
Bug#1105957: bookworm-pu: package raptor2/2.0.15-4+deb12u1



Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: raptor2@packages.debian.org, carnil@debian.org
Control: affects -1 + src:raptor2
User: release.debian.org@packages.debian.org
Usertags: pu

Hi stable release managers,

[ Reason ]
raptor2 in bookworm is as well affected by CVE-2024-57822 and
CVE-2024-57823, an integer overflow in
raptor_uri_normalize_path and a heap read buffer overflow in ntriples
bnode.

[ Impact ]
Keeping those two, no-dsa issues, open in bookworm.

[ Tests ]
While I include for consistency the two tests as well in this update's
tests/ folder, those tests (and others) are not run back in bookworm. I
did explicitly test those manually and verified under valgrind that
the issue is fixed.

[ Risks ]
The update is in unstable and trixie without having got regression
reports and the fixes are scoped to those issues. It should be low risk
to get this applied.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Two patches to fix the underlying issue, and as explained above as
well adding the testcases (though not run).

[ Other info ]
They do not warrant a DSA so it is now perfectly fine to wait until we
get it into 12.12 later. I unfortunately missed the time to finalize
this earlier for bookworm's 12.11 which is sad but is as it is now.

Regards,
Salvatore
diff -Nru raptor2-2.0.15/debian/changelog raptor2-2.0.15/debian/changelog
--- raptor2-2.0.15/debian/changelog	2022-10-03 01:38:55.000000000 +0200
+++ raptor2-2.0.15/debian/changelog	2025-03-29 20:42:36.000000000 +0100
@@ -1,3 +1,13 @@
+raptor2 (2.0.15-4+deb12u1) bookworm; urgency=medium
+
+  * Integer Underflow in raptor_uri_normalize_path() (CVE-2024-57823)
+    (Closes: #1067896)
+  * Heap read buffer overflow in ntriples bnode (CVE-2024-57822)
+    (Closes: #1067896)
+  * Tests for Github issue 70
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 29 Mar 2025 20:42:36 +0100
+
 raptor2 (2.0.15-4) unstable; urgency=medium
 
   * QA upload.
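Review bot: The "Tests for Github issue 70" entry should state that the tests are shipped but not executed in the bookworm build, as the request text says, so the changelog does not read as if the two fixes are covered by the build-time test suite. The first entry also calls CVE-2024-57823 an "Integer Underflow" while the request describes an integer overflow; use one term in both places.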
diff -Nru raptor2-2.0.15/debian/patches/Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch raptor2-2.0.15/debian/patches/Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch
--- raptor2-2.0.15/debian/patches/Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch	1970-01-01 01:00:00.000000000 +0100
+++ raptor2-2.0.15/debian/patches/Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch	2025-03-29 20:42:36.000000000 +0100
@@ -0,0 +1,44 @@
+From: Dave Beckett <dave@dajobe.org>
+Date: Thu, 6 Feb 2025 21:12:37 -0800
+Subject: Fix Github issue 70 A) Integer Underflow in
+ raptor_uri_normalize_path()
+Origin: https://github.com/dajobe/raptor/commit/da7a79976bd0314c23cce55d22495e7d29301c44
+Bug: https://github.com/dajobe/raptor/issues/70
+Bug-Debian: https://bugs.debian.org/1067896
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57823
+
+(raptor_uri_normalize_path): Return empty buffer if path gets to 0
+length
+---
+ src/raptor_rfc2396.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/raptor_rfc2396.c b/src/raptor_rfc2396.c
+index 8cc364f44735..f8ec57986a08 100644
+--- a/src/raptor_rfc2396.c
++++ b/src/raptor_rfc2396.c
+@@ -351,6 +351,10 @@ raptor_uri_normalize_path(unsigned char* path_buffer, size_t path_len)
+           *dest++ = *s++;
+         *dest = '\0';
+         path_len -= len;
++        if(path_len <= 0) {
++          *path_buffer = '\0';
++          return 0;
++        }
+ 
+         if(p && p < prev) {
+           /* We know the previous prev path component and we didn't do
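Review bot: `path_len` is declared `size_t` in the function signature, so the added `if(path_len <= 0)` after `path_len -= len;` can only match `path_len == 0`. If `len` is larger than `path_len`, the subtraction wraps to a very large value and the guard is skipped. Consider testing before the subtraction, for example `if(len >= path_len) { *path_buffer = '\0'; return 0; }`, and writing any remaining comparison as `== 0` so it does not read like a signed check.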
+@@ -390,6 +394,10 @@ raptor_uri_normalize_path(unsigned char* path_buffer, size_t path_len)
+     /* Remove <component>/.. at the end of the path */
+     *prev = '\0';
+     path_len -= (s-prev);
++    if(path_len <= 0) {
++      *path_buffer = '\0';
++      return 0;
++    }
+   }
+ 
+ 
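Review bot: In `path_len -= (s-prev);` a signed pointer difference is folded into the unsigned `path_len`, so the added `path_len <= 0` test again catches only an exact zero and not a value that has wrapped. Compare `(size_t)(s-prev)` against `path_len` before subtracting and take the empty-path return when it is greater or equal.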
+-- 
+2.49.0
+
diff -Nru raptor2-2.0.15/debian/patches/Fix-Github-issue-70-B-Heap-read-buffer-overflow-in-n.patch raptor2-2.0.15/debian/patches/Fix-Github-issue-70-B-Heap-read-buffer-overflow-in-n.patch
--- raptor2-2.0.15/debian/patches/Fix-Github-issue-70-B-Heap-read-buffer-overflow-in-n.patch	1970-01-01 01:00:00.000000000 +0100
+++ raptor2-2.0.15/debian/patches/Fix-Github-issue-70-B-Heap-read-buffer-overflow-in-n.patch	2025-03-29 20:42:36.000000000 +0100
@@ -0,0 +1,30 @@
+From: Dave Beckett <dave@dajobe.org>
+Date: Fri, 7 Feb 2025 11:38:34 -0800
+Subject: Fix Github issue 70 B) Heap read buffer overflow in ntriples bnode
+Origin: https://github.com/dajobe/raptor/commit/ece2c79df43091686a538b8231cf387d84bfa60e
+Bug: https://github.com/dajobe/raptor/issues/70
+Bug-Debian: https://bugs.debian.org/1067896
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57822
+
+(raptor_ntriples_parse_term_internal): Only allow looking at the last
+character of a bnode ID only if bnode length >0
+---
+ src/raptor_ntriples.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/raptor_ntriples.c b/src/raptor_ntriples.c
+index 3276e790f201..ecc4247c2874 100644
+--- a/src/raptor_ntriples.c
++++ b/src/raptor_ntriples.c
+@@ -212,7 +212,7 @@ raptor_ntriples_parse_term_internal(raptor_world* world,
+             locator->column--;
+             locator->byte--;
+           }
+-          if(term_class == RAPTOR_TERM_CLASS_BNODEID && dest[-1] == '.') {
++          if(term_class == RAPTOR_TERM_CLASS_BNODEID && position > 0 && dest[-1] == '.') {
+             /* If bnode id ended on '.' move back one */
+             dest--;
+ 
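Review bot: The added `position > 0` guard in front of `dest[-1]` relies on `position` counting the bytes already written through `dest`, which these lines do not show, and the commit message speaks of "bnode length >0" instead. A short comment at the condition stating that invariant, or a direct comparison of `dest` against the start of the output buffer, would make it clear why the read one byte before `dest` is now in bounds.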
+-- 
+2.49.0
+
diff -Nru raptor2-2.0.15/debian/patches/Tests-for-Github-issue-70.patch raptor2-2.0.15/debian/patches/Tests-for-Github-issue-70.patch
--- raptor2-2.0.15/debian/patches/Tests-for-Github-issue-70.patch	1970-01-01 01:00:00.000000000 +0100
+++ raptor2-2.0.15/debian/patches/Tests-for-Github-issue-70.patch	2025-03-29 20:42:36.000000000 +0100
@@ -0,0 +1,195 @@
+From: Dave Beckett <dave@dajobe.org>
+Date: Thu, 6 Feb 2025 21:10:38 -0800
+Subject: Tests for Github issue 70
+Origin: https://github.com/dajobe/raptor/commit/0f9d4f7216fa310b1583b44321c2e6ff27c552de
+Bug: https://github.com/dajobe/raptor/issues/70
+
+Tests for https://github.com/dajobe/raptor/issues/70
+A) Integer Underflow in raptor_uri_normalize_path()
+B) Heap read buffer overflow in raptor_ntriples_parse_term_internal()
+---
+ .gitignore             |  2 +-
+ configure.ac           |  1 +
+ tests/Makefile.am      |  2 +-
+ tests/bugs/.gitignore  |  7 +++++
+ tests/bugs/Makefile.am | 13 +++++++++
+ tests/bugs/issue70a.c  | 58 +++++++++++++++++++++++++++++++++++++++
+ tests/bugs/issue70b.c  | 61 ++++++++++++++++++++++++++++++++++++++++++
+ 7 files changed, 142 insertions(+), 2 deletions(-)
+ create mode 100644 tests/bugs/.gitignore
+ create mode 100644 tests/bugs/Makefile.am
+ create mode 100644 tests/bugs/issue70a.c
+ create mode 100644 tests/bugs/issue70b.c
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -1338,6 +1338,7 @@ tests/rdfxml/Makefile
+ tests/turtle/Makefile
+ tests/turtle-2013/Makefile
+ tests/trig/Makefile
++tests/bugs/Makefile
+ utils/Makefile
+ librdfa/Makefile
+ raptor2.pc])
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -37,7 +37,7 @@ raptor_empty_test_SOURCES=empty.c
+ # Used to make N-triples output consistent
+ BASE_URI=http://librdf.org/raptor/tests/
+ 
+-SUBDIRS = rdfxml ntriples ntriples-2013 nquads-2013 turtle turtle-2013 trig grddl rdfa rdfa11 json feeds
++SUBDIRS = rdfxml ntriples ntriples-2013 nquads-2013 turtle turtle-2013 trig grddl rdfa rdfa11 json feeds bugs
+ 
+ 
+ $(top_builddir)/src/libraptor2.la:
+--- /dev/null
++++ b/tests/bugs/.gitignore
+@@ -0,0 +1,7 @@
++*.o
++.deps
++.libs
++TAGS
++raptor_issue*_test
++raptor_issue*_test.exe
++raptor_issue*_test.trs
+--- /dev/null
++++ b/tests/bugs/Makefile.am
+@@ -0,0 +1,13 @@
++TESTS=raptor_issue70a_test$(EXEEXT) raptor_issue70b_test$(EXEEXT)
++
++AM_CPPFLAGS=-I$(top_srcdir)/src
++AM_CFLAGS= -I$(top_builddir)/src @CFLAGS@ $(MEM)
++AM_LDFLAGS=$(top_builddir)/src/libraptor2.la $(MEM_LIBS)
++
++EXTRA_PROGRAMS=$(TESTS)
++
++CLEANFILES=$(TESTS)
++
++raptor_issue70a_test_SOURCES=issue70a.c
++raptor_issue70b_test_SOURCES=issue70b.c
++
+--- /dev/null
++++ b/tests/bugs/issue70a.c
+@@ -0,0 +1,58 @@
++/* -*- Mode: c; c-basic-offset: 2 -*-
++ *
++ * issue70a.c - Raptor test for GitHub issue 70 first part
++ * Integer Underflow in raptor_uri_normalize_path()
++ *
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <raptor_config.h>
++#endif
++
++#include <string.h>
++
++/* Raptor includes */
++#include "raptor2.h"
++#include "raptor_internal.h"
++
++
++int
++main(int argc, const char** argv)
++{
++  const char *program = raptor_basename(argv[0]);
++  const unsigned char* base_uri=      (const unsigned char*)"http:o/www.w3.org/2001/sw/DataA#cess/df1.ttl";
++  const unsigned char* reference_uri= (const unsigned char*)".&/../?D/../../1999/02/22-rdf-syntax-ns#";
++#define BUFFER_LEN 84
++  unsigned char buffer[BUFFER_LEN + 1];
++  size_t buffer_length = BUFFER_LEN + 1;
++  int failures = 0;
++#define EXPECTED_RESULT "http:?D/../../1999/02/22-rdf-syntax-ns#"
++#define EXPECTED_RESULT_LEN 39UL
++  int result;
++  size_t result_len;
++
++  buffer[0] = '\0';
++
++  /* Crash used to happens here if RAPTOR_DEBUG > 3
++   * raptor_rfc2396.c:398:raptor_uri_normalize_path: fatal error: Path length 0 does not match calculated -5.
++   */
++  result = raptor_uri_resolve_uri_reference(base_uri, reference_uri,
++                                            buffer, buffer_length);
++  result_len = strlen((const char*)buffer);
++
++  if(strcmp((const char*)buffer, EXPECTED_RESULT) ||
++     result_len != EXPECTED_RESULT_LEN) {
++    fprintf(stderr, "%s: raptor_uri_resolve_uri_reference() failed with result %d\n", program, result);
++    fprintf(stderr, "%s: Base URI: '%s' (%lu)\n",
++            program, base_uri, strlen((const char*)base_uri));
++    fprintf(stderr, "%s: Ref  URI: '%s' (%lu)\n", reference_uri,
++            program, strlen((const char*)reference_uri));
++    fprintf(stderr, "%s: Result buffer: '%s' (%lu)\n", program,
++            buffer, strlen((const char*)buffer));
++    fprintf(stderr, "%s: Expected: '%s' (%lu)\n", program,
++            EXPECTED_RESULT, EXPECTED_RESULT_LEN);
++    failures++;
++  }
++
++  return failures;
++}
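Review bot: In the "Ref  URI" `fprintf` the arguments are in the wrong order: `reference_uri` is passed for the leading `%s:` program prefix and `program` for the quoted URI, so the diagnostic prints them swapped; it should be `program, reference_uri, strlen(...)`. The `%lu` conversions receive `size_t` values from `strlen()` without a cast, so use `%zu` or cast to `unsigned long`. `result` is only printed in the failure branch and never checked on its own.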
+--- /dev/null
++++ b/tests/bugs/issue70b.c
+@@ -0,0 +1,61 @@
++/* -*- Mode: c; c-basic-offset: 2 -*-
++ *
++ * issue70.c - Raptor test for GitHub issue 70 second part
++ * Heap read buffer overflow in raptor_ntriples_parse_term_internal()
++ *
++ * N-Triples test content: "_:/exaple/o"
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <raptor_config.h>
++#endif
++
++#include <string.h>
++
++/* Raptor includes */
++#include "raptor2.h"
++#include "raptor_internal.h"
++
++
++int
++main(int argc, const char** argv)
++{
++  const char *program = raptor_basename(argv[0]);
++  const unsigned char* ntriples_content = (const unsigned char*)"_:/exaple/o\n";
++#define NTRIPLES_CONTENT_LEN 12
++  const unsigned char* base_uri_string = (const unsigned char*)"http:o/www.w3.org/2001/sw/DataA#cess/df1.ttl";
++  int failures = 0;
++  raptor_world* world = NULL;
++  raptor_uri* base_uri = NULL;
++  raptor_parser* parser = NULL;
++  int result;
++
++  world = raptor_new_world();
++  if(!world)
++    goto cleanup;
++  base_uri = raptor_new_uri(world, base_uri_string);
++  if(!base_uri)
++    goto cleanup;
++  parser = raptor_new_parser(world, "ntriples");
++  if(!parser)
++    goto cleanup;
++
++  (void)raptor_parser_parse_start(parser, base_uri);
++  result = raptor_parser_parse_chunk(parser,
++                                     ntriples_content,
++                                     NTRIPLES_CONTENT_LEN, /* is_end */ 1);
++
++  if(result) {
++    fprintf(stderr, "%s: parsing '%s' N-Triples content failed with result %d\n", program, ntriples_content, result);
++    fprintf(stderr, "%s: Base URI: '%s' (%lu)\n",
++            program, base_uri_string, strlen((const char*)base_uri_string));
++    failures++;
++  }
++
++  cleanup:
++  raptor_free_parser(parser);
++  raptor_free_uri(base_uri);
++  raptor_free_world(world);
++
++  return failures;
++}
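Review bot: Every `goto cleanup` after a failed `raptor_new_world()`, `raptor_new_uri()` or `raptor_new_parser()` leaves `failures` at 0, so the test exits successfully without having parsed anything; increment `failures` on those paths. The return value of `raptor_parser_parse_start()` is discarded with a `(void)` cast and should be checked the same way. The header comment names the file `issue70.c` rather than `issue70b.c`.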
diff -Nru raptor2-2.0.15/debian/patches/series raptor2-2.0.15/debian/patches/series
--- raptor2-2.0.15/debian/patches/series	2022-09-29 09:30:38.000000000 +0200
+++ raptor2-2.0.15/debian/patches/series	2025-03-29 20:42:36.000000000 +0100
@@ -2,3 +2,6 @@
 CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch
 configure.ac-Allow-use-of-pkg-config-to-detect-the-libxsl.patch
 configure.ac-libxml2.patch
+Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch
+Fix-Github-issue-70-B-Heap-read-buffer-overflow-in-n.patch
+Tests-for-Github-issue-70.patch
