GNU bug report logs - #27289
[PATCH] gnu: raptor2: Fix heap overflow bug.

Package: guix-patches;

Reported by: Marius Bakke <mbakke <at> fastmail.com>

Date: Thu, 8 Jun 2017 16:54:01 UTC

Severity: normal

Tags: fixed, patch

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.

Report forwarded to guix-patches <at> gnu.org:
bug#27289; Package guix-patches. (Thu, 08 Jun 2017 16:54:01 GMT)

Acknowledgement sent to Marius Bakke <mbakke <at> fastmail.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Thu, 08 Jun 2017 16:54:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Marius Bakke <mbakke <at> fastmail.com>
To: guix-patches <at> gnu.org
Cc: Marius Bakke <mbakke <at> fastmail.com>
Subject: [PATCH] gnu: raptor2: Fix heap overflow bug.
Date: Thu,  8 Jun 2017 18:52:52 +0200
* gnu/packages/patches/raptor2-heap-overflow.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/rdf.scm (raptor2): Use it.
---
 gnu/local.mk                                     |  1 +
 gnu/packages/patches/raptor2-heap-overflow.patch | 51 ++++++++++++++++++++++++
 gnu/packages/rdf.scm                             |  2 +
 3 files changed, 54 insertions(+)
 create mode 100644 gnu/packages/patches/raptor2-heap-overflow.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index ab3fbb2d3..660b90cf7 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -967,6 +967,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/qtscript-disable-tests.patch		\
   %D%/packages/patches/quickswitch-fix-dmenu-check.patch	\
   %D%/packages/patches/rapicorn-isnan.patch			\
+  %D%/packages/patches/raptor2-heap-overflow.patch		\
   %D%/packages/patches/ratpoison-shell.patch			\
   %D%/packages/patches/rcs-5.9.4-noreturn.patch			\
   %D%/packages/patches/readline-link-ncurses.patch		\
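Review bot: the new `raptor2-heap-overflow.patch` entry lands in the correct alphabetical slot between `rapicorn-isnan.patch` and `ratpoison-shell.patch` and keeps the trailing backslash, so no change is needed here; just confirm the tab alignment matches its neighbours when applying, since mixed tabs and spaces in this list show up as noise in later diffs.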
diff --git a/gnu/packages/patches/raptor2-heap-overflow.patch b/gnu/packages/patches/raptor2-heap-overflow.patch
new file mode 100644
index 000000000..ce2a4516f
--- /dev/null
+++ b/gnu/packages/patches/raptor2-heap-overflow.patch
@@ -0,0 +1,51 @@
+This patch addresses two heap overflow bugs in raptor2:
+
+http://seclists.org/oss-sec/2017/q2/424
+
+Patch copied from libreoffice:
+
+https://github.com/LibreOffice/core/blob/master/external/redland/raptor/0001-Calcualte-max-nspace-declarations-correctly-for-XML-.patch.1
+
+From 590681e546cd9aa18d57dc2ea1858cb734a3863f Mon Sep 17 00:00:00 2001
+From: Dave Beckett <dave <at> dajobe.org>
+Date: Sun, 16 Apr 2017 23:15:12 +0100
+Subject: [PATCH] Calcualte max nspace declarations correctly for XML writer
+
+(raptor_xml_writer_start_element_common): Calculate max including for
+each attribute a potential name and value.
+
+Fixes Issues #0000617 http://bugs.librdf.org/mantis/view.php?id=617
+and #0000618 http://bugs.librdf.org/mantis/view.php?id=618
+---
+ src/raptor_xml_writer.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
+index 693b946..0d3a36a 100644
+--- a/src/raptor_xml_writer.c
++++ b/src/raptor_xml_writer.c
+@@ -181,9 +181,10 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
+   size_t nspace_declarations_count = 0;  
+   unsigned int i;
+ 
+-  /* max is 1 per element and 1 for each attribute + size of declared */
+   if(nstack) {
+-    int nspace_max_count = element->attribute_count+1;
++    int nspace_max_count = element->attribute_count * 2; /* attr and value */
++    if(element->name->nspace)
++      nspace_max_count++;
+     if(element->declared_nspaces)
+       nspace_max_count += raptor_sequence_size(element->declared_nspaces);
+     if(element->xml_language)
+@@ -237,7 +238,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
+         }
+       }
+ 
+-      /* Add the attribute + value */
++      /* Add the attribute's value */
+       nspace_declarations[nspace_declarations_count].declaration=
+         raptor_qname_format_as_xml(element->attributes[i],
+                                    &nspace_declarations[nspace_declarations_count].length);
+-- 
+2.9.3
+
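Review bot: in the inner hunk at raptor_xml_writer.c line 181, the new sizing `int nspace_max_count = element->attribute_count * 2;` plus one for `element->name->nspace` can evaluate to 0 for an element with no attributes and an unprefixed name, whereas the old `element->attribute_count+1` was never below 1; the allocation that consumes this count lies outside the hunk, so confirm it tolerates a zero-sized request before treating this as a drop-in backport. Two smaller points: the header link targets LibreOffice's `master` branch, which can move, so pin it to a commit or lean on the upstream hash `590681e546cd9aa18d57dc2ea1858cb734a3863f` already recorded in the `From` line; and the original comment `/* max is 1 per element and 1 for each attribute + size of declared */` is deleted without a replacement, leaving only `/* attr and value */` to explain the new arithmetic. The header also says "two heap overflow bugs" while the commit subject says "Fix heap overflow bug"; aligning the two avoids confusion when the fix is cited later.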
diff --git a/gnu/packages/rdf.scm b/gnu/packages/rdf.scm
index 7b7fe6085..6b5cfb013 100644
--- a/gnu/packages/rdf.scm
+++ b/gnu/packages/rdf.scm
@@ -53,6 +53,8 @@
              (method url-fetch)
              (uri (string-append "http://download.librdf.org/source/" name
                                  "-" version ".tar.gz"))
+             (patches
+              (search-patches "raptor2-heap-overflow.patch"))
              (sha256
               (base32
                "1vc02im4mpc28zxzgli68k6j0dakh0k3s389bm436yvqajxg19xd"))))
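Review bot: the `(patches (search-patches "raptor2-heap-overflow.patch"))` field is well-formed inside `origin`, but the only explanation of what it fixes lives in the patch file's header; a one-line comment beside it naming the oss-sec report (http://seclists.org/oss-sec/2017/q2/424) would let a reader of rdf.scm see why the patch exists without opening the patch.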
-- 
2.13.1

Information forwarded to guix-patches <at> gnu.org:
bug#27289; Package guix-patches. (Thu, 08 Jun 2017 17:10:01 GMT)

Message #8 received at 27289 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 27289 <at> debbugs.gnu.org
Subject: Re: bug#27289: [PATCH] gnu: raptor2: Fix heap overflow bug.
Date: Thu, 8 Jun 2017 13:09:48 -0400
On Thu, Jun 08, 2017 at 06:52:52PM +0200, Marius Bakke wrote:
> * gnu/packages/patches/raptor2-heap-overflow.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/rdf.scm (raptor2): Use it.

Thanks, looks good for raptor2!

How about libreoffice itself? It bundles this library, but I'm not sure
if it's using the bundled copy or not.

Information forwarded to guix-patches <at> gnu.org:
bug#27289; Package guix-patches. (Thu, 08 Jun 2017 23:21:02 GMT)

Message #11 received at 27289 <at> debbugs.gnu.org:

From: Marius Bakke <mbakke <at> fastmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 27289 <at> debbugs.gnu.org
Subject: Re: bug#27289: [PATCH] gnu: raptor2: Fix heap overflow bug.
Date: Fri, 09 Jun 2017 01:20:32 +0200
Leo Famulari <leo <at> famulari.name> writes:

> On Thu, Jun 08, 2017 at 06:52:52PM +0200, Marius Bakke wrote:
>> * gnu/packages/patches/raptor2-heap-overflow.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/rdf.scm (raptor2): Use it.
>
> Thanks, looks good for raptor2!
>
> How about libreoffice itself? It bundles this library, but I'm not sure
> if it's using the bundled copy or not.

I pushed this patch for raptor2; will look more closely into libreoffice
over the weekend.

Added tag(s) fixed. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Thu, 20 Jul 2017 09:27:02 GMT)

bug closed, send any further explanations to 27289 <at> debbugs.gnu.org and Marius Bakke <mbakke <at> fastmail.com>. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Thu, 20 Jul 2017 09:27:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 17 Aug 2017 11:24:05 GMT)

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.