Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id 
<ee4c0876608d99eb3f8b333b556fbd92e7a652eb.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1105957,
regarding bookworm-pu: package raptor2/2.0.15-4+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1105957: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105957
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:raptor2
User: [email protected]
Usertags: pu

Hi stable release managers,

[ Reason ]
raptor2 in bookworm is as well affected by CVE-2024-57822 and
CVE-2024-57823, an integer overflow in
raptor_uri_normalize_path and a heap read buffer overflow in ntriples
bnode.

[ Impact ]
Keeping those two, no-dsa issues, open in bookworm.

[ Tests ]
While I include for consistency the two tests as well in this update's
tests/ folder, those tests are not run (and others) back in bookworm. I
did explicitly test those manually and verified under valgrind that
the issue is fixed.

[ Risks ]
The update is in unstable and trixie without having got regression
reports and the fixes are scoped to those issues. It should be low risk
to get this applied.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Two patches to fix the underlying issue, and as explained above as
well adding the testcases (though not run).

[ Other info ]
They do not warrant a DSA so it is now perfectly fine to wait until we
get it into 12.12 later. I unfortunately missed the time to finalize
this earlier for bookworm's 12.11 which is sad but is as it is now.

Regards,
Salvatore
diff -Nru raptor2-2.0.15/debian/changelog raptor2-2.0.15/debian/changelog
--- raptor2-2.0.15/debian/changelog     2022-10-03 01:38:55.000000000 +0200
+++ raptor2-2.0.15/debian/changelog     2025-03-29 20:42:36.000000000 +0100
@@ -1,3 +1,13 @@
+raptor2 (2.0.15-4+deb12u1) bookworm; urgency=medium
+
+  * Integer Underflow in raptor_uri_normalize_path() (CVE-2024-57823)
+    (Closes: #1067896)
+  * Heap read buffer overflow in ntriples bnode (CVE-2024-57822)
+    (Closes: #1067896)
+  * Tests for Github issue 70
+
+ -- Salvatore Bonaccorso <[email protected]>  Sat, 29 Mar 2025 20:42:36 +0100
+
 raptor2 (2.0.15-4) unstable; urgency=medium
 
   * QA upload.
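Review bot: the `Tests for Github issue 70` entry in the new changelog stanza does not record that the added tests are not run in bookworm, which the request text states under [ Tests ] and [ Changes ]. Since the checklist asks for all changes to be documented in d/changelog, the entry could say so, for example "Tests for Github issue 70 (added for consistency, not run)".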
diff -Nru 
raptor2-2.0.15/debian/patches/Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch
 
raptor2-2.0.15/debian/patches/Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch
--- 
raptor2-2.0.15/debian/patches/Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
raptor2-2.0.15/debian/patches/Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch
    2025-03-29 20:42:36.000000000 +0100
@@ -0,0 +1,44 @@
+From: Dave Beckett <[email protected]>
+Date: Thu, 6 Feb 2025 21:12:37 -0800
+Subject: Fix Github issue 70 A) Integer Underflow in
+ raptor_uri_normalize_path()
+Origin: 
https://github.com/dajobe/raptor/commit/da7a79976bd0314c23cce55d22495e7d29301c44
+Bug: https://github.com/dajobe/raptor/issues/70
+Bug-Debian: https://bugs.debian.org/1067896
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57823
+
+(raptor_uri_normalize_path): Return empty buffer if path gets to 0
+length
+---
+ src/raptor_rfc2396.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/raptor_rfc2396.c b/src/raptor_rfc2396.c
+index 8cc364f44735..f8ec57986a08 100644
+--- a/src/raptor_rfc2396.c
++++ b/src/raptor_rfc2396.c
+@@ -351,6 +351,10 @@ raptor_uri_normalize_path(unsigned char* path_buffer, 
size_t path_len)
+           *dest++ = *s++;
+         *dest = '\0';
+         path_len -= len;
++        if(path_len <= 0) {
++          *path_buffer = '\0';
++          return 0;
++        }
+ 
+         if(p && p < prev) {
+           /* We know the previous prev path component and we didn't do
+@@ -390,6 +394,10 @@ raptor_uri_normalize_path(unsigned char* path_buffer, 
size_t path_len)
+     /* Remove <component>/.. at the end of the path */
+     *prev = '\0';
+     path_len -= (s-prev);
++    if(path_len <= 0) {
++      *path_buffer = '\0';
++      return 0;
++    }
+   }
+ 
+ 
+-- 
+2.49.0
+
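Review bot: `path_len` is declared `size_t` in both hunk headers of this patch, so the two new `if(path_len <= 0)` checks can only fire when the value is exactly 0. If either preceding subtraction (`path_len -= len` or `path_len -= (s-prev)`) removes more than remains, the result wraps to a large positive value and the guard is skipped. Comparing before subtracting, for example `if(len >= path_len)` ahead of `path_len -= len`, and writing the remaining test as `== 0`, would cover that case and make the intent explicit for an unsigned type.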
diff -Nru 
raptor2-2.0.15/debian/patches/Fix-Github-issue-70-B-Heap-read-buffer-overflow-in-n.patch
 
raptor2-2.0.15/debian/patches/Fix-Github-issue-70-B-Heap-read-buffer-overflow-in-n.patch
--- 
raptor2-2.0.15/debian/patches/Fix-Github-issue-70-B-Heap-read-buffer-overflow-in-n.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
raptor2-2.0.15/debian/patches/Fix-Github-issue-70-B-Heap-read-buffer-overflow-in-n.patch
    2025-03-29 20:42:36.000000000 +0100
@@ -0,0 +1,30 @@
+From: Dave Beckett <[email protected]>
+Date: Fri, 7 Feb 2025 11:38:34 -0800
+Subject: Fix Github issue 70 B) Heap read buffer overflow in ntriples bnode
+Origin: 
https://github.com/dajobe/raptor/commit/ece2c79df43091686a538b8231cf387d84bfa60e
+Bug: https://github.com/dajobe/raptor/issues/70
+Bug-Debian: https://bugs.debian.org/1067896
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57822
+
+(raptor_ntriples_parse_term_internal): Only allow looking at the last
+character of a bnode ID only if bnode length >0
+---
+ src/raptor_ntriples.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/raptor_ntriples.c b/src/raptor_ntriples.c
+index 3276e790f201..ecc4247c2874 100644
+--- a/src/raptor_ntriples.c
++++ b/src/raptor_ntriples.c
+@@ -212,7 +212,7 @@ raptor_ntriples_parse_term_internal(raptor_world* world,
+             locator->column--;
+             locator->byte--;
+           }
+-          if(term_class == RAPTOR_TERM_CLASS_BNODEID && dest[-1] == '.') {
++          if(term_class == RAPTOR_TERM_CLASS_BNODEID && position > 0 && 
dest[-1] == '.') {
+             /* If bnode id ended on '.' move back one */
+             dest--;
+ 
+-- 
+2.49.0
+
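Review bot: the added `position > 0` term in the `RAPTOR_TERM_CLASS_BNODEID` condition is what keeps `dest[-1]` from being read, but nothing in the hunk shows that `position` counts the bytes already written through `dest`. The comment below it ("If bnode id ended on '.' move back one") should state that invariant, for example that an empty bnode ID leaves no byte before `dest` to inspect. The commit message also repeats "only" ("Only allow ... only if").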
diff -Nru raptor2-2.0.15/debian/patches/Tests-for-Github-issue-70.patch 
raptor2-2.0.15/debian/patches/Tests-for-Github-issue-70.patch
--- raptor2-2.0.15/debian/patches/Tests-for-Github-issue-70.patch       
1970-01-01 01:00:00.000000000 +0100
+++ raptor2-2.0.15/debian/patches/Tests-for-Github-issue-70.patch       
2025-03-29 20:42:36.000000000 +0100
@@ -0,0 +1,195 @@
+From: Dave Beckett <[email protected]>
+Date: Thu, 6 Feb 2025 21:10:38 -0800
+Subject: Tests for Github issue 70
+Origin: 
https://github.com/dajobe/raptor/commit/0f9d4f7216fa310b1583b44321c2e6ff27c552de
+Bug: https://github.com/dajobe/raptor/issues/70
+
+Tests for https://github.com/dajobe/raptor/issues/70
+A) Integer Underflow in raptor_uri_normalize_path()
+B) Heap read buffer overflow in raptor_ntriples_parse_term_internal()
+---
+ .gitignore             |  2 +-
+ configure.ac           |  1 +
+ tests/Makefile.am      |  2 +-
+ tests/bugs/.gitignore  |  7 +++++
+ tests/bugs/Makefile.am | 13 +++++++++
+ tests/bugs/issue70a.c  | 58 +++++++++++++++++++++++++++++++++++++++
+ tests/bugs/issue70b.c  | 61 ++++++++++++++++++++++++++++++++++++++++++
+ 7 files changed, 142 insertions(+), 2 deletions(-)
+ create mode 100644 tests/bugs/.gitignore
+ create mode 100644 tests/bugs/Makefile.am
+ create mode 100644 tests/bugs/issue70a.c
+ create mode 100644 tests/bugs/issue70b.c
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -1338,6 +1338,7 @@ tests/rdfxml/Makefile
+ tests/turtle/Makefile
+ tests/turtle-2013/Makefile
+ tests/trig/Makefile
++tests/bugs/Makefile
+ utils/Makefile
+ librdfa/Makefile
+ raptor2.pc])
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -37,7 +37,7 @@ raptor_empty_test_SOURCES=empty.c
+ # Used to make N-triples output consistent
+ BASE_URI=http://librdf.org/raptor/tests/
+ 
+-SUBDIRS = rdfxml ntriples ntriples-2013 nquads-2013 turtle turtle-2013 trig 
grddl rdfa rdfa11 json feeds
++SUBDIRS = rdfxml ntriples ntriples-2013 nquads-2013 turtle turtle-2013 trig 
grddl rdfa rdfa11 json feeds bugs
+ 
+ 
+ $(top_builddir)/src/libraptor2.la:
+--- /dev/null
++++ b/tests/bugs/.gitignore
+@@ -0,0 +1,7 @@
++*.o
++.deps
++.libs
++TAGS
++raptor_issue*_test
++raptor_issue*_test.exe
++raptor_issue*_test.trs
+--- /dev/null
++++ b/tests/bugs/Makefile.am
+@@ -0,0 +1,13 @@
++TESTS=raptor_issue70a_test$(EXEEXT) raptor_issue70b_test$(EXEEXT)
++
++AM_CPPFLAGS=-I$(top_srcdir)/src
++AM_CFLAGS= -I$(top_builddir)/src @CFLAGS@ $(MEM)
++AM_LDFLAGS=$(top_builddir)/src/libraptor2.la $(MEM_LIBS)
++
++EXTRA_PROGRAMS=$(TESTS)
++
++CLEANFILES=$(TESTS)
++
++raptor_issue70a_test_SOURCES=issue70a.c
++raptor_issue70b_test_SOURCES=issue70b.c
++
+--- /dev/null
++++ b/tests/bugs/issue70a.c
+@@ -0,0 +1,58 @@
++/* -*- Mode: c; c-basic-offset: 2 -*-
++ *
++ * issue70a.c - Raptor test for GitHub issue 70 first part
++ * Integer Underflow in raptor_uri_normalize_path()
++ *
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <raptor_config.h>
++#endif
++
++#include <string.h>
++
++/* Raptor includes */
++#include "raptor2.h"
++#include "raptor_internal.h"
++
++
++int
++main(int argc, const char** argv)
++{
++  const char *program = raptor_basename(argv[0]);
++  const unsigned char* base_uri=      (const unsigned 
char*)"http:o/www.w3.org/2001/sw/DataA#cess/df1.ttl";
++  const unsigned char* reference_uri= (const unsigned 
char*)".&/../?D/../../1999/02/22-rdf-syntax-ns#";
++#define BUFFER_LEN 84
++  unsigned char buffer[BUFFER_LEN + 1];
++  size_t buffer_length = BUFFER_LEN + 1;
++  int failures = 0;
++#define EXPECTED_RESULT "http:?D/../../1999/02/22-rdf-syntax-ns#"
++#define EXPECTED_RESULT_LEN 39UL
++  int result;
++  size_t result_len;
++
++  buffer[0] = '\0';
++
++  /* Crash used to happens here if RAPTOR_DEBUG > 3
++   * raptor_rfc2396.c:398:raptor_uri_normalize_path: fatal error: Path length 
0 does not match calculated -5.
++   */
++  result = raptor_uri_resolve_uri_reference(base_uri, reference_uri,
++                                            buffer, buffer_length);
++  result_len = strlen((const char*)buffer);
++
++  if(strcmp((const char*)buffer, EXPECTED_RESULT) ||
++     result_len != EXPECTED_RESULT_LEN) {
++    fprintf(stderr, "%s: raptor_uri_resolve_uri_reference() failed with 
result %d\n", program, result);
++    fprintf(stderr, "%s: Base URI: '%s' (%lu)\n",
++            program, base_uri, strlen((const char*)base_uri));
++    fprintf(stderr, "%s: Ref  URI: '%s' (%lu)\n", reference_uri,
++            program, strlen((const char*)reference_uri));
++    fprintf(stderr, "%s: Result buffer: '%s' (%lu)\n", program,
++            buffer, strlen((const char*)buffer));
++    fprintf(stderr, "%s: Expected: '%s' (%lu)\n", program,
++            EXPECTED_RESULT, EXPECTED_RESULT_LEN);
++    failures++;
++  }
++
++  return failures;
++}
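Review bot: in the `Ref  URI` `fprintf` of the failure branch in issue70a.c the first two arguments are swapped: `reference_uri` is passed where the neighbouring messages pass `program`, so the program name and the URI print in each other's place. It should read `program, reference_uri, strlen((const char*)reference_uri)`. The `%lu` conversions in the same branch are given `strlen()` results, which are `size_t`; `%zu` or a cast to `unsigned long` avoids a mismatch where the two types differ.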
+--- /dev/null
++++ b/tests/bugs/issue70b.c
+@@ -0,0 +1,61 @@
++/* -*- Mode: c; c-basic-offset: 2 -*-
++ *
++ * issue70.c - Raptor test for GitHub issue 70 second part
++ * Heap read buffer overflow in raptor_ntriples_parse_term_internal()
++ *
++ * N-Triples test content: "_:/exaple/o"
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <raptor_config.h>
++#endif
++
++#include <string.h>
++
++/* Raptor includes */
++#include "raptor2.h"
++#include "raptor_internal.h"
++
++
++int
++main(int argc, const char** argv)
++{
++  const char *program = raptor_basename(argv[0]);
++  const unsigned char* ntriples_content = (const unsigned 
char*)"_:/exaple/o\n";
++#define NTRIPLES_CONTENT_LEN 12
++  const unsigned char* base_uri_string = (const unsigned 
char*)"http:o/www.w3.org/2001/sw/DataA#cess/df1.ttl";
++  int failures = 0;
++  raptor_world* world = NULL;
++  raptor_uri* base_uri = NULL;
++  raptor_parser* parser = NULL;
++  int result;
++
++  world = raptor_new_world();
++  if(!world)
++    goto cleanup;
++  base_uri = raptor_new_uri(world, base_uri_string);
++  if(!base_uri)
++    goto cleanup;
++  parser = raptor_new_parser(world, "ntriples");
++  if(!parser)
++    goto cleanup;
++
++  (void)raptor_parser_parse_start(parser, base_uri);
++  result = raptor_parser_parse_chunk(parser,
++                                     ntriples_content,
++                                     NTRIPLES_CONTENT_LEN, /* is_end */ 1);
++
++  if(result) {
++    fprintf(stderr, "%s: parsing '%s' N-Triples content failed with result 
%d\n", program, ntriples_content, result);
++    fprintf(stderr, "%s: Base URI: '%s' (%lu)\n",
++            program, base_uri_string, strlen((const char*)base_uri_string));
++    failures++;
++  }
++
++  cleanup:
++  raptor_free_parser(parser);
++  raptor_free_uri(base_uri);
++  raptor_free_world(world);
++
++  return failures;
++}
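Review bot: each `goto cleanup` in issue70b.c, taken when `raptor_new_world()`, `raptor_new_uri()` or `raptor_new_parser()` returns NULL, leaves `failures` at 0, so a setup failure makes the test return 0 and pass without parsing the N-Triples content. Incrementing `failures` before each jump would report it. The result of `raptor_parser_parse_start()` is likewise discarded with `(void)`, and the header comment names the file `issue70.c` rather than `issue70b.c`.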
diff -Nru raptor2-2.0.15/debian/patches/series 
raptor2-2.0.15/debian/patches/series
--- raptor2-2.0.15/debian/patches/series        2022-09-29 09:30:38.000000000 
+0200
+++ raptor2-2.0.15/debian/patches/series        2025-03-29 20:42:36.000000000 
+0100
@@ -2,3 +2,6 @@
 CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch
 configure.ac-Allow-use-of-pkg-config-to-detect-the-libxsl.patch
 configure.ac-libxml2.patch
+Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch
+Fix-Github-issue-70-B-Heap-read-buffer-overflow-in-n.patch
+Tests-for-Github-issue-70.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---
