Re: Buffer Overflow in raptor widely unfixed in Linux distros

Related Vulnerabilities: CVE-2020-25713  
oss-sec mailing list archives

From: Salvatore Bonaccorso <carnil () debian org>

Date: Mon, 16 Nov 2020 12:43:18 +0100

Hi,

On Fri, Nov 13, 2020 at 01:33:31PM +0100, Hanno Böck wrote:
[...]
> FWIW I recently tried to fuzz raptor again with the fix applied. I
> quickly found another OOB issue
> https://bugs.librdf.org/mantis/view.php?id=650
> 
> From the bug report:
> 
> A malformed input file can lead to a segfault due to an out of bounds
> array access in raptor_xml_writer_start_element_common.
> 
> Bug happens in line 230 of raptor_xml_writer.c (current git):
> https://github.com/dajobe/raptor/blob/master/src/raptor_xml_writer.c#L230
> 
> From looking at that code it seems to me it always expects
> nspace_declarations_count to be lower than element->attribute_count,
> however this input seems to create a different situation. I made an
> attempt at a patch that throws an error in this situation (but please
> review it, I am not familiar with what this code does and should do -
> though the patch doesn't seem to introduce test failures).
> 
> (proposed patch, example file and stacktrace can be found attached to
> the bug report)

CVE-2020-25713 was assigned for this issue.

Regards,
Salvatore
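The broken assumption quoted above (that nspace_declarations_count stays below element->attribute_count), modelled as an added C example: this is a constructed model, not raptor's code, and all type and function names are hypothetical. An element in its own namespace whose attributes each use a further namespace needs attribute_count + 1 declarations, so an array sized attribute_count overflows; the capacity check is what turns that write into a recoverable error.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the invariant in the report: the writer sizes its
 * namespace-declaration array from attribute_count and fills it by index
 * nspace_declarations_count. Names are hypothetical, not raptor's. */
typedef struct { const char *prefix; } model_attr;   /* prefix NULL = unqualified */
typedef struct {
  const char *nspace;                                 /* element's own prefix or NULL */
  const model_attr *attributes;
  size_t attribute_count;
} model_element;

/* Collects the distinct namespace prefixes this element must declare.
 * Returns the count, or -1 when an array of `capacity` entries would
 * overflow (the check the unpatched code path was missing). */
int collect_nspace_declarations(const model_element *el,
                                const char **decls, size_t capacity)
{
  size_t count = 0;
  for(size_t i = 0; i <= el->attribute_count; i++) {
    /* i == 0 is the element's own namespace, i >= 1 its attributes */
    const char *p = (i == 0) ? el->nspace : el->attributes[i - 1].prefix;
    int seen = 0;
    if(!p) continue;
    for(size_t j = 0; j < count; j++)
      if(strcmp(decls[j], p) == 0) { seen = 1; break; }
    if(seen) continue;
    if(count >= capacity)
      return -1;          /* unchecked, this would write decls[capacity] */
    decls[count++] = p;
  }
  return (int)count;
}

/* Element in namespace "a" with attributes in "b" and "c": three
 * declarations, but an array sized attribute_count (2) cannot hold them. */
int model_overflow_case(void)
{
  const model_attr attrs[] = { { "b" }, { "c" } };
  const model_element el = { "a", attrs, 2 };
  const char *decls[2];
  return collect_nspace_declarations(&el, decls, el.attribute_count);  /* -1 */
}

/* One attribute reuses the element's prefix: two declarations fit. */
int model_ok_case(void)
{
  const model_attr attrs[] = { { "a" }, { "b" } };
  const model_element el = { "a", attrs, 2 };
  const char *decls[2];
  return collect_nspace_declarations(&el, decls, el.attribute_count);  /* 2 */
}
```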
