Bug 27605

Summary: raptor2 new out-of-bounds read security issue (CVE-2020-25713)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: geiger.david68210, herman.viaene, jani.valimaa, nicolas.salguero, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: raptor2-2.0.15-11.mga7.src.rpm CVE: CVE-2020-25713
Status comment:
Attachments: test rdf files

Description David Walser 2020-11-14 22:53:11 CET 
A security issue in raptor2 has been announced (see the bottom of the message):
https://www.openwall.com/lists/oss-security/2020/11/13/1

A proposed patch is attached to the upstream bug report:
https://bugs.librdf.org/mantis/view.php?id=650

Mageia 7 is also affected.
Comment 1 David Walser 2020-11-16 18:55:58 CET 
CVE-2020-25713 assigned:
https://www.openwall.com/lists/oss-security/2020/11/16/1

Summary: raptor2 new out-of-bounds read security issue => raptor2 new out-of-bounds read security issue (CVE-2020-25713)

Comment 2 Aurelien Oudelet 2020-11-17 10:43:46 CET 
Hi, thanks for reporting this.
Assigned to the all package maintainers and added recent commiters.

(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, jani.valimaa, ouaurelien

Comment 3 Nicolas Salguero 2020-11-19 09:45:33 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A malformed input file can lead to a segfault due to an out of bounds array access in raptor_xml_writer_start_element_common. (CVE-2020-25713)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25713
https://bugs.librdf.org/mantis/view.php?id=650
https://www.openwall.com/lists/oss-security/2020/11/13/1
https://www.openwall.com/lists/oss-security/2020/11/16/1
========================

Updated packages in core/updates_testing:
========================
raptor2-2.0.15-11.1.mga7
lib(64)raptor2_0-2.0.15-11.1.mga7
lib(64)raptor2-devel-2.0.15-11.1.mga7

from SRPM:
raptor2-2.0.15-11.1.mga7.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 7
Source RPM: raptor2-2.0.15-15.mga8.src.rpm => raptor2-2.0.15-11.mga7.src.rpm
Keywords: Triaged => (none)
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2020-25713
Assignee: pkg-bugs => qa-bugs

Comment 4 Herman Viaene 2020-11-19 17:08:16 CET 
MGA7-64 MATE on Peaq C1011
No installation issues.
Ref bug 21046 for tests. I will upload the tar file I picked up
Choosing one of the files:
$ rapper rss_8_1.rdf 
rapper: Parsing URI file:///home/tester7/Downloads/rss_8_1.rdf with parser rdfxml
rapper: Serializing with serializer ntriples
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://purl.org/rss/1.0/channel> .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/rss/1.0/title> "Meerkat" .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/rss/1.0/link> "http://meerkat.oreillynet.com" .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/rss/1.0/description> "Meerkat: An Open Wire Service" .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/dc/elements/1.1/publisher> "The O'Reilly Network" .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/dc/elements/1.1/creator> "Rael Dornfest (mailto:rael@oreilly.com)" .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/dc/elements/1.1/rights> "Copyright \u00A9 2000 O'Reilly & Associates, Inc." .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/dc/elements/1.1/date> "2000-01-01T12:00+00:00" .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/rss/1.0/modules/syndication/updatePeriod> "hourly" .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/rss/1.0/modules/syndication/updateFrequency> "2" .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/rss/1.0/modules/syndication/updateBase> "2000-01-01T12:00+00:00" .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/rss/1.0/image> <http://meerkat.oreillynet.com/icons/meerkat-powered.jpg> .
_:genid1 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://www.w3.org/1999/02/22-rdf-syntax-ns#Seq> .
_:genid1 <http://www.w3.org/1999/02/22-rdf-syntax-ns#_1> <http://c.moreover.com/click/here.pl?r123> .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/rss/1.0/items> _:genid1 .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/rss/1.0/textinput> <http://meerkat.oreillynet.com> .
<http://meerkat.oreillynet.com/icons/meerkat-powered.jpg> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://purl.org/rss/1.0/image> .
<http://meerkat.oreillynet.com/icons/meerkat-powered.jpg> <http://purl.org/rss/1.0/title> "Meerkat Powered!" .
<http://meerkat.oreillynet.com/icons/meerkat-powered.jpg> <http://purl.org/rss/1.0/url> "http://meerkat.oreillynet.com/icons/meerkat-powered.jpg" .
<http://meerkat.oreillynet.com/icons/meerkat-powered.jpg> <http://purl.org/rss/1.0/link> "http://meerkat.oreillynet.com" .
<http://c.moreover.com/click/here.pl?r123> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://purl.org/rss/1.0/item> .
<http://c.moreover.com/click/here.pl?r123> <http://purl.org/rss/1.0/title> "XML: A Disruptive Technology" .
<http://c.moreover.com/click/here.pl?r123> <http://purl.org/rss/1.0/link> "http://c.moreover.com/click/here.pl?r123" .
<http://c.moreover.com/click/here.pl?r123> <http://purl.org/dc/elements/1.1/description> "\n      XML is placing increasingly heavy loads on the existing technical\n      infrastructure of the Internet.\n    " .
<http://c.moreover.com/click/here.pl?r123> <http://purl.org/dc/elements/1.1/publisher> "The O'Reilly Network" .
<http://c.moreover.com/click/here.pl?r123> <http://purl.org/dc/elements/1.1/creator> "Simon St.Laurent (mailto:simonstl@simonstl.com)" .
<http://c.moreover.com/click/here.pl?r123> <http://purl.org/dc/elements/1.1/rights> "Copyright \u00A9 2000 O'Reilly & Associates, Inc." .
<http://c.moreover.com/click/here.pl?r123> <http://purl.org/dc/elements/1.1/subject> "XML" .
<http://c.moreover.com/click/here.pl?r123> <http://purl.org/rss/1.0/modules/company/name> "XML.com" .
<http://c.moreover.com/click/here.pl?r123> <http://purl.org/rss/1.0/modules/company/market> "NASDAQ" .
<http://c.moreover.com/click/here.pl?r123> <http://purl.org/rss/1.0/modules/company/symbol> "XML" .
<http://meerkat.oreillynet.com> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://purl.org/rss/1.0/textinput> .
<http://meerkat.oreillynet.com> <http://purl.org/rss/1.0/title> "Search Meerkat" .
<http://meerkat.oreillynet.com> <http://purl.org/rss/1.0/description> "Search Meerkat's RSS Database..." .
<http://meerkat.oreillynet.com> <http://purl.org/rss/1.0/name> "s" .
<http://meerkat.oreillynet.com> <http://purl.org/rss/1.0/link> "http://meerkat.oreillynet.com/" .
<http://meerkat.oreillynet.com> <http://purl.org/rss/1.0/modules/textinput/function> "search" .
<http://meerkat.oreillynet.com> <http://purl.org/rss/1.0/modules/textinput/inputType> "regex" .
rapper: Parsing returned 38 triples

Looks sensible

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2020-11-19 17:09:46 CET 
Created attachment 12006 [details]
test rdf files
Herman Viaene 2020-11-19 17:10:03 CET

Whiteboard: (none) => MGA7-64-OK

Comment 6 Aurelien Oudelet 2020-11-19 22:28:08 CET 
Validating. Advisory and packages in Comment 3.
Advisory pushed to SVN.

CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 7 Mageia Robot 2020-11-21 13:22:23 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0431.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED