Reported in https://www.openwall.com/lists/oss-security/2020/11/13/1. Note that the first bug is bug 621186. "From the bug report: A malformed input file can lead to a segfault due to an out of bounds array access in raptor_xml_writer_start_element_common. Bug happens in line 230 of raptor_xml_writer.c (current git): https://github.com/dajobe/raptor/blob/master/src/raptor_xml_writer.c#L230 From looking at that code it seems to me it always expects nspace_declarations_count to be lower than element->attribute_count, however this input seems to create a different situation. I made an attempt at a patch that throws an error in this situation (but please review it, I am not familiar with what this code does and should do - though the patch doesn't seem to introduce test failures). (proposed patch, example file and stacktrace can be found attached to the bugreport)"
We may want to keep an eye on LibreOffice who bundle this upstream?
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=302b7d40ecbd4d456c0f39046a9c078c96e672d8 commit 302b7d40ecbd4d456c0f39046a9c078c96e672d8 Author: Miroslav Šulc <fordfrog@gentoo.org> AuthorDate: 2021-04-29 07:55:33 +0000 Commit: Miroslav Šulc <fordfrog@gentoo.org> CommitDate: 2021-04-29 07:55:49 +0000 media-libs/raptor: fixed CVE-2020-25713 Bug: https://bugs.gentoo.org/754264 Package-Manager: Portage-3.0.18, Repoman-3.0.3 Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org> ...713-raptor2-malformed-input-file-can-lead.patch | 32 ++++++++++++++++++++++ ...or-2.0.15-r2.ebuild => raptor-2.0.15-r3.ebuild} | 1 + 2 files changed, 33 insertions(+)
all tests passed. before fix: rapper file.rdf rapper: Parsing URI file:///home/fordfrog/src/gentoo/raptor/file.rdf with parser rdfxml rapper: Serializing with serializer ntriples rapper: Warning - URI file:///home/fordfrog/src/gentoo/raptor/file.rdf:2 - Using node element 'r' without a namespace is forbidden. _:genid1 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <#l> . rapper: Warning - URI file:///home/fordfrog/src/gentoo/raptor/file.rdf:2 - Unknown rdf:parseType value '' taken as 'Literal' Neoprávněný přístup do paměti (SIGSEGV) after fix: $ rapper file.rdf rapper: Parsing URI file:///home/fordfrog/src/gentoo/raptor/file.rdf with parser rdfxml rapper: Serializing with serializer ntriples rapper: Warning - URI file:///home/fordfrog/src/gentoo/raptor/file.rdf:2 - Using node element 'r' without a namespace is forbidden. _:genid1 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <#l> . rapper: Warning - URI file:///home/fordfrog/src/gentoo/raptor/file.rdf:2 - Unknown rdf:parseType value '' taken as 'Literal' rapper: Error - - XML parser error: Extra content at the end of the document rapper: Failed to parse file file.rdf rdfxml content rapper: Parsing returned 1 triple revbumped and removed old so you can proceed.
Thank you! Sorry for the delay.
GLSA request filed.
Package list is empty or all packages have requested keywords.
