
Bug 621186 (CVE-2017-18926)

Summary: <media-libs/raptor-2.0.15-r1: two heap overflows
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: sound
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2017/06/07/1
Whiteboard: A4 [noglsa]
Package list: media-libs/raptor-2.0.15-r1
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2017-06-08 07:40:15 UTC
From ${URL}:

raptor is a library to parse RDF data. Notably it is used by
LibreOffice.

I reported two heap overflows in April. The bug reports are private:
http://bugs.librdf.org/mantis/view.php?id=617
http://bugs.librdf.org/mantis/view.php?id=618

Both are fixed by the same commit:
https://github.com/LibreOffice/core/blob/master/external/redland/raptor/0001-Calcualte-max-nspace-declarations-correctly-for-XML-.patch.1

I also informed the LibreOffice security team.

No new release has been made yet. I'm pasting the content of my bug
reports below, PoC files attached.


----------------------
Summary: 0000617: heap buffer overflow in raptor_qname_format_as_xml
Description: The attached file will cause a heap buffer overflow in raptor. Can be tested with the rapper command line tool.

This is a security bug, so I'm marking this private.

Here's a stack trace of the crash (from AddressSanitizer):
==24627==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000002090 at pc 0x000000529a9c bp 0x7fffc7e52060 sp 0x7fffc7e52058
WRITE of size 8 at 0x604000002090 thread T0
    #0 0x529a9b in raptor_qname_format_as_xml /f/raptor/raptor2-2.0.15/src/raptor_qname.c:666:15
    #1 0x5cb770 in raptor_xml_writer_start_element_common /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:242:9
    #2 0x5cd317 in raptor_xml_writer_start_element /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:571:3
    #3 0x55c534 in raptor_rdfxml_start_element_grammar /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:2044:9
    #4 0x55c534 in raptor_rdfxml_start_element_handler /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:830
    #5 0x54d8e6 in raptor_sax2_start_element /f/raptor/raptor2-2.0.15/src/raptor_sax2.c:826:5
    #6 0x7efcbd5decad in xmlParseStartTag (/usr/lib64/libxml2.so.2+0x41cad)
    #7 0x7efcbd5ec323 (/usr/lib64/libxml2.so.2+0x4f323)
    #8 0x7efcbd5ed3ba in xmlParseChunk (/usr/lib64/libxml2.so.2+0x503ba)
    #9 0x54c2e7 in raptor_sax2_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_sax2.c:534:10
    #10 0x558ec9 in raptor_rdfxml_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:1169:8
    #11 0x512da5 in raptor_parser_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_parse.c:482:10
    #12 0x512da5 in raptor_parser_parse_file_stream /f/raptor/raptor2-2.0.15/src/raptor_parse.c:554
    #13 0x51324f in raptor_parser_parse_file /f/raptor/raptor2-2.0.15/src/raptor_parse.c:616:8
    #14 0x50dd82 in main /f/raptor/raptor2-2.0.15/utils/rapper.c:917:8
    #15 0x7efcbc4d52b0 in __libc_start_main (/lib64/libc.so.6+0x202b0)
    #16 0x41b919 in _start (/r/raptor/rapper+0x41b919)


------------------

Summary: 0000618: heap buffer overflow in raptor_xml_writer_start_element_common
Description: The attached file will cause a heap buffer overflow and crash raptor. This was found via fuzzing with the tool american fuzzy lop.

This is a security bug, so I'm marking it private.

Here's a stack trace (from AddressSanitizer):
==3322==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000001f88 at pc 0x0000005ccdbc bp 0x7ffe62bb8540 sp 0x7ffe62bb8538
WRITE of size 8 at 0x604000001f88 thread T0
    #0 0x5ccdbb in raptor_xml_writer_start_element_common /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:241:65
    #1 0x5cd317 in raptor_xml_writer_start_element /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:571:3
    #2 0x55c534 in raptor_rdfxml_start_element_grammar /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:2044:9
    #3 0x55c534 in raptor_rdfxml_start_element_handler /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:830
    #4 0x54d8e6 in raptor_sax2_start_element /f/raptor/raptor2-2.0.15/src/raptor_sax2.c:826:5
    #5 0x7f5125ce9cad in xmlParseStartTag (/usr/lib64/libxml2.so.2+0x41cad)
    #6 0x7f5125cf7323 (/usr/lib64/libxml2.so.2+0x4f323)
    #7 0x7f5125cf83ba in xmlParseChunk (/usr/lib64/libxml2.so.2+0x503ba)
    #8 0x54c2e7 in raptor_sax2_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_sax2.c:534:10
    #9 0x558ec9 in raptor_rdfxml_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:1169:8
    #10 0x512da5 in raptor_parser_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_parse.c:482:10
    #11 0x512da5 in raptor_parser_parse_file_stream /f/raptor/raptor2-2.0.15/src/raptor_parse.c:554
    #12 0x51324f in raptor_parser_parse_file /f/raptor/raptor2-2.0.15/src/raptor_parse.c:616:8
    #13 0x50dd82 in main /f/raptor/raptor2-2.0.15/utils/rapper.c:917:8
    #14 0x7f5124be02b0 in __libc_start_main (/lib64/libc.so.6+0x202b0)
    #15 0x41b919 in _start (/r/raptor/rapper+0x41b919)

0x604000001f88 is located 8 bytes to the left of 38-byte region [0x604000001f90,0x604000001fb6)
allocated by thread T0 here:
    #0 0x4d1d28 in malloc (/r/raptor/rapper+0x4d1d28)
    #1 0x525745 in raptor_namespace_format_as_xml /f/raptor/raptor2-2.0.15/src/raptor_namespace.c:791:12
    #2 0x5cb4ed in raptor_xml_writer_start_element_common /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:201:9

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
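The fix linked in the report is titled "Calculate max nspace declarations correctly for XML", and both AddressSanitizer traces show a pointer-sized (8-byte) write landing outside a heap allocation while the XML writer gathers namespace declarations for a start tag. The C program below is an added illustration of that bug class and of the defensive pattern that contains it; it is not raptor's or LibreOffice's code. The element model, the function names (`max_decls_naive`, `max_decls`, `collect_decls`, `decl_list_push`) and the sample element are hypothetical constructions. The point it demonstrates: when a pointer array is sized from a computed upper bound, every append into it must be bounds-checked, so that an undercounted bound surfaces as an error return instead of a heap write past the allocation.

```c
/* Added example (not raptor's own code): a pointer array sized from a
 * computed maximum, with a bounds-checked push so that an undercounted
 * maximum fails loudly instead of writing past the heap allocation.
 * The XML element model below is a hypothetical simplification. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A namespace is identified by its prefix (NULL for the default namespace). */
struct ns { const char *prefix; const char *uri; };

/* Hypothetical element: its own namespace, the namespaces of its
 * attributes, and explicit xmlns declarations carried on the element. */
struct element {
    const struct ns *elem_ns;                  /* may be NULL */
    const struct ns *attr_ns[8]; int n_attr;
    const struct ns *declared[8]; int n_declared;
};

/* Fixed-capacity list of declarations to emit for one start tag. */
struct decl_list { const struct ns **items; size_t len, cap; };

static int decl_list_init(struct decl_list *l, size_t cap) {
    l->items = calloc(cap ? cap : 1, sizeof *l->items);
    if (!l->items) return -1;
    l->len = 0; l->cap = cap;
    return 0;
}

void decl_list_free(struct decl_list *l) {
    free(l->items); l->items = NULL; l->len = l->cap = 0;
}

/* Bounds-checked append: 0 on success, -1 when the list is full.
 * This is the check whose absence turns a miscount into a heap overflow. */
int decl_list_push(struct decl_list *l, const struct ns *ns) {
    if (l->len >= l->cap) return -1;
    l->items[l->len++] = ns;
    return 0;
}

static int same_prefix(const char *a, const char *b) {
    if (!a || !b) return a == b;
    return strcmp(a, b) == 0;
}

/* Append ns unless a declaration with the same prefix is already queued. */
static int decl_list_add_unique(struct decl_list *l, const struct ns *ns) {
    for (size_t i = 0; i < l->len; i++)
        if (same_prefix(l->items[i]->prefix, ns->prefix)) return 0;
    return decl_list_push(l, ns);
}

/* Undercounting bound: only explicit xmlns declarations are counted.
 * Kept as the "before" to show what the bounds check catches. */
size_t max_decls_naive(const struct element *e) { return (size_t)e->n_declared; }

/* Correct upper bound: every source that may contribute a declaration. */
size_t max_decls(const struct element *e) {
    return (size_t)e->n_declared + (size_t)e->n_attr + (e->elem_ns ? 1u : 0u);
}

/* Gather the declarations for a start tag into a list of capacity `cap`.
 * Returns the number gathered, or -1 if `cap` was too small. */
int collect_decls(const struct element *e, size_t cap, struct decl_list *out) {
    int i;
    if (decl_list_init(out, cap) < 0) return -1;
    for (i = 0; i < e->n_declared; i++)
        if (decl_list_add_unique(out, e->declared[i]) < 0) goto too_small;
    if (e->elem_ns && decl_list_add_unique(out, e->elem_ns) < 0) goto too_small;
    for (i = 0; i < e->n_attr; i++)
        if (decl_list_add_unique(out, e->attr_ns[i]) < 0) goto too_small;
    return (int)out->len;
too_small:
    decl_list_free(out);
    return -1;
}

/* Constructed sample namespaces (example.org is a placeholder). */
static const struct ns NS_RDF = { "rdf", "http://www.w3.org/1999/02/22-rdf-syntax-ns#" };
static const struct ns NS_DC  = { "dc",  "http://purl.org/dc/elements/1.1/" };
static const struct ns NS_EX  = { "ex",  "http://example.org/ns#" };

/* Constructed sample: <rdf:Description xmlns:ex="..." dc:title="..." ex:x="...">
 * One explicit declaration, but three distinct prefixes must be emitted. */
struct element sample_element(void) {
    struct element e = {0};
    e.elem_ns = &NS_RDF;
    e.attr_ns[0] = &NS_DC; e.attr_ns[1] = &NS_EX; e.n_attr = 2;
    e.declared[0] = &NS_EX; e.n_declared = 1;
    return e;
}

/* Bound chosen for the sample: naive (1) or correct (4). */
size_t demo_bound(int use_correct_bound) {
    struct element e = sample_element();
    return use_correct_bound ? max_decls(&e) : max_decls_naive(&e);
}

/* Run the gather with the chosen bound: -1 (refused) or count gathered (3). */
int demo_result(int use_correct_bound) {
    struct element e = sample_element();
    struct decl_list l;
    int n = collect_decls(&e, demo_bound(use_correct_bound), &l);
    if (n >= 0) decl_list_free(&l);
    return n;
}

int main(void) {
    printf("naive bound %zu -> %d (append refused, no overflow)\n", demo_bound(0), demo_result(0));
    printf("correct bound %zu -> %d declarations gathered\n", demo_bound(1), demo_result(1));
    return 0;
}
```

Compiling with `-fsanitize=address` confirms that neither run touches memory outside the allocated array: the naive-bound run stops at the first refused append and returns -1, which is the behaviour a writer should fall back to rather than trusting a precomputed count.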
Comment 1 Larry the Git Cow gentoo-dev 2018-10-03 14:51:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2b4cd933be0aa6b6e224415e17a22c9ea4b49a81

commit 2b4cd933be0aa6b6e224415e17a22c9ea4b49a81
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-10-03 14:39:57 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-10-03 14:50:34 +0000

    media-libs/raptor: Fix heap overflows, gtk-doc location, EAPI-7
    
    Bug: https://bugs.gentoo.org/621186
    Closes: https://bugs.gentoo.org/604290
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>
    Package-Manager: Portage-2.3.50, Repoman-2.3.11

 .../raptor/files/raptor-2.0.15-heap-overflow.patch | 42 +++++++++++++
 media-libs/raptor/raptor-2.0.15-r1.ebuild          | 71 ++++++++++++++++++++++
 2 files changed, 113 insertions(+)
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-04 23:12:56 UTC
ia64 stable
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-10-05 04:53:19 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2018-10-05 13:43:52 UTC
amd64 stable
Comment 5 Matt Turner gentoo-dev 2018-10-06 16:15:54 UTC
ppc/ppc64 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2018-10-13 06:58:46 UTC
Stable on alpha.
Comment 7 Markus Meier gentoo-dev 2018-10-29 05:37:49 UTC
arm stable
Comment 8 Larry the Git Cow gentoo-dev 2018-11-04 22:50:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=11b393f0419a86a9eaf0d32c89f0e47608180b17

commit 11b393f0419a86a9eaf0d32c89f0e47608180b17
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-11-04 22:50:29 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-11-04 22:50:44 +0000

    media-libs/raptor: Security cleanup
    
    Bug: https://bugs.gentoo.org/621186
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/raptor/Manifest             |  1 -
 media-libs/raptor/raptor-2.0.14.ebuild | 65 ----------------------------------
 2 files changed, 66 deletions(-)
Comment 9 Rolf Eike Beer archtester 2018-11-08 23:05:45 UTC
sparc stable
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2018-11-25 04:11:17 UTC
No real data or PoC I can find. Downgrading. Tree is clean.