[PATCH] gnu: raptor2: Fix heap overflow bug.

Done. Submitted by Marius Bakke.
Details
3 participants
  • Leo Famulari
  • Ludovic Courtès
  • Marius Bakke
Owner
unassigned
Severity
normal
Marius Bakke wrote on 8 Jun 2017 18:52
Addresses: guix-patches@gnu.org, Marius Bakke <mbakke@fastmail.com>
20170608165252.29705-1-mbakke@fastmail.com
* gnu/packages/patches/raptor2-heap-overflow.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/rdf.scm (raptor2): Use it.
---
 gnu/local.mk                                     |  1 +
 gnu/packages/patches/raptor2-heap-overflow.patch | 51 ++++++++++++++++++++++++
 gnu/packages/rdf.scm                             |  2 +
 3 files changed, 54 insertions(+)
 create mode 100644 gnu/packages/patches/raptor2-heap-overflow.patch
Toggle diff (84 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex ab3fbb2d3..660b90cf7 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -967,6 +967,7 @@ dist_patch_DATA = \ %D%/packages/patches/qtscript-disable-tests.patch \ %D%/packages/patches/quickswitch-fix-dmenu-check.patch \ %D%/packages/patches/rapicorn-isnan.patch \+ %D%/packages/patches/raptor2-heap-overflow.patch \ %D%/packages/patches/ratpoison-shell.patch \ %D%/packages/patches/rcs-5.9.4-noreturn.patch \ %D%/packages/patches/readline-link-ncurses.patch \diff --git a/gnu/packages/patches/raptor2-heap-overflow.patch b/gnu/packages/patches/raptor2-heap-overflow.patchnew file mode 100644index 000000000..ce2a4516f--- /dev/null+++ b/gnu/packages/patches/raptor2-heap-overflow.patch@@ -0,0 +1,51 @@+This patch addresses two heap overflow bugs in raptor2:++http://seclists.org/oss-sec/2017/q2/424++Patch copied from libreoffice:++https://github.com/LibreOffice/core/blob/master/external/redland/raptor/0001-Calcualte-max-nspace-declarations-correctly-for-XML-.patch.1++From 590681e546cd9aa18d57dc2ea1858cb734a3863f Mon Sep 17 00:00:00 2001+From: Dave Beckett <dave@dajobe.org>+Date: Sun, 16 Apr 2017 23:15:12 +0100+Subject: [PATCH] Calcualte max nspace declarations correctly for XML writer++(raptor_xml_writer_start_element_common): Calculate max including for+each attribute a potential name and value.++Fixes Issues #0000617 http://bugs.librdf.org/mantis/view.php?id=617+and #0000618 http://bugs.librdf.org/mantis/view.php?id=618+---+ src/raptor_xml_writer.c | 7 ++++---+ 1 file changed, 4 insertions(+), 3 deletions(-)++diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c+index 693b946..0d3a36a 100644+--- a/src/raptor_xml_writer.c++++ b/src/raptor_xml_writer.c+@@ -181,9 +181,10 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,+ size_t nspace_declarations_count = 0; + unsigned int i;+ +- /* max is 1 per element and 1 for each attribute + size of declared */+ if(nstack) {+- int nspace_max_count = 
element->attribute_count+1;++ int nspace_max_count = element->attribute_count * 2; /* attr and value */++ if(element->name->nspace)++ nspace_max_count++;+ if(element->declared_nspaces)+ nspace_max_count += raptor_sequence_size(element->declared_nspaces);+ if(element->xml_language)+@@ -237,7 +238,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,+ }+ }+ +- /* Add the attribute + value */++ /* Add the attribute's value */+ nspace_declarations[nspace_declarations_count].declaration=+ raptor_qname_format_as_xml(element->attributes[i],+ &nspace_declarations[nspace_declarations_count].length);+-- +2.9.3+diff --git a/gnu/packages/rdf.scm b/gnu/packages/rdf.scmindex 7b7fe6085..6b5cfb013 100644--- a/gnu/packages/rdf.scm+++ b/gnu/packages/rdf.scm@@ -53,6 +53,8 @@ (method url-fetch) (uri (string-append "http://download.librdf.org/source/" name "-" version ".tar.gz"))+ (patches+ (search-patches "raptor2-heap-overflow.patch")) (sha256 (base32 "1vc02im4mpc28zxzgli68k6j0dakh0k3s389bm436yvqajxg19xd"))))-- 2.13.1
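Review bot: in the new gnu/packages/patches/raptor2-heap-overflow.patch, the embedded upstream hunk in src/raptor_xml_writer.c drops the old `/* max is 1 per element and 1 for each attribute + size of declared */` comment, and the only explanation left is the trailing `/* attr and value */`, which covers the `* 2` but not the added `if(element->name->nspace) nspace_max_count++;` line. A one-line comment above the block stating the new upper bound (one declaration per attribute name, one per attribute value, one for the element's own namespace, plus the declared namespaces and the xml:lang case) would make the count easy to audit, which matters because this bound is what the heap overflow fix depends on. The Guix patch file header could also record that the change is upstream commit 590681e546cd9aa18d57dc2ea1858cb734a3863f, so whoever bumps raptor2 next knows the patch can be dropped once a release contains it.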
Leo Famulari wrote on 8 Jun 2017 19:09
Addresses: Marius Bakke <mbakke@fastmail.com>, 27289@debbugs.gnu.org
20170608170948.GC27164@jasmine
On Thu, Jun 08, 2017 at 06:52:52PM +0200, Marius Bakke wrote:
> * gnu/packages/patches/raptor2-heap-overflow.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/rdf.scm (raptor2): Use it.
Thanks, looks good for raptor2!
How about libreoffice itself? It bundles this library, but I'm not sure if it's using the bundled copy or not.

Marius Bakke wrote on 9 Jun 2017 01:20
Addresses: Leo Famulari <leo@famulari.name>, 27289@debbugs.gnu.org
87ink6m5hb.fsf@fastmail.com
Leo Famulari <leo@famulari.name> writes:
> On Thu, Jun 08, 2017 at 06:52:52PM +0200, Marius Bakke wrote:
>> * gnu/packages/patches/raptor2-heap-overflow.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/rdf.scm (raptor2): Use it.
>
> Thanks, looks good for raptor2!
>
> How about libreoffice itself? It bundles this library, but I'm not sure
> if it's using the bundled copy or not.
I pushed this patch for raptor2; will look more closely into libreoffice over the weekend.
Ludovic Courtès wrote on 20 Jul 2017 11:26
control message for bug #27289
Addresses: control@debbugs.gnu.org
87y3rjwjb6.fsf@gnu.org
tags 27289 fixed
close 27289
This issue is archived.