Monday, November 09, 2020

Re: [Security Update] textproc/raptor

On 2020/11/10 01:46, wen heping wrote:
> Hi, ports@:
>
> Here is a patch for textproc/raptor from upstream to fix CVE-2017-18926.
> It builds well and passes all tests on an amd64-6.8 system.
>
> Cheers !
> wen

I have added upstream commit information from the header from the upstream
commit and committed this. To get this information, add .patch to the GitHub URL,
i.e. https://github.com/dajobe/raptor/commit/590681e546cd9aa18d57dc2ea1858cb734a3863f.patch


> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/textproc/raptor/Makefile,v
> retrieving revision 1.18
> diff -u -p -r1.18 Makefile
> --- Makefile 9 Jun 2020 07:14:45 -0000 1.18
> +++ Makefile 10 Nov 2020 01:41:31 -0000
> @@ -5,7 +5,7 @@ COMMENT= RDF Parser Toolkit for Redland
> DISTNAME= raptor2-2.0.15
> PKGNAME= ${DISTNAME:C/raptor2/raptor/}
> CATEGORIES= textproc
> -REVISION= 3
> +REVISION= 4
>
> SHARED_LIBS += raptor2 0.0 # 0.0
>
> Index: patches/patch-src_raptor_xml_writer_c
> ===================================================================
> RCS file: patches/patch-src_raptor_xml_writer_c
> diff -N patches/patch-src_raptor_xml_writer_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_raptor_xml_writer_c 10 Nov 2020 01:41:31 -0000
> @@ -0,0 +1,29 @@
> +$OpenBSD$
> +
> +Upstream fix CVE-2017-18926.
> +
> +Index: src/raptor_xml_writer.c
> +--- src/raptor_xml_writer.c.orig
> ++++ src/raptor_xml_writer.c
> +@@ -181,9 +181,10 @@ raptor_xml_writer_start_element_common(raptor_xml_writ
> + size_t nspace_declarations_count = 0;
> + unsigned int i;
> +
> +- /* max is 1 per element and 1 for each attribute + size of declared */
> + if(nstack) {
> +- int nspace_max_count = element->attribute_count+1;
> ++ int nspace_max_count = element->attribute_count * 2; /* attr and value */
> ++ if(element->name->nspace)
> ++ nspace_max_count++;
> + if(element->declared_nspaces)
> + nspace_max_count += raptor_sequence_size(element->declared_nspaces);
> + if(element->xml_language)
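Review bot: at `int nspace_max_count = element->attribute_count * 2;` the bound stays a signed int while the counter declared at the top of this context, nspace_declarations_count, is size_t; declaring nspace_max_count as size_t would keep the doubled count and the index it is meant to bound in the same type. The hunk also deletes the comment that explained how the maximum is derived and leaves only the inline "attr and value" remark, so a replacement comment listing the terms (two per attribute, one when element->name->nspace is set, the declared namespaces, the xml_language case) would let a reader check the arithmetic.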
> +@@ -237,7 +238,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writ
> + }
> + }
> +
> +- /* Add the attribute + value */
> ++ /* Add the attribute's value */
> + nspace_declarations[nspace_declarations_count].declaration=
> + raptor_qname_format_as_xml(element->attributes[i],
> + &nspace_declarations[nspace_declarations_count].length);
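Review bot: the store to `nspace_declarations[nspace_declarations_count].declaration` shows no check of nspace_declarations_count against nspace_max_count in the visible context, and the only change in this hunk is the comment wording. If nspace_max_count is what sizes this array, the fix depends entirely on the earlier count being right, so an explicit guard or assertion before the store would keep a later miscount from turning back into an out-of-bounds write.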
