Bug 754264 (CVE-2020-25713) - <media-libs/raptor-2.0.15-r3: heap overflow (CVE-2020-25713)
Summary: <media-libs/raptor-2.0.15-r3: heap overflow (CVE-2020-25713)
Status: IN_PROGRESS
Alias: CVE-2020-25713
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugs.librdf.org/mantis/view.p...
Whiteboard: B3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-13 14:40 UTC by Sam James
Modified: 2021-07-29 18:05 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-13 14:40:39 UTC
Reported in https://www.openwall.com/lists/oss-security/2020/11/13/1.

Note that the first bug is bug 621186.

"From the bug report:

A malformed input file can lead to a segfault due to an out of bounds
array access in raptor_xml_writer_start_element_common.

Bug happens in line 230 of raptor_xml_writer.c (current git):
https://github.com/dajobe/raptor/blob/master/src/raptor_xml_writer.c#L230

From looking at that code it seems to me it always expects
nspace_declarations_count to be lower than element->attribute_count,
however this input seems to create a different situation. I made an
attempt at a patch that throws an error in this situation (but please
review it, I am not familiar with what this code does and should do -
though the patch doesn't seem to introduce test failures).

(proposed patch, example file and stacktrace can be found attached to
the bugreport)"
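The report above describes a counter (nspace_declarations_count) that the writer assumes stays below element->attribute_count while it indexes a table sized from that count, and a proposed fix that raises an error instead of indexing past the end. The C program below is an added example, not raptor's code and not the attached upstream patch: it models that pattern with toy structures (toy_attr, toy_element, nsd_entry are invented names), an unchecked collector whose index can reach the table size, and a checked collector that refuses the write. The specific way the counter overruns here (the element's own namespace being counted alongside the attribute namespaces) is an assumption for illustration; the real trigger is in the malformed input attached to the upstream bug, which this page does not reproduce. The demo over-allocates one guard slot so the overrun is observable without corrupting memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Toy model, NOT raptor's real structures: an element with an optional
 * namespace prefix and a list of attributes that may each carry one. */
typedef struct {
    const char *prefix;   /* namespace prefix used by this attribute, or NULL */
    const char *name;
} toy_attr;

typedef struct {
    const char *prefix;   /* the element's own namespace prefix, or NULL */
    const toy_attr *attributes;
    size_t attribute_count;
} toy_element;

typedef struct {
    const char *prefix;   /* one namespace declaration to emit */
} nsd_entry;

/* Pre-fix shape of the loop the report describes: the caller sized `table`
 * from attribute_count and nothing in the loop re-checks that bound. In this
 * model the element's own prefix is counted too (an assumed mechanism), so
 * the index can reach attribute_count and the write lands past the end.
 * Returns the number of entries written. */
static size_t collect_unchecked(const toy_element *el, nsd_entry *table)
{
    size_t n = 0;
    if (el->prefix)
        table[n++].prefix = el->prefix;
    for (size_t i = 0; i < el->attribute_count; i++)
        if (el->attributes[i].prefix)
            table[n++].prefix = el->attributes[i].prefix;
    return n;
}

/* Checked variant, the remedy the reporter proposes: compare the counter
 * against the table's real capacity before every write and fail instead
 * of indexing out of bounds. Returns the entry count, or -1 on overflow. */
static int collect_checked(const toy_element *el, nsd_entry *table, size_t capacity)
{
    size_t n = 0;
    if (el->prefix) {
        if (n >= capacity)
            return -1;
        table[n++].prefix = el->prefix;
    }
    for (size_t i = 0; i < el->attribute_count; i++) {
        if (!el->attributes[i].prefix)
            continue;
        if (n >= capacity)
            return -1;
        table[n++].prefix = el->attributes[i].prefix;
    }
    return (int)n;
}

/* Constructed input: two namespaced attributes on a namespaced element,
 * so three declarations are needed but attribute_count is two. */
static const toy_attr demo_attrs[] = { { "rdf", "about" }, { "ex", "value" } };
static const toy_element demo_element = { "rdf", demo_attrs, 2 };

/* Runs the unchecked collector against a table sized from attribute_count,
 * over-allocated by one guard slot so the overrun is observable rather than
 * memory corruption. Returns 1 if the guard slot was written, else 0. */
static int demo_unchecked_overruns(void)
{
    size_t capacity = demo_element.attribute_count;
    nsd_entry *table = calloc(capacity + 1, sizeof *table);  /* +1 guard slot */
    if (!table)
        return -1;
    size_t written = collect_unchecked(&demo_element, table);
    int guard_hit = table[capacity].prefix != NULL;
    free(table);
    return (written > capacity && guard_hit) ? 1 : 0;
}

/* Same input through the checked collector: -1, and the guard slot stays untouched. */
static int demo_checked_result(void)
{
    size_t capacity = demo_element.attribute_count;
    nsd_entry *table = calloc(capacity + 1, sizeof *table);
    if (!table)
        return -2;
    int r = collect_checked(&demo_element, table, capacity);
    int guard_hit = table[capacity].prefix != NULL;
    free(table);
    return guard_hit ? -2 : r;
}

/* A well-formed element (no prefix of its own) fits the table: returns 2. */
static int demo_checked_fits(void)
{
    toy_element el = { NULL, demo_attrs, 2 };
    nsd_entry table[2] = { { NULL }, { NULL } };
    return collect_checked(&el, table, 2);
}

int main(void)
{
    printf("unchecked collector overran the table: %d\n", demo_unchecked_overruns());
    printf("checked collector on the same input:   %d\n", demo_checked_result());
    printf("checked collector on a fitting input:  %d\n", demo_checked_fits());
    return 0;
}
```

The point of the checked version is that the bound is the table's actual capacity, not a count derived from a different quantity; a writer that sizes one buffer from attribute_count and then fills it from a second, independently computed count has to re-check at the write, or the two counts must be proven equal.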
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-16 17:44:44 UTC
We may want to keep an eye on LibreOffice who bundle this upstream?
Comment 2 Larry the Git Cow gentoo-dev 2021-04-29 07:55:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=302b7d40ecbd4d456c0f39046a9c078c96e672d8

commit 302b7d40ecbd4d456c0f39046a9c078c96e672d8
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-29 07:55:33 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-29 07:55:49 +0000

    media-libs/raptor: fixed CVE-2020-25713
    
    Bug: https://bugs.gentoo.org/754264
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 ...713-raptor2-malformed-input-file-can-lead.patch | 32 ++++++++++++++++++++++
 ...or-2.0.15-r2.ebuild => raptor-2.0.15-r3.ebuild} |  1 +
 2 files changed, 33 insertions(+)
Comment 3 Miroslav Šulc gentoo-dev 2021-04-29 07:57:24 UTC
all tests passed.

before fix:
$ rapper file.rdf 
rapper: Parsing URI file:///home/fordfrog/src/gentoo/raptor/file.rdf with parser rdfxml
rapper: Serializing with serializer ntriples
rapper: Warning - URI file:///home/fordfrog/src/gentoo/raptor/file.rdf:2 - Using node element 'r' without a namespace is forbidden.
_:genid1 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <#l> .
rapper: Warning - URI file:///home/fordfrog/src/gentoo/raptor/file.rdf:2 - Unknown rdf:parseType value '' taken as 'Literal'
Segmentation fault (SIGSEGV)

after fix:
$ rapper file.rdf 
rapper: Parsing URI file:///home/fordfrog/src/gentoo/raptor/file.rdf with parser rdfxml
rapper: Serializing with serializer ntriples
rapper: Warning - URI file:///home/fordfrog/src/gentoo/raptor/file.rdf:2 - Using node element 'r' without a namespace is forbidden.
_:genid1 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <#l> .
rapper: Warning - URI file:///home/fordfrog/src/gentoo/raptor/file.rdf:2 - Unknown rdf:parseType value '' taken as 'Literal'
rapper: Error -  - XML parser error: Extra content at the end of the document
rapper: Failed to parse file file.rdf rdfxml content
rapper: Parsing returned 1 triple


revbumped and removed old so you can proceed.
Comment 4 John Helmert III gentoo-dev Security 2021-05-12 02:18:28 UTC
Thank you! Sorry for the delay.
Comment 5 John Helmert III gentoo-dev Security 2021-07-25 02:23:57 UTC
GLSA request filed.
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:25:24 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:33:57 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 17:41:50 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 17:49:59 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-07-29 18:05:53 UTC
Package list is empty or all packages have requested keywords.