.org/source/ \ SF/librdf/${PORTNAME}/${PORTVERSION} Added: head/textproc/raptor2/files/patch-CVE-2017-18926 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/textproc/raptor2/files/patch-CVE-2017-18926 Mon Nov 9 05:30:10 2020 (r554671) @@ -0,0 +1,40 @@ +From 590681e546cd9aa18d57dc2ea1858cb734a3863f Mon Sep 17 00:00:00 2001 +From: Dave Beckett <dave@dajobe.org> +Date: Sun, 16 Apr 2017 23:15:12 +0100 +Subject: [PATCH] Calcualte max nspace declarations correctly for XML writer + +(raptor_xml_writer_start_element_common): Calculate max including for +each attribute a potential name and value. + +Fixes Issues #0000617 http://bugs.librdf.org/mantis/view.php?id=617 +and #0000618 http://bugs.librdf.org/mantis/view.php?id=618 +--- + src/raptor_xml_writer.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git src/raptor_xml_writer.c.orig src/raptor_xml_writer.c +index 693b9468..0d3a36a5 100644 +--- src/raptor_xml_writer.c.orig ++++ src/raptor_xml_writer.c +@@ -181,9 +181,10 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer, + size_t nspace_declarations_count = 0; + unsigned int i; + +- /* max is 1 per element and 1 for each attribute + size of declared */ + if(nstack) { +- int nspace_max_count = element->attribute_count+1; ++ int nspace_max_count = element->attribute_count * 2; /* attr and value */ ++ if(element->name->nspace) ++ nspace_max_count++; + if(element->declared_nspaces) + nspace_max_count += raptor_sequence_size(element->declared_nspaces); + if(element->xml_language) +@@ -237,7 +238,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer, + } + } + +- /* Add the attribute + value */ ++ /* Add the attribute's value */ + nspace_declarations[nspace_declarations_count].declaration= + raptor_qname_format_as_xml(element->attributes[i], + &nspace_declarations[nspace_declarations_count].length);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202011090530.0A95UBg3060611>