[Libreoffice-commits] core.git: external/redland

Caolán McNamara (via logerrit) Tue, 24 Nov 2020 06:50:50 -0800

 external/redland/UnpackedTarball_raptor.mk                                     
           |    2 
 
external/redland/raptor/0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1
 |   33 ++++++++++
 external/redland/raptor/raptor-fix-oob.patch.1                                 
           |   14 ----
 3 files changed, 34 insertions(+), 15 deletions(-)


New commits:
commit c476b36bdab3dc1d2582f841d8044ffc202aae88
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Tue Nov 24 10:32:30 2020 +0000
Commit:     Caolán McNamara <caol...@redhat.com>
CommitDate: Tue Nov 24 15:50:06 2020 +0100

    CVE-2020-25713 raptor2: malformed input file can lead to a segfault
    
    due to an out of bounds array access in
    raptor_xml_writer_start_element_common
    
    use a better fix than the initial suggestion
    
    See:
    https: //bugs.mageia.org/show_bug.cgi?id=27605
    https: //www.openwall.com/lists/oss-security/2020/11/13/1
    Change-Id: I9203904755b0e4ac98ae1e39942fd6f616c1efff
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/106488
    Reviewed-by: Michael Stahl <michael.st...@cib.de>
    Tested-by: Caolán McNamara <caol...@redhat.com>

diff --git a/external/redland/UnpackedTarball_raptor.mk 
b/external/redland/UnpackedTarball_raptor.mk
index 3a4d7f17a471..c5ff226168d8 100644
--- a/external/redland/UnpackedTarball_raptor.mk
+++ b/external/redland/UnpackedTarball_raptor.mk
@@ -28,7 +28,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,raptor,\
        $(if $(SYSTEM_LIBXML),,external/redland/raptor/rpath.patch) \
        external/redland/raptor/xml2-config.patch \
        
external/redland/raptor/0001-Calcualte-max-nspace-declarations-correctly-for-XML-.patch.1
 \
-       external/redland/raptor/raptor-fix-oob.patch.1\
+       
external/redland/raptor/0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1
 \
        external/redland/raptor/libtool.patch \
        external/redland/raptor/libxml-override.patch \
 ))
diff --git 
a/external/redland/raptor/0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1
 
b/external/redland/raptor/0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1
new file mode 100644
index 000000000000..1fb279df3e4d
--- /dev/null
+++ 
b/external/redland/raptor/0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1
@@ -0,0 +1,33 @@
+From a549457461874157c8c8e8e8a6e0eec06da4fbd0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caol...@redhat.com>
+Date: Tue, 24 Nov 2020 10:30:20 +0000
+Subject: [PATCH] CVE-2020-25713 raptor2: malformed input file can lead to a
+ segfault
+
+due to an out of bounds array access in
+raptor_xml_writer_start_element_common
+
+See:
+https://bugs.mageia.org/show_bug.cgi?id=27605
+https://www.openwall.com/lists/oss-security/2020/11/13/1
+https://gerrit.libreoffice.org/c/core/+/106249
+---
+ src/raptor_xml_writer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
+index 56993dc3..4426d38c 100644
+--- a/src/raptor_xml_writer.c
++++ b/src/raptor_xml_writer.c
+@@ -227,7 +227,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* 
xml_writer,
+           
+           /* check it wasn't an earlier declaration too */
+           for(j = 0; j < nspace_declarations_count; j++)
+-            if(nspace_declarations[j].nspace == 
element->attributes[j]->nspace) {
++            if(nspace_declarations[j].nspace == 
element->attributes[i]->nspace) {
+               declare_me = 0;
+               break;
+             }
+-- 
+2.28.0
+
diff --git a/external/redland/raptor/raptor-fix-oob.patch.1 
b/external/redland/raptor/raptor-fix-oob.patch.1
deleted file mode 100644
index 04106dc9a70e..000000000000
--- a/external/redland/raptor/raptor-fix-oob.patch.1
+++ /dev/null
@@ -1,14 +0,0 @@
-diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
-index 56993dc3..163f34d5 100644
---- a/src/raptor_xml_writer.c
-+++ b/src/raptor_xml_writer.c
-@@ -216,6 +216,9 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* 
xml_writer,
- 
-   if(nstack && element->attributes) {
-     for(i = 0; i < element->attribute_count; i++) {
-+      if (nspace_declarations_count > element->attribute_count)
-+        goto error;
-+
-       /* qname */
-       if(element->attributes[i]->nspace) {
-         /* Check if we need a namespace declaration attribute */
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits

[Libreoffice-commits] core.git: external/redland

Reply via email to