diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2020-11-24 10:32:30 +0000 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2020-11-24 15:50:06 +0100 |
| commit | c476b36bdab3dc1d2582f841d8044ffc202aae88 (patch) | |
| tree | a68a30a636f0650e54b64f5e9ed2e88beda95429 | |
| parent | fe88ffb661053f8fff9bd77affdf4de820c43ca8 (diff) | |
CVE-2020-25713 raptor2: malformed input file can lead to a segfault
due to an out of bounds array access in
raptor_xml_writer_start_element_common
use a better fix than the initial suggestion
See:
https: //bugs.mageia.org/show_bug.cgi?id=27605
https: //www.openwall.com/lists/oss-security/2020/11/13/1
Change-Id: I9203904755b0e4ac98ae1e39942fd6f616c1efff
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/106488
Reviewed-by: Michael Stahl <michael.stahl@cib.de>
Tested-by: Caolán McNamara <caolanm@redhat.com>
3 files changed, 34 insertions, 15 deletions
diff --git a/external/redland/UnpackedTarball_raptor.mk b/external/redland/UnpackedTarball_raptor.mk index 3a4d7f17a471..c5ff226168d8 100644 --- a/external/redland/UnpackedTarball_raptor.mk +++ b/external/redland/UnpackedTarball_raptor.mk @@ -28,7 +28,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,raptor,\ $(if $(SYSTEM_LIBXML),,external/redland/raptor/rpath.patch) \ external/redland/raptor/xml2-config.patch \ external/redland/raptor/0001-Calcualte-max-nspace-declarations-correctly-for-XML-.patch.1 \ - external/redland/raptor/raptor-fix-oob.patch.1\ + external/redland/raptor/0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1 \ external/redland/raptor/libtool.patch \ external/redland/raptor/libxml-override.patch \ )) diff --git a/external/redland/raptor/0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1 b/external/redland/raptor/0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1 new file mode 100644 index 000000000000..1fb279df3e4d --- /dev/null +++ b/external/redland/raptor/0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1 @@ -0,0 +1,33 @@ +From a549457461874157c8c8e8e8a6e0eec06da4fbd0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com> +Date: Tue, 24 Nov 2020 10:30:20 +0000 +Subject: [PATCH] CVE-2020-25713 raptor2: malformed input file can lead to a + segfault + +due to an out of bounds array access in +raptor_xml_writer_start_element_common + +See: +https://bugs.mageia.org/show_bug.cgi?id=27605 +https://www.openwall.com/lists/oss-security/2020/11/13/1 +https://gerrit.libreoffice.org/c/core/+/106249 +--- + src/raptor_xml_writer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c +index 56993dc3..4426d38c 100644 +--- a/src/raptor_xml_writer.c ++++ b/src/raptor_xml_writer.c +@@ -227,7 +227,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer, + + /* check it wasn't an earlier declaration too */ + for(j = 0; j < nspace_declarations_count; j++) +- if(nspace_declarations[j].nspace == element->attributes[j]->nspace) { ++ if(nspace_declarations[j].nspace == element->attributes[i]->nspace) { + declare_me = 0; + break; + } +-- +2.28.0 + diff --git a/external/redland/raptor/raptor-fix-oob.patch.1 b/external/redland/raptor/raptor-fix-oob.patch.1 deleted file mode 100644 index 04106dc9a70e..000000000000 --- a/external/redland/raptor/raptor-fix-oob.patch.1 +++ /dev/null @@ -1,14 +0,0 @@ -diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c -index 56993dc3..163f34d5 100644 ---- a/src/raptor_xml_writer.c -+++ b/src/raptor_xml_writer.c -@@ -216,6 +216,9 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer, - - if(nstack && element->attributes) { - for(i = 0; i < element->attribute_count; i++) { -+ if (nspace_declarations_count > element->attribute_count) -+ goto error; -+ - /* qname */ - if(element->attributes[i]->nspace) { - /* Check if we need a namespace declaration attribute */ |