
Bug#1105957: marked as done (bookworm-pu: package raptor2/2.0.15-4+deb12u1)



Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1105957,
regarding bookworm-pu: package raptor2/2.0.15-4+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1105957: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105957
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: raptor2@packages.debian.org, carnil@debian.org
Control: affects -1 + src:raptor2
User: release.debian.org@packages.debian.org
Usertags: pu

Hi stable release managers,

[ Reason ]
raptor2 in bookworm is as well affected by CVE-2024-57822 and
CVE-2024-57823, an integer overflow in
raptor_uri_normalize_path and a heap read buffer overflow in ntriples
bnode.

[ Impact ]
Keeping those two, no-dsa issues, open in bookworm.

[ Tests ]
While I include for consistency the two tests as well in this update's
tests/ folder, those tests are not run (and others) back in bookworm. I
did explicitly test those manually and verified under valgrind that
the issue is fixed.

[ Risks ]
The update is in unstable and trixie without having got regression
reports and the fixes are scoped to those issues. It should be low risk
to get this applied.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Two patches to fix the underlying issue, and as explained above as
well adding the testcases (though not run).

[ Other info ]
They do not warrant a DSA so it is now perfectly fine to wait until we
get it into 12.12 later. I unfortunately missed the time to finalize
this earlier for bookworm's 12.11 which is sad but is as it is now.

Regards,
Salvatore
diff -Nru raptor2-2.0.15/debian/changelog raptor2-2.0.15/debian/changelog
--- raptor2-2.0.15/debian/changelog	2022-10-03 01:38:55.000000000 +0200
+++ raptor2-2.0.15/debian/changelog	2025-03-29 20:42:36.000000000 +0100
@@ -1,3 +1,13 @@
+raptor2 (2.0.15-4+deb12u1) bookworm; urgency=medium
+
+  * Integer Underflow in raptor_uri_normalize_path() (CVE-2024-57823)
+    (Closes: #1067896)
+  * Heap read buffer overflow in ntriples bnode (CVE-2024-57822)
+    (Closes: #1067896)
+  * Tests for Github issue 70
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 29 Mar 2025 20:42:36 +0100
+
 raptor2 (2.0.15-4) unstable; urgency=medium
 
   * QA upload.
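
Review bot: The entry "Tests for Github issue 70" does not say that the added tests are not executed during the bookworm build, which the request text states. A few words to that effect in the changelog would keep it in line with the "all changes are documented in the d/changelog" checkbox.
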
diff -Nru raptor2-2.0.15/debian/patches/Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch raptor2-2.0.15/debian/patches/Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch
--- raptor2-2.0.15/debian/patches/Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch	1970-01-01 01:00:00.000000000 +0100
+++ raptor2-2.0.15/debian/patches/Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch	2025-03-29 20:42:36.000000000 +0100
@@ -0,0 +1,44 @@
+From: Dave Beckett <dave@dajobe.org>
+Date: Thu, 6 Feb 2025 21:12:37 -0800
+Subject: Fix Github issue 70 A) Integer Underflow in
+ raptor_uri_normalize_path()
+Origin: https://github.com/dajobe/raptor/commit/da7a79976bd0314c23cce55d22495e7d29301c44
+Bug: https://github.com/dajobe/raptor/issues/70
+Bug-Debian: https://bugs.debian.org/1067896
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57823
+
+(raptor_uri_normalize_path): Return empty buffer if path gets to 0
+length
+---
+ src/raptor_rfc2396.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/raptor_rfc2396.c b/src/raptor_rfc2396.c
+index 8cc364f44735..f8ec57986a08 100644
+--- a/src/raptor_rfc2396.c
++++ b/src/raptor_rfc2396.c
+@@ -351,6 +351,10 @@ raptor_uri_normalize_path(unsigned char* path_buffer, size_t path_len)
+           *dest++ = *s++;
+         *dest = '\0';
+         path_len -= len;
++        if(path_len <= 0) {
++          *path_buffer = '\0';
++          return 0;
++        }
+ 
+         if(p && p < prev) {
+           /* We know the previous prev path component and we didn't do
+@@ -390,6 +394,10 @@ raptor_uri_normalize_path(unsigned char* path_buffer, size_t path_len)
+     /* Remove <component>/.. at the end of the path */
+     *prev = '\0';
+     path_len -= (s-prev);
++    if(path_len <= 0) {
++      *path_buffer = '\0';
++      return 0;
++    }
+   }
+ 
+ 
+-- 
+2.49.0
+
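
Review bot: In both added checks, path_len is a size_t (see the signature in the hunk header), so path_len <= 0 can only be true when path_len is exactly 0. If the amount subtracted on the preceding line (len in the first hunk, s-prev in the second) is larger than path_len, the subtraction has already wrapped to a very large value and the new check does not fire. Testing before subtracting, for example if(len >= path_len) followed by emptying the buffer and returning 0, would cover that case as well. If the surrounding logic guarantees the subtracted amount never exceeds path_len, a comment saying so and a comparison written as == 0 would make the intent clear.
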
diff -Nru raptor2-2.0.15/debian/patches/Fix-Github-issue-70-B-Heap-read-buffer-overflow-in-n.patch raptor2-2.0.15/debian/patches/Fix-Github-issue-70-B-Heap-read-buffer-overflow-in-n.patch
--- raptor2-2.0.15/debian/patches/Fix-Github-issue-70-B-Heap-read-buffer-overflow-in-n.patch	1970-01-01 01:00:00.000000000 +0100
+++ raptor2-2.0.15/debian/patches/Fix-Github-issue-70-B-Heap-read-buffer-overflow-in-n.patch	2025-03-29 20:42:36.000000000 +0100
@@ -0,0 +1,30 @@
+From: Dave Beckett <dave@dajobe.org>
+Date: Fri, 7 Feb 2025 11:38:34 -0800
+Subject: Fix Github issue 70 B) Heap read buffer overflow in ntriples bnode
+Origin: https://github.com/dajobe/raptor/commit/ece2c79df43091686a538b8231cf387d84bfa60e
+Bug: https://github.com/dajobe/raptor/issues/70
+Bug-Debian: https://bugs.debian.org/1067896
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57822
+
+(raptor_ntriples_parse_term_internal): Only allow looking at the last
+character of a bnode ID only if bnode length >0
+---
+ src/raptor_ntriples.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/raptor_ntriples.c b/src/raptor_ntriples.c
+index 3276e790f201..ecc4247c2874 100644
+--- a/src/raptor_ntriples.c
++++ b/src/raptor_ntriples.c
+@@ -212,7 +212,7 @@ raptor_ntriples_parse_term_internal(raptor_world* world,
+             locator->column--;
+             locator->byte--;
+           }
+-          if(term_class == RAPTOR_TERM_CLASS_BNODEID && dest[-1] == '.') {
++          if(term_class == RAPTOR_TERM_CLASS_BNODEID && position > 0 && dest[-1] == '.') {
+             /* If bnode id ended on '.' move back one */
+             dest--;
+ 
+-- 
+2.49.0
+
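
Review bot: The added position > 0 guard in front of dest[-1] relies on position counting the bytes already written to dest for this term, which the hunk context does not show. It is worth confirming, or stating in a comment, that position == 0 always means dest still points at the start of the output buffer, since otherwise dest[-1] can still read before it. The commit message also reads "Only allow ... only if"; one "only" can go.
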
diff -Nru raptor2-2.0.15/debian/patches/Tests-for-Github-issue-70.patch raptor2-2.0.15/debian/patches/Tests-for-Github-issue-70.patch
--- raptor2-2.0.15/debian/patches/Tests-for-Github-issue-70.patch	1970-01-01 01:00:00.000000000 +0100
+++ raptor2-2.0.15/debian/patches/Tests-for-Github-issue-70.patch	2025-03-29 20:42:36.000000000 +0100
@@ -0,0 +1,195 @@
+From: Dave Beckett <dave@dajobe.org>
+Date: Thu, 6 Feb 2025 21:10:38 -0800
+Subject: Tests for Github issue 70
+Origin: https://github.com/dajobe/raptor/commit/0f9d4f7216fa310b1583b44321c2e6ff27c552de
+Bug: https://github.com/dajobe/raptor/issues/70
+
+Tests for https://github.com/dajobe/raptor/issues/70
+A) Integer Underflow in raptor_uri_normalize_path()
+B) Heap read buffer overflow in raptor_ntriples_parse_term_internal()
+---
+ .gitignore             |  2 +-
+ configure.ac           |  1 +
+ tests/Makefile.am      |  2 +-
+ tests/bugs/.gitignore  |  7 +++++
+ tests/bugs/Makefile.am | 13 +++++++++
+ tests/bugs/issue70a.c  | 58 +++++++++++++++++++++++++++++++++++++++
+ tests/bugs/issue70b.c  | 61 ++++++++++++++++++++++++++++++++++++++++++
+ 7 files changed, 142 insertions(+), 2 deletions(-)
+ create mode 100644 tests/bugs/.gitignore
+ create mode 100644 tests/bugs/Makefile.am
+ create mode 100644 tests/bugs/issue70a.c
+ create mode 100644 tests/bugs/issue70b.c
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -1338,6 +1338,7 @@ tests/rdfxml/Makefile
+ tests/turtle/Makefile
+ tests/turtle-2013/Makefile
+ tests/trig/Makefile
++tests/bugs/Makefile
+ utils/Makefile
+ librdfa/Makefile
+ raptor2.pc])
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -37,7 +37,7 @@ raptor_empty_test_SOURCES=empty.c
+ # Used to make N-triples output consistent
+ BASE_URI=http://librdf.org/raptor/tests/
+ 
+-SUBDIRS = rdfxml ntriples ntriples-2013 nquads-2013 turtle turtle-2013 trig grddl rdfa rdfa11 json feeds
++SUBDIRS = rdfxml ntriples ntriples-2013 nquads-2013 turtle turtle-2013 trig grddl rdfa rdfa11 json feeds bugs
+ 
+ 
+ $(top_builddir)/src/libraptor2.la:
+--- /dev/null
++++ b/tests/bugs/.gitignore
+@@ -0,0 +1,7 @@
++*.o
++.deps
++.libs
++TAGS
++raptor_issue*_test
++raptor_issue*_test.exe
++raptor_issue*_test.trs
+--- /dev/null
++++ b/tests/bugs/Makefile.am
+@@ -0,0 +1,13 @@
++TESTS=raptor_issue70a_test$(EXEEXT) raptor_issue70b_test$(EXEEXT)
++
++AM_CPPFLAGS=-I$(top_srcdir)/src
++AM_CFLAGS= -I$(top_builddir)/src @CFLAGS@ $(MEM)
++AM_LDFLAGS=$(top_builddir)/src/libraptor2.la $(MEM_LIBS)
++
++EXTRA_PROGRAMS=$(TESTS)
++
++CLEANFILES=$(TESTS)
++
++raptor_issue70a_test_SOURCES=issue70a.c
++raptor_issue70b_test_SOURCES=issue70b.c
++
+--- /dev/null
++++ b/tests/bugs/issue70a.c
+@@ -0,0 +1,58 @@
++/* -*- Mode: c; c-basic-offset: 2 -*-
++ *
++ * issue70a.c - Raptor test for GitHub issue 70 first part
++ * Integer Underflow in raptor_uri_normalize_path()
++ *
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <raptor_config.h>
++#endif
++
++#include <string.h>
++
++/* Raptor includes */
++#include "raptor2.h"
++#include "raptor_internal.h"
++
++
++int
++main(int argc, const char** argv)
++{
++  const char *program = raptor_basename(argv[0]);
++  const unsigned char* base_uri=      (const unsigned char*)"http:o/www.w3.org/2001/sw/DataA#cess/df1.ttl";
++  const unsigned char* reference_uri= (const unsigned char*)".&/../?D/../../1999/02/22-rdf-syntax-ns#";
++#define BUFFER_LEN 84
++  unsigned char buffer[BUFFER_LEN + 1];
++  size_t buffer_length = BUFFER_LEN + 1;
++  int failures = 0;
++#define EXPECTED_RESULT "http:?D/../../1999/02/22-rdf-syntax-ns#"
++#define EXPECTED_RESULT_LEN 39UL
++  int result;
++  size_t result_len;
++
++  buffer[0] = '\0';
++
++  /* Crash used to happens here if RAPTOR_DEBUG > 3
++   * raptor_rfc2396.c:398:raptor_uri_normalize_path: fatal error: Path length 0 does not match calculated -5.
++   */
++  result = raptor_uri_resolve_uri_reference(base_uri, reference_uri,
++                                            buffer, buffer_length);
++  result_len = strlen((const char*)buffer);
++
++  if(strcmp((const char*)buffer, EXPECTED_RESULT) ||
++     result_len != EXPECTED_RESULT_LEN) {
++    fprintf(stderr, "%s: raptor_uri_resolve_uri_reference() failed with result %d\n", program, result);
++    fprintf(stderr, "%s: Base URI: '%s' (%lu)\n",
++            program, base_uri, strlen((const char*)base_uri));
++    fprintf(stderr, "%s: Ref  URI: '%s' (%lu)\n", reference_uri,
++            program, strlen((const char*)reference_uri));
++    fprintf(stderr, "%s: Result buffer: '%s' (%lu)\n", program,
++            buffer, strlen((const char*)buffer));
++    fprintf(stderr, "%s: Expected: '%s' (%lu)\n", program,
++            EXPECTED_RESULT, EXPECTED_RESULT_LEN);
++    failures++;
++  }
++
++  return failures;
++}
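
Review bot: In the "Ref  URI" fprintf of issue70a.c the arguments reference_uri and program are swapped relative to the format string, so the failure message prints the URI where the program name belongs and the program name where the URI belongs. The strlen() results are printed with %lu; strlen() returns size_t, so %zu or a cast to unsigned long is the portable form. The file uses fprintf and stderr but includes only <string.h> and the raptor headers, so an explicit #include <stdio.h> would avoid depending on a transitive include. The value of result is printed on failure but never checked itself.
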
+--- /dev/null
++++ b/tests/bugs/issue70b.c
+@@ -0,0 +1,61 @@
++/* -*- Mode: c; c-basic-offset: 2 -*-
++ *
++ * issue70.c - Raptor test for GitHub issue 70 second part
++ * Heap read buffer overflow in raptor_ntriples_parse_term_internal()
++ *
++ * N-Triples test content: "_:/exaple/o"
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <raptor_config.h>
++#endif
++
++#include <string.h>
++
++/* Raptor includes */
++#include "raptor2.h"
++#include "raptor_internal.h"
++
++
++int
++main(int argc, const char** argv)
++{
++  const char *program = raptor_basename(argv[0]);
++  const unsigned char* ntriples_content = (const unsigned char*)"_:/exaple/o\n";
++#define NTRIPLES_CONTENT_LEN 12
++  const unsigned char* base_uri_string = (const unsigned char*)"http:o/www.w3.org/2001/sw/DataA#cess/df1.ttl";
++  int failures = 0;
++  raptor_world* world = NULL;
++  raptor_uri* base_uri = NULL;
++  raptor_parser* parser = NULL;
++  int result;
++
++  world = raptor_new_world();
++  if(!world)
++    goto cleanup;
++  base_uri = raptor_new_uri(world, base_uri_string);
++  if(!base_uri)
++    goto cleanup;
++  parser = raptor_new_parser(world, "ntriples");
++  if(!parser)
++    goto cleanup;
++
++  (void)raptor_parser_parse_start(parser, base_uri);
++  result = raptor_parser_parse_chunk(parser,
++                                     ntriples_content,
++                                     NTRIPLES_CONTENT_LEN, /* is_end */ 1);
++
++  if(result) {
++    fprintf(stderr, "%s: parsing '%s' N-Triples content failed with result %d\n", program, ntriples_content, result);
++    fprintf(stderr, "%s: Base URI: '%s' (%lu)\n",
++            program, base_uri_string, strlen((const char*)base_uri_string));
++    failures++;
++  }
++
++  cleanup:
++  raptor_free_parser(parser);
++  raptor_free_uri(base_uri);
++  raptor_free_world(world);
++
++  return failures;
++}
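
Review bot: In issue70b.c the three goto cleanup paths leave failures at 0, so the test reports success when raptor_new_world(), raptor_new_uri() or raptor_new_parser() fails; incrementing failures before each goto would make a setup failure visible. The return value of raptor_parser_parse_start() is discarded with a (void) cast and should be checked the same way. Because the defect is an out-of-bounds read, a zero result from raptor_parser_parse_chunk() does not by itself show the read is gone, so the header comment should say that the test is meant to be run under a memory checker such as valgrind. That comment also names the file issue70.c rather than issue70b.c.
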
diff -Nru raptor2-2.0.15/debian/patches/series raptor2-2.0.15/debian/patches/series
--- raptor2-2.0.15/debian/patches/series	2022-09-29 09:30:38.000000000 +0200
+++ raptor2-2.0.15/debian/patches/series	2025-03-29 20:42:36.000000000 +0100
@@ -2,3 +2,6 @@
 CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch
 configure.ac-Allow-use-of-pkg-config-to-detect-the-libxsl.patch
 configure.ac-libxml2.patch
+Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch
+Fix-Github-issue-70-B-Heap-read-buffer-overflow-in-n.patch
+Tests-for-Github-issue-70.patch
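
Review bot: Tests-for-Github-issue-70.patch is added to the series although it changes configure.ac and the SUBDIRS line of tests/Makefile.am, so it touches the build system of a stable update for tests that, per the request, are not run in bookworm. It is worth confirming that the package build regenerates configure so that tests/bugs/Makefile is produced, or else dropping the build-system parts and shipping only the two test sources.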

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---
