From secunia security advisory at $URL:
The vulnerability is caused due to an error when processing XML external entities in certain XML components within an RDF document. This can be exploited to disclose the contents of arbitrary files within an RDF document by specially crafted XML entities.
The vulnerability is reported in versions prior to 2.0.7.
Update to version 2.0.7.
2.0.7 in Portage now but it's more than a security fix. Upstream removed support for libexpat in favour of libxml2. Upstream removed internal unicode support in favour of external ICU libraries. So be careful when testing and test reverse dependencies too!
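The advisory above describes an XML external entity (XXE) issue in RDF/XML processing. As an added illustration that is not from the advisory or from raptor itself, the following Python pre-filter flags the DOCTYPE constructs such a document needs (an external DTD reference, or SYSTEM/PUBLIC entity declarations in the internal subset) so an application can refuse the input before handing it to an entity-expanding parser. The two RDF/XML samples and the `file:///some/local/file` URI are constructed for the example.

```python
import re

# Constructed RDF/XML without any DOCTYPE: nothing for an XXE to hook into.
SAFE_RDF = """<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:dc="http://purl.org/dc/elements/1.1/">
  <rdf:Description rdf:about="http://example.org/doc">
    <dc:title>Example</dc:title>
  </rdf:Description>
</rdf:RDF>
"""

# Constructed RDF/XML whose prolog declares an external general entity and
# references it in element content (the pattern the advisory warns about).
XXE_RDF = """<?xml version="1.0"?>
<!DOCTYPE rdf:RDF [
  <!ENTITY leak SYSTEM "file:///some/local/file">
]>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:dc="http://purl.org/dc/elements/1.1/">
  <rdf:Description rdf:about="http://example.org/doc">
    <dc:title>&leak;</dc:title>
  </rdf:Description>
</rdf:RDF>
"""

# DOCTYPE declaration with an optional internal subset in [...].
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^\[>]*(?:\[(?P<subset>.*?)\])?\s*>", re.S)
# SYSTEM/PUBLIC before the '[' means the DTD itself is fetched externally.
EXTERNAL_ID_RE = re.compile(r"\b(SYSTEM|PUBLIC)\b")
# Entity declarations (general or '%' parameter) with an external identifier.
ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?([^\s>]+)\s+(SYSTEM|PUBLIC)\b", re.I)


def external_entity_findings(xml_text: str) -> list[str]:
    """Return a description of every external DTD/entity reference found."""
    m = DOCTYPE_RE.search(xml_text)
    if not m:
        return []
    findings = []
    before_subset = m.group(0).split("[", 1)[0]
    if EXTERNAL_ID_RE.search(before_subset):
        findings.append("external DTD reference in DOCTYPE")
    for e in ENTITY_RE.finditer(m.group("subset") or ""):
        kind = "parameter entity" if e.group(1) else "entity"
        findings.append(f"external {kind} '{e.group(2)}' ({e.group(3).upper()})")
    return findings


def is_safe_to_parse(xml_text: str, allow_doctype: bool = False) -> bool:
    """Strict policy rejects any DOCTYPE; lenient policy rejects only external refs."""
    if not allow_doctype:
        return DOCTYPE_RE.search(xml_text) is None
    return not external_entity_findings(xml_text)
```

This is a textual pre-check, not a full DTD parser; the durable fix is still the parser-level one (an updated raptor, or an XML library configured not to load external entities).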
Test & stabilize:
=media-libs/raptor-2.0.7 "amd64 arm hppa ppc ppc64 x86"
Stable for HPPA.
hmmm I wonder
archtester raptor # scanelf -n /usr/lib64/libraptor2.so
TYPE NEEDED FILE
ET_DYN libcurl.so.4,libldap-2.4.so.2,librt.so.1,libssl.so.1.0.0,libcrypto.so.1.0.0,libicuuc.so.48,libxslt.so.1,libxml2.so.2,libz.so.1,libm.so.6,libyajl.so.1,libc.so.6 /usr/lib64/libraptor2.so
libcrypto && libz again. I think it was decided zlib was in system.
archtester raptor # qfile libcrypto.so.1.0.0
ok net-misc/curl pulls in openssl
archtester raptor # ebuild raptor-2.0.7.ebuild clean test
>>> Source compiled.
>>> Test phase [none]: media-libs/raptor-2.0.7
amd64 all ok
x86 stable, thanks.
- ppc/ppc64 stable, all arches done
- removed USE=rss from net-irc/eiwic in order to remove SLOT=0 of media-libs/raptor, not sure if this was vulnerable or not
security, please vote.
GLSA Vote: no.
GLSA vote: no.