From 21ef3d1a22872ac86027d6049bb7358c1e98ca0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E6=A2=81=E9=B9=8F=E5=A0=83?=
Date: Thu, 17 Apr 2025 13:35:06 +0000
Subject: [PATCH] fix CVE-2024-57823
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 张梁鹏堃
---
 backport-0001-CVE-2024-57823.patch | 36 +++++
 backport-0002-CVE-2024-57823.patch | 211 +++++++++++++++++++++++++++++
 raptor2.spec | 7 +-
 3 files changed, 253 insertions(+), 1 deletion(-)
 create mode 100644 backport-0001-CVE-2024-57823.patch
 create mode 100644 backport-0002-CVE-2024-57823.patch
diff --git a/backport-0001-CVE-2024-57823.patch b/backport-0001-CVE-2024-57823.patch
new file mode 100644
index 0000000..710dfca
--- /dev/null
+++ b/backport-0001-CVE-2024-57823.patch
@@ -0,0 +1,36 @@
+From da7a79976bd0314c23cce55d22495e7d29301c44 Mon Sep 17 00:00:00 2001
+From: Dave Beckett
+Date: Thu, 6 Feb 2025 21:12:37 -0800
+Subject: [PATCH] Fix Github issue 70 A) Integer Underflow in
+ raptor_uri_normalize_path()
+
+(raptor_uri_normalize_path): Return empty buffer if path gets to 0
+length
+---
+ src/raptor_rfc2396.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/raptor_rfc2396.c b/src/raptor_rfc2396.c
+index 8cc364f4..f8ec5798 100644
+--- a/src/raptor_rfc2396.c
++++ b/src/raptor_rfc2396.c
+@@ -351,6 +351,10 @@ raptor_uri_normalize_path(unsigned char* path_buffer, size_t path_len)
+ *dest++ = *s++;
+ *dest = '\0';
+ path_len -= len;
++ if(path_len <= 0) {
++ *path_buffer = '\0';
++ return 0;
++ }
+
+ if(p && p < prev) {
+ /* We know the previous prev path component and we didn't do
+@@ -390,6 +394,10 @@ raptor_uri_normalize_path(unsigned char* path_buffer, size_t path_len)
+ /* Remove /.. at the end of the path */
+ *prev = '\0';
+ path_len -= (s-prev);
++ if(path_len <= 0) {
++ *path_buffer = '\0';
++ return 0;
++ }
+ }
\ No newline at end of file
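Review bot: The added guard `if(path_len <= 0)` in both hunks of src/raptor_rfc2396.c compares a `size_t` (see the `raptor_uri_normalize_path(unsigned char* path_buffer, size_t path_len)` signature in the hunk header), so it is true only when the subtraction lands exactly on zero; if `len` or `(s-prev)` can ever exceed `path_len`, the value wraps to a very large number and the guard is skipped. Testing before subtracting closes that gap, e.g. `if(len >= path_len) { *path_buffer = '\0'; return 0; }` followed by `path_len -= len;`, and the same shape with `(size_t)(s-prev)` in the second hunk. Whether such an overshoot is reachable cannot be judged from here, since the function body starts and ends outside both hunks. Separately, the second inner hunk is declared as `-390,6 +394,10` but carries only four context lines before the file ends without a newline, so it is worth confirming the patch applies cleanly with the tool the spec uses.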
diff --git a/backport-0002-CVE-2024-57823.patch b/backport-0002-CVE-2024-57823.patch
new file mode 100644
index 0000000..6f18ad0
--- /dev/null
+++ b/backport-0002-CVE-2024-57823.patch
@@ -0,0 +1,211 @@
+From 0f9d4f7216fa310b1583b44321c2e6ff27c552de Mon Sep 17 00:00:00 2001
+From: Dave Beckett
+Date: Thu, 6 Feb 2025 21:10:38 -0800
+Subject: [PATCH] Tests for Github issue 70
+
+Tests for https://github.com/dajobe/raptor/issues/70
+A) Integer Underflow in raptor_uri_normalize_path()
+B) Heap read buffer overflow in raptor_ntriples_parse_term_internal()
+---
+ configure.ac | 1 +
+ tests/Makefile.am | 2 +-
+ tests/bugs/.gitignore | 7 +++++
+ tests/bugs/Makefile.am | 13 +++++++++
+ tests/bugs/issue70a.c | 58 +++++++++++++++++++++++++++++++++++++++
+ tests/bugs/issue70b.c | 61 ++++++++++++++++++++++++++++++++++++++++++
+ 6 files changed, 141 insertions(+), 1 deletion(-)
+ create mode 100644 tests/bugs/.gitignore
+ create mode 100644 tests/bugs/Makefile.am
+ create mode 100644 tests/bugs/issue70a.c
+ create mode 100644 tests/bugs/issue70b.c
+
+diff --git a/configure.ac b/configure.ac
+index 10ff870..3dd19aa 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1335,6 +1335,7 @@ tests/rdfxml/Makefile
+ tests/turtle/Makefile
+ tests/turtle-2013/Makefile
+ tests/trig/Makefile
++tests/bugs/Makefile
+ utils/Makefile
+ librdfa/Makefile
+ raptor2.pc])
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 70d0dc5..0b17962 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -37,7 +37,7 @@ raptor_empty_test_SOURCES=empty.c
+ # Used to make N-triples output consistent
+ BASE_URI=http://librdf.org/raptor/tests/
+
+-SUBDIRS = rdfxml ntriples ntriples-2013 nquads-2013 turtle turtle-2013 trig grddl rdfa rdfa11 json feeds
++SUBDIRS = rdfxml ntriples ntriples-2013 nquads-2013 turtle turtle-2013 trig grddl rdfa rdfa11 json feeds bugs
+
+
+ $(top_builddir)/src/libraptor2.la:
+diff --git a/tests/bugs/.gitignore b/tests/bugs/.gitignore
+new file mode 100644
+index 0000000..bd10e21
+--- /dev/null
++++ b/tests/bugs/.gitignore
+@@ -0,0 +1,7 @@
++*.o
++.deps
++.libs
++TAGS
++raptor_issue*_test
++raptor_issue*_test.exe
++raptor_issue*_test.trs
+diff --git a/tests/bugs/Makefile.am b/tests/bugs/Makefile.am
+new file mode 100644
+index 0000000..090c99f
+--- /dev/null
++++ b/tests/bugs/Makefile.am
+@@ -0,0 +1,13 @@
++TESTS=raptor_issue70a_test$(EXEEXT) raptor_issue70b_test$(EXEEXT)
++
++AM_CPPFLAGS=-I$(top_srcdir)/src
++AM_CFLAGS= -I$(top_builddir)/src @CFLAGS@ $(MEM)
++AM_LDFLAGS=$(top_builddir)/src/libraptor2.la $(MEM_LIBS)
++
++EXTRA_PROGRAMS=$(TESTS)
++
++CLEANFILES=$(TESTS)
++
++raptor_issue70a_test_SOURCES=issue70a.c
++raptor_issue70b_test_SOURCES=issue70b.c
++
+diff --git a/tests/bugs/issue70a.c b/tests/bugs/issue70a.c
+new file mode 100644
+index 0000000..f5798ef
+--- /dev/null
++++ b/tests/bugs/issue70a.c
+@@ -0,0 +1,58 @@
++/* -*- Mode: c; c-basic-offset: 2 -*-
++ *
++ * issue70a.c - Raptor test for GitHub issue 70 first part
++ * Integer Underflow in raptor_uri_normalize_path()
++ *
++ */
++
++#ifdef HAVE_CONFIG_H
++#include
++#endif
++
++#include
++
++/* Raptor includes */
++#include "raptor2.h"
++#include "raptor_internal.h"
++
++
++int
++main(int argc, const char** argv)
++{
++ const char *program = raptor_basename(argv[0]);
++ const unsigned char* base_uri= (const unsigned char*)"http:o/www.w3.org/2001/sw/DataA#cess/df1.ttl";
++ const unsigned char* reference_uri= (const unsigned char*)".&/../?D/../../1999/02/22-rdf-syntax-ns#";
++#define BUFFER_LEN 84
++ unsigned char buffer[BUFFER_LEN + 1];
++ size_t buffer_length = BUFFER_LEN + 1;
++ int failures = 0;
++#define EXPECTED_RESULT "http:?D/../../1999/02/22-rdf-syntax-ns#"
++#define EXPECTED_RESULT_LEN 39UL
++ int result;
++ size_t result_len;
++
++ buffer[0] = '\0';
++
++ /* Crash used to happens here if RAPTOR_DEBUG > 3
++ * raptor_rfc2396.c:398:raptor_uri_normalize_path: fatal error: Path length 0 does not match calculated -5.
++ */
++ result = raptor_uri_resolve_uri_reference(base_uri, reference_uri,
++ buffer, buffer_length);
++ result_len = strlen((const char*)buffer);
++
++ if(strcmp((const char*)buffer, EXPECTED_RESULT) ||
++ result_len != EXPECTED_RESULT_LEN) {
++ fprintf(stderr, "%s: raptor_uri_resolve_uri_reference() failed with result %d\n", program, result);
++ fprintf(stderr, "%s: Base URI: '%s' (%lu)\n",
++ program, base_uri, strlen((const char*)base_uri));
++ fprintf(stderr, "%s: Ref URI: '%s' (%lu)\n", reference_uri,
++ program, strlen((const char*)reference_uri));
++ fprintf(stderr, "%s: Result buffer: '%s' (%lu)\n", program,
++ buffer, strlen((const char*)buffer));
++ fprintf(stderr, "%s: Expected: '%s' (%lu)\n", program,
++ EXPECTED_RESULT, EXPECTED_RESULT_LEN);
++ failures++;
++ }
++
++ return failures;
++}
+diff --git a/tests/bugs/issue70b.c b/tests/bugs/issue70b.c
+new file mode 100644
+index 0000000..2f1eb3d
+--- /dev/null
++++ b/tests/bugs/issue70b.c
+@@ -0,0 +1,61 @@
++/* -*- Mode: c; c-basic-offset: 2 -*-
++ *
++ * issue70.c - Raptor test for GitHub issue 70 second part
++ * Heap read buffer overflow in raptor_ntriples_parse_term_internal()
++ *
++ * N-Triples test content: "_:/exaple/o"
++ */
++
++#ifdef HAVE_CONFIG_H
++#include
++#endif
++
++#include
++
++/* Raptor includes */
++#include "raptor2.h"
++#include "raptor_internal.h"
++
++
++int
++main(int argc, const char** argv)
++{
++ const char *program = raptor_basename(argv[0]);
++ const unsigned char* ntriples_content = (const unsigned char*)"_:/exaple/o\n";
++#define NTRIPLES_CONTENT_LEN 12
++ const unsigned char* base_uri_string = (const unsigned char*)"http:o/www.w3.org/2001/sw/DataA#cess/df1.ttl";
++ int failures = 0;
++ raptor_world* world = NULL;
++ raptor_uri* base_uri = NULL;
++ raptor_parser* parser = NULL;
++ int result;
++
++ world = raptor_new_world();
++ if(!world)
++ goto cleanup;
++ base_uri = raptor_new_uri(world, base_uri_string);
++ if(!base_uri)
++ goto cleanup;
++ parser = 
raptor_new_parser(world, "ntriples"); ++ if(!parser) ++ goto cleanup; ++ ++ (void)raptor_parser_parse_start(parser, base_uri); ++ result = raptor_parser_parse_chunk(parser, ++ ntriples_content, ++ NTRIPLES_CONTENT_LEN, /* is_end */ 1); ++ ++ if(result) { ++ fprintf(stderr, "%s: parsing '%s' N-Triples content failed with result %d\n", program, ntriples_content, result); ++ fprintf(stderr, "%s: Base URI: '%s' (%lu)\n", ++ program, base_uri_string, strlen((const char*)base_uri_string)); ++ failures++; ++ } ++ ++ cleanup: ++ raptor_free_parser(parser); ++ raptor_free_uri(base_uri); ++ raptor_free_world(world); ++ ++ return failures; ++} +-- +2.33.0 \ No newline at end of file diff --git a/raptor2.spec b/raptor2.spec index ae85858..0165c93 100644 --- a/raptor2.spec +++ b/raptor2.spec @@ -1,6 +1,6 @@ Name: raptor2 Version: 2.0.15 -Release: 19 +Release: 20 Summary: Raptor RDF parsing and serializing utility License: GPLv2+ or LGPLv2+ or ASL 2.0 URL: http://librdf.org/raptor/ @@ -9,6 +9,8 @@ Source: http://download.librdf.org/source/raptor2-%{version}.tar.gz Patch0: CVE-2020-25713.patch #upstream https://github.com/dajobe/raptor/commit/4dbc4c1da2a033c497d84a1291c46f416a9cac51 Patch1: Remove-the-access-to-entities-checked-private-symbol-for-libxml2-2.11.0.patch +Patch6000: backport-0001-CVE-2024-57823.patch +Patch6001: backport-0002-CVE-2024-57823.patch BuildRequires: gcc-c++ curl-devel gtk-doc libicu-devel pkgconfig(libxslt) yajl-devel Conflicts: raptor < 1.4.21-10 @@ -72,6 +74,9 @@ make check %{_mandir}/man3/libraptor2* %changelog +* Thu Apr 17 2025 zhangliangpengkun - 2.0.15-20 +- fix CVE-2024-57823 + * Thu Aug 10 2023 xu_ping <707078654@qq.com> - 2.0.15-19 - fix build error due to libxml2 upgrade -- Gitee
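Review bot: tests/bugs/issue70b.c exercises the heap read overflow in raptor_ntriples_parse_term_internal(), but the only source change carried by the two backports is in src/raptor_rfc2396.c, so part B of issue 70 appears to be tested here without its fix being applied. The test also checks only the return value of raptor_parser_parse_chunk(), so an out-of-bounds read would presumably go unnoticed unless `make check` runs under a memory checker (the `$(MEM)` / `$(MEM_LIBS)` hooks in tests/bugs/Makefile.am suggest that is the intent). Either backport the parser fix alongside, or note in the spec changelog that it is tracked separately. In issue70a.c the failure path passes its arguments in the wrong order; `fprintf(stderr, "%s: Ref URI: '%s' (%lu)\n", program, reference_uri, strlen((const char*)reference_uri));` matches the other messages. Because these tests are wired in through configure.ac and Makefile.am, they only run if the build regenerates the autotools files, which is not visible in the spec hunks.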