From ${URL} :

raptor is a library to parse RDF data. Notably it is used by LibreOffice. I reported two heap overflows in April. The bug reports are private:
http://bugs.librdf.org/mantis/view.php?id=617
http://bugs.librdf.org/mantis/view.php?id=618

Both are fixed by the same commit:
https://github.com/LibreOffice/core/blob/master/external/redland/raptor/0001-Calcualte-max-nspace-declarations-correctly-for-XML-.patch.1

I also informed the LibreOffice security team. No new release has been made yet.

I'm pasting the content of my bug reports below, poc files attached.

----------------------

Summary
0000617: heap buffer overflow in raptor_qname_format_as_xml

Description
The attached file will cause a heap buffer overflow in raptor. Can be tested with the rapper command line tool.

This is a security bug, so I'm marking this private.

Here's a stack trace of the crash (from AddressSanitizer):

==24627==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000002090 at pc 0x000000529a9c bp 0x7fffc7e52060 sp 0x7fffc7e52058
WRITE of size 8 at 0x604000002090 thread T0
    #0 0x529a9b in raptor_qname_format_as_xml /f/raptor/raptor2-2.0.15/src/raptor_qname.c:666:15
    #1 0x5cb770 in raptor_xml_writer_start_element_common /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:242:9
    #2 0x5cd317 in raptor_xml_writer_start_element /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:571:3
    #3 0x55c534 in raptor_rdfxml_start_element_grammar /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:2044:9
    #4 0x55c534 in raptor_rdfxml_start_element_handler /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:830
    #5 0x54d8e6 in raptor_sax2_start_element /f/raptor/raptor2-2.0.15/src/raptor_sax2.c:826:5
    #6 0x7efcbd5decad in xmlParseStartTag (/usr/lib64/libxml2.so.2+0x41cad)
    #7 0x7efcbd5ec323 (/usr/lib64/libxml2.so.2+0x4f323)
    #8 0x7efcbd5ed3ba in xmlParseChunk (/usr/lib64/libxml2.so.2+0x503ba)
    #9 0x54c2e7 in raptor_sax2_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_sax2.c:534:10
    #10 0x558ec9 in raptor_rdfxml_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:1169:8
    #11 0x512da5 in raptor_parser_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_parse.c:482:10
    #12 0x512da5 in raptor_parser_parse_file_stream /f/raptor/raptor2-2.0.15/src/raptor_parse.c:554
    #13 0x51324f in raptor_parser_parse_file /f/raptor/raptor2-2.0.15/src/raptor_parse.c:616:8
    #14 0x50dd82 in main /f/raptor/raptor2-2.0.15/utils/rapper.c:917:8
    #15 0x7efcbc4d52b0 in __libc_start_main (/lib64/libc.so.6+0x202b0)
    #16 0x41b919 in _start (/r/raptor/rapper+0x41b919)

------------------

Summary
0000618: heap buffer overflow in raptor_xml_writer_start_element_common

Description
The attached file will cause a heap buffer overflow and crash raptor. This was found via fuzzing with the tool american fuzzy lop.

This is a security bug, so I'm marking it private.

Here's a stack trace (from AddressSanitizer):

==3322==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000001f88 at pc 0x0000005ccdbc bp 0x7ffe62bb8540 sp 0x7ffe62bb8538
WRITE of size 8 at 0x604000001f88 thread T0
    #0 0x5ccdbb in raptor_xml_writer_start_element_common /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:241:65
    #1 0x5cd317 in raptor_xml_writer_start_element /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:571:3
    #2 0x55c534 in raptor_rdfxml_start_element_grammar /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:2044:9
    #3 0x55c534 in raptor_rdfxml_start_element_handler /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:830
    #4 0x54d8e6 in raptor_sax2_start_element /f/raptor/raptor2-2.0.15/src/raptor_sax2.c:826:5
    #5 0x7f5125ce9cad in xmlParseStartTag (/usr/lib64/libxml2.so.2+0x41cad)
    #6 0x7f5125cf7323 (/usr/lib64/libxml2.so.2+0x4f323)
    #7 0x7f5125cf83ba in xmlParseChunk (/usr/lib64/libxml2.so.2+0x503ba)
    #8 0x54c2e7 in raptor_sax2_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_sax2.c:534:10
    #9 0x558ec9 in raptor_rdfxml_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:1169:8
    #10 0x512da5 in raptor_parser_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_parse.c:482:10
    #11 0x512da5 in raptor_parser_parse_file_stream /f/raptor/raptor2-2.0.15/src/raptor_parse.c:554
    #12 0x51324f in raptor_parser_parse_file /f/raptor/raptor2-2.0.15/src/raptor_parse.c:616:8
    #13 0x50dd82 in main /f/raptor/raptor2-2.0.15/utils/rapper.c:917:8
    #14 0x7f5124be02b0 in __libc_start_main (/lib64/libc.so.6+0x202b0)
    #15 0x41b919 in _start (/r/raptor/rapper+0x41b919)

0x604000001f88 is located 8 bytes to the left of 38-byte region [0x604000001f90,0x604000001fb6)
allocated by thread T0 here:
    #0 0x4d1d28 in malloc (/r/raptor/rapper+0x4d1d28)
    #1 0x525745 in raptor_namespace_format_as_xml /f/raptor/raptor2-2.0.15/src/raptor_namespace.c:791:12
    #2 0x5cb4ed in raptor_xml_writer_start_element_common /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:201:9

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
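Both traces in the reports above show an 8-byte out-of-bounds write in the XML writer's start-element path, and the referenced upstream patch is titled "Calculate max nspace declarations correctly for XML". The following is an added, constructed C model of that bug class and of the fix pattern; it is not raptor's code, and the struct names, function names and sample namespaces are all invented. It assumes the writer collects pointers to the namespaces an element must declare into a heap array whose size is computed up front, and shows why the bound must include the element's own namespace and why every store should be checked against the capacity.

```c
#include <stdlib.h>

/* Constructed model of the bug class in the reports above (not raptor's code):
 * an XML writer gathers the namespace declarations an element needs, its own
 * name plus one per namespaced attribute, into a heap array of pointers. Sizing
 * that array from an undercounted maximum puts the last pointer store past the
 * allocation: an 8-byte heap write like the one AddressSanitizer reported. */
typedef struct { const char *prefix; const char *uri; } nspace_t;
typedef struct { const nspace_t *ns; const char *local; } qname_t;
typedef struct { qname_t name; const qname_t *attrs; size_t attr_count; } element_t;

/* Safe upper bound: the element's own namespace plus one per attribute.
 * Attributes without a namespace, or sharing one, need fewer, never more. */
size_t max_nspace_declarations(const element_t *el) {
    return 1 + el->attr_count;
}
static int already_declared(const nspace_t **decls, size_t n, const nspace_t *ns) {
    for (size_t i = 0; i < n; i++)
        if (decls[i] == ns) return 1;
    return 0;
}
/* Collect the distinct namespaces of the element name and attributes into
 * decls[0..cap). Returns the count, or -1 rather than writing past cap. */
int collect_nspace_declarations(const element_t *el, const nspace_t **decls, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i <= el->attr_count; i++) {
        const nspace_t *ns = (i == 0) ? el->name.ns : el->attrs[i - 1].ns;
        if (!ns || already_declared(decls, n, ns)) continue;
        if (n >= cap) return -1;   /* bounds check: refuse, do not overflow */
        decls[n++] = ns;
    }
    return (int)n;
}

/* Sample element (constructed): name and two attributes in three distinct
 * namespaces, so three declarations are needed. */
static const nspace_t NS_RDF = { "rdf", "http://www.w3.org/1999/02/22-rdf-syntax-ns#" };
static const nspace_t NS_DC  = { "dc",  "http://purl.org/dc/elements/1.1/" };
static const nspace_t NS_EX  = { "ex",  "http://example.org/ns#" };
static const qname_t SAMPLE_ATTRS[2] = { { &NS_DC, "title" }, { &NS_EX, "id" } };
static const element_t SAMPLE = { { &NS_RDF, "Description" }, SAMPLE_ATTRS, 2 };

/* Run the collector on SAMPLE with a given array capacity; cap == attr_count
 * models the undercount that forgets the element's own namespace. */
int declarations_with_capacity(size_t cap) {
    const nspace_t **decls = calloc(cap ? cap : 1, sizeof *decls);
    if (!decls) return -1;
    int n = collect_nspace_declarations(&SAMPLE, decls, cap);
    free(decls);
    return n;
}
```

With the undercounted capacity (attr_count, here 2) the collector reports -1 at the third declaration instead of performing the out-of-bounds pointer store; with max_nspace_declarations() as the capacity all three fit.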
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2b4cd933be0aa6b6e224415e17a22c9ea4b49a81

commit 2b4cd933be0aa6b6e224415e17a22c9ea4b49a81
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-10-03 14:39:57 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-10-03 14:50:34 +0000

    media-libs/raptor: Fix heap overflows, gtk-doc location, EAPI-7

    Bug: https://bugs.gentoo.org/621186
    Closes: https://bugs.gentoo.org/604290
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>
    Package-Manager: Portage-2.3.50, Repoman-2.3.11

 .../raptor/files/raptor-2.0.15-heap-overflow.patch | 42 +++++++++++++
 media-libs/raptor/raptor-2.0.15-r1.ebuild          | 71 ++++++++++++++++++++++
 2 files changed, 113 insertions(+)
ia64 stable
x86 stable
amd64 stable
ppc/ppc64 stable
Stable on alpha.
arm stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=11b393f0419a86a9eaf0d32c89f0e47608180b17

commit 11b393f0419a86a9eaf0d32c89f0e47608180b17
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-11-04 22:50:29 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-11-04 22:50:44 +0000

    media-libs/raptor: Security cleanup

    Bug: https://bugs.gentoo.org/621186
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/raptor/Manifest             |  1 -
 media-libs/raptor/raptor-2.0.14.ebuild | 65 ----------------------------------
 2 files changed, 66 deletions(-)
sparc stable
No real data or PoC I can find. Downgrading. Tree is clean.