
Bug#1101473: marked as done (CVE-2024-57823 fix and test in raptor2)



Your message dated Sat, 29 Mar 2025 15:11:11 +0000
with message-id <E1tyXq3-006Sv7-Ht@fasolo.debian.org>
and subject line Bug#1067896: fixed in raptor2 2.0.16-6
has caused the Debian Bug report #1067896,
regarding CVE-2024-57823 fix and test in raptor2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1067896: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067896
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---

Package: raptor-utils
Version: 2.0.15-4
Severity: critical

CVE-2024-57823: there is an integer underflow when normalizing a URI with the turtle parser in raptor_uri_normalize_path().

Upstream Fix
https://github.com/dajobe/raptor/commit/da7a79976bd0314c23cce55d22495e7d29301c44

Reference:
https://security-tracker.debian.org/tracker/CVE-2024-57823
https://nvd.nist.gov/vuln/detail/CVE-2024-57823

Test Procedures

1. Set the source list:
   cat /etc/apt/sources.list
   deb http://deb.debian.org/debian bookworm main
   deb-src http://deb.debian.org/debian bookworm main

2. "apt-get source raptor2" to get the source code "raptor2-2.0.15".

3. Copy the Tests-for-Github-issue-70.patch to debian/patch and update the series, then "quilt push -a".

4. Run the test case; the test case raptor_issue70a_test failed as expected.
   "./autogen.sh", and then "make && make test"

make[4]: Entering directory '/home/raptor_cve/raptor2-2.0.15-build/tests/bugs'
  CC       issue70a.o
  CCLD     raptor_issue70a_test
../../build/test-driver: line 112: 3282723 Segmentation fault      "$@" >> "$log_file" 2>&1
FAIL: raptor_issue70a_test
  CC       issue70b.o
  CCLD     raptor_issue70b_test
PASS: raptor_issue70b_test
============================================================================
Testsuite summary for Raptor RDF Parser and Serializer library 2.0.15
============================================================================
# TOTAL: 2
# PASS:  1
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0

5. Copy the CVE-2024-57823-Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch to debian/patch and update the series,
   then "quilt push debian/patches/CVE-2024-57823-Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch".
   The test case raptor_issue70a_test passes as expected.

make[4]: Entering directory '/home/raptor_cve/raptor2-2.0.15-build/tests/bugs'
  CC       issue70a.o
  CCLD     raptor_issue70a_test
PASS: raptor_issue70a_test
  CC       issue70b.o
  CCLD     raptor_issue70b_test
PASS: raptor_issue70b_test
============================================================================
Testsuite summary for Raptor RDF Parser and Serializer library 2.0.15
============================================================================
# TOTAL: 2
# PASS:  2
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0

Thanks,
RongFu

Attachment: Tests-for-Github-issue-70.patch
Description: Tests-for-Github-issue-70.patch

Attachment: CVE-2024-57823-Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch
Description: CVE-2024-57823-Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch


--- End Message ---
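The reporter's test procedure (steps 2 to 5) scripted end to end, as an added example that is not part of the bug report or the raptor2 package. It assumes apt-get source, quilt, autotools and make are installed, that the two attached patches are in the current directory, and that the unpacked tree is named raptor2-2.0.15 as in the report; the helper names add_patch_to_series and test_passed are hypothetical.

```shell
#!/bin/bash
# Added example, not part of the bug report or the raptor2 package: scripts the
# reporter's test procedure (steps 2-5) for raptor2 2.0.15. Assumes apt-get
# source, quilt, autotools and make are available and the deb-src line is set.
set -euo pipefail

TEST_PATCH="Tests-for-Github-issue-70.patch"
FIX_PATCH="CVE-2024-57823-Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch"

# Copy a patch into debian/patches of an unpacked source tree and append its
# name to the quilt series file unless it is already listed (safe to re-run).
add_patch_to_series() {
    local srcdir="$1" patch="$2" series
    series="$srcdir/debian/patches/series"
    mkdir -p "$srcdir/debian/patches"
    cp "$patch" "$srcdir/debian/patches/"
    touch "$series"
    grep -qxF "$(basename "$patch")" "$series" || basename "$patch" >> "$series"
}

# Return 0 when the automake test-driver log shows "PASS: <name>" for the test
# and no "FAIL: <name>" line (a segfault in the test binary is reported as FAIL).
test_passed() {
    local name="$1" log="$2"
    grep -qx "PASS: $name" "$log" && ! grep -qx "FAIL: $name" "$log"
}

run_procedure() {
    local here; here=$(pwd)
    apt-get source raptor2                        # step 2
    cd raptor2-2.0.15
    add_patch_to_series . "$here/$TEST_PATCH"     # step 3
    quilt push -a
    ./autogen.sh && make                          # step 4
    make test > "$here/before.log" 2>&1 || true   # FAIL expected for issue70a
    if test_passed raptor_issue70a_test "$here/before.log"; then
        echo "unexpected: raptor_issue70a_test passed before the fix" >&2; exit 1
    fi
    add_patch_to_series . "$here/$FIX_PATCH"      # step 5
    quilt push "debian/patches/$FIX_PATCH"
    make && make test > "$here/after.log" 2>&1
    test_passed raptor_issue70a_test "$here/after.log" && echo "fix verified: raptor_issue70a_test passes"
}

# Only run the network-touching procedure when explicitly asked.
if [ "${1:-}" = "--run" ]; then run_procedure; fi
```

Invoke it as `./repro.sh --run` from the directory holding the two patches; the before.log and after.log files keep the two test-driver runs for comparison.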
--- Begin Message ---
Source: raptor2
Source-Version: 2.0.16-6
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
raptor2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1067896@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated raptor2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 29 Mar 2025 15:33:08 +0100
Source: raptor2
Architecture: source
Version: 2.0.16-6
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1067896
Changes:
 raptor2 (2.0.16-6) unstable; urgency=medium
 .
   * QA upload.
   * Integer Underflow in raptor_uri_normalize_path() (CVE-2024-57823)
     (Closes: #1067896)
   * Heap read buffer overflow in ntriples bnode (CVE-2024-57822)
     (Closes: #1067896)
   * Tests for Github issue 70



--- End Message ---
