oss-sec mailing list archives
Re: Buffer Overflow in raptor widely unfixed in Linux distros
From: Salvatore Bonaccorso <carnil () debian org>
Date: Mon, 16 Nov 2020 12:43:18 +0100
Hi,
On Fri, Nov 13, 2020 at 01:33:31PM +0100, Hanno Böck wrote:
> [...]
> FWIW I recently tried to fuzz raptor again with the fix applied. I
> quickly found another OOB issue
> https://bugs.librdf.org/mantis/view.php?id=650
>
> From the bug report:
>
> A malformed input file can lead to a segfault due to an out of bounds
> array access in raptor_xml_writer_start_element_common.
>
> Bug happens in line 230 of raptor_xml_writer.c (current git):
> https://github.com/dajobe/raptor/blob/master/src/raptor_xml_writer.c#L230
>
> From looking at that code it seems to me it always expects
> nspace_declarations_count to be lower than element->attribute_count,
> however this input seems to create a different situation. I made an
> attempt at a patch that throws an error in this situation (but please
> review it, I am not familiar with what this code does and should do -
> though the patch doesn't seem to introduce test failures).
>
> (proposed patch, example file and stack trace can be found attached to
> the bug report)
CVE-2020-25713 was assigned for this issue.
Regards,
Salvatore
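The quoted report describes an invariant (nspace_declarations_count is expected to stay below element->attribute_count) that a malformed input can break, and a proposed patch that errors out instead of indexing past the array. The following is an added, constructed C model of that situation and of the guard; it is not raptor's code and not the patch attached to the bug report. The names element_t, add_namespace_declaration and simulate_start_element, the array layout, and the sample prefix/URI strings are all assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed, simplified model (NOT raptor's code): an element carries
 * attribute_count slots, and the namespace declarations collected while
 * starting the element are stored in an array sized from that count. The
 * mail reports that a malformed input can yield more declarations than
 * slots, so an unchecked store would run past the end of the array. */
typedef struct {
    const char *prefix;
    const char *uri;
} ns_decl;

typedef struct {
    size_t attribute_count;            /* capacity of the declarations array */
    ns_decl *declarations;             /* attribute_count entries */
    size_t nspace_declarations_count;  /* entries used so far */
} element_t;

/* Guarded store: returns -1 and stores nothing when the array is full or
 * absent, instead of writing out of bounds; returns 0 on success. */
int add_namespace_declaration(element_t *el, const char *prefix, const char *uri)
{
    if (el->declarations == NULL ||
        el->nspace_declarations_count >= el->attribute_count)
        return -1;
    ns_decl *slot = &el->declarations[el->nspace_declarations_count];
    slot->prefix = prefix;
    slot->uri = uri;
    el->nspace_declarations_count++;
    return 0;
}

/* Drives the model with a constructed element of attribute_count slots and
 * declarations_in_input declarations (a malformed input is modelled as
 * declarations_in_input > attribute_count). Returns how many declarations
 * the guard rejected, or -1 on allocation failure. */
long simulate_start_element(size_t attribute_count, size_t declarations_in_input)
{
    element_t el;
    el.attribute_count = attribute_count;
    el.nspace_declarations_count = 0;
    /* calloc(1, ...) for a zero-slot element keeps the pointer non-NULL so the
     * count check, not the NULL check, is what rejects every declaration. */
    el.declarations = calloc(attribute_count ? attribute_count : 1, sizeof(ns_decl));
    if (el.declarations == NULL)
        return -1;

    long rejected = 0;
    for (size_t i = 0; i < declarations_in_input; i++) {
        /* constant sample strings stand in for parsed prefix/URI values */
        if (add_namespace_declaration(&el, "ns", "http://example.invalid/ns") != 0)
            rejected++;
    }
    free(el.declarations);
    return rejected;
}

int main(void)
{
    printf("2 slots, 2 declarations: %ld rejected\n", simulate_start_element(2, 2));
    printf("1 slot, 3 declarations:  %ld rejected\n", simulate_start_element(1, 3));
    return 0;
}
```

The point of the guard is that the count check happens before the index is used, so a well-formed input (declarations never exceed slots) is unaffected while an over-long input produces an error return rather than a write past the array. Without such a check the same loop is the kind of out-of-bounds access that a fuzzer surfaces as a segfault, or as a heap-buffer-overflow report when the build uses AddressSanitizer.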