A security issue in raptor2 has been announced (see the bottom of the message):
https://www.openwall.com/lists/oss-security/2020/11/13/1

A proposed patch is attached to the upstream bug report:
https://bugs.librdf.org/mantis/view.php?id=650

Mageia 7 is also affected.
CVE-2020-25713 assigned: https://www.openwall.com/lists/oss-security/2020/11/16/1
Summary: raptor2 new out-of-bounds read security issue => raptor2 new out-of-bounds read security issue (CVE-2020-25713)
Hi, thanks for reporting this. Assigned to all the package maintainers and added recent committers. (Please set the status to 'assigned' if you are working on it)
Keywords: (none) => Triaged
Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, jani.valimaa, ouaurelien
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A malformed input file can lead to a segfault due to an out of bounds array access in raptor_xml_writer_start_element_common. (CVE-2020-25713)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25713
https://bugs.librdf.org/mantis/view.php?id=650
https://www.openwall.com/lists/oss-security/2020/11/13/1
https://www.openwall.com/lists/oss-security/2020/11/16/1
========================

Updated packages in core/updates_testing:
========================
raptor2-2.0.15-11.1.mga7
lib(64)raptor2_0-2.0.15-11.1.mga7
lib(64)raptor2-devel-2.0.15-11.1.mga7

from SRPM:
raptor2-2.0.15-11.1.mga7.src.rpm
Status: NEW => ASSIGNED
Version: Cauldron => 7
Source RPM: raptor2-2.0.15-15.mga8.src.rpm => raptor2-2.0.15-11.mga7.src.rpm
Keywords: Triaged => (none)
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2020-25713
Assignee: pkg-bugs => qa-bugs
MGA7-64 MATE on Peaq C1011

No installation issues.
Ref bug 21046 for tests. I will upload the tar file I picked up.
Choosing one of the files:

$ rapper rss_8_1.rdf
rapper: Parsing URI file:///home/tester7/Downloads/rss_8_1.rdf with parser rdfxml
rapper: Serializing with serializer ntriples
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://purl.org/rss/1.0/channel> .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/rss/1.0/title> "Meerkat" .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/rss/1.0/link> "http://meerkat.oreillynet.com" .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/rss/1.0/description> "Meerkat: An Open Wire Service" .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/dc/elements/1.1/publisher> "The O'Reilly Network" .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/dc/elements/1.1/creator> "Rael Dornfest (mailto:rael@oreilly.com)" .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/dc/elements/1.1/rights> "Copyright \u00A9 2000 O'Reilly & Associates, Inc." .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/dc/elements/1.1/date> "2000-01-01T12:00+00:00" .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/rss/1.0/modules/syndication/updatePeriod> "hourly" .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/rss/1.0/modules/syndication/updateFrequency> "2" .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/rss/1.0/modules/syndication/updateBase> "2000-01-01T12:00+00:00" .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/rss/1.0/image> <http://meerkat.oreillynet.com/icons/meerkat-powered.jpg> .
_:genid1 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://www.w3.org/1999/02/22-rdf-syntax-ns#Seq> .
_:genid1 <http://www.w3.org/1999/02/22-rdf-syntax-ns#_1> <http://c.moreover.com/click/here.pl?r123> .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/rss/1.0/items> _:genid1 .
<http://meerkat.oreillynet.com/?_fl=rss1.0> <http://purl.org/rss/1.0/textinput> <http://meerkat.oreillynet.com> .
<http://meerkat.oreillynet.com/icons/meerkat-powered.jpg> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://purl.org/rss/1.0/image> .
<http://meerkat.oreillynet.com/icons/meerkat-powered.jpg> <http://purl.org/rss/1.0/title> "Meerkat Powered!" .
<http://meerkat.oreillynet.com/icons/meerkat-powered.jpg> <http://purl.org/rss/1.0/url> "http://meerkat.oreillynet.com/icons/meerkat-powered.jpg" .
<http://meerkat.oreillynet.com/icons/meerkat-powered.jpg> <http://purl.org/rss/1.0/link> "http://meerkat.oreillynet.com" .
<http://c.moreover.com/click/here.pl?r123> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://purl.org/rss/1.0/item> .
<http://c.moreover.com/click/here.pl?r123> <http://purl.org/rss/1.0/title> "XML: A Disruptive Technology" .
<http://c.moreover.com/click/here.pl?r123> <http://purl.org/rss/1.0/link> "http://c.moreover.com/click/here.pl?r123" .
<http://c.moreover.com/click/here.pl?r123> <http://purl.org/dc/elements/1.1/description> "\n XML is placing increasingly heavy loads on the existing technical\n infrastructure of the Internet.\n " .
<http://c.moreover.com/click/here.pl?r123> <http://purl.org/dc/elements/1.1/publisher> "The O'Reilly Network" .
<http://c.moreover.com/click/here.pl?r123> <http://purl.org/dc/elements/1.1/creator> "Simon St.Laurent (mailto:simonstl@simonstl.com)" .
<http://c.moreover.com/click/here.pl?r123> <http://purl.org/dc/elements/1.1/rights> "Copyright \u00A9 2000 O'Reilly & Associates, Inc." .
<http://c.moreover.com/click/here.pl?r123> <http://purl.org/dc/elements/1.1/subject> "XML" .
<http://c.moreover.com/click/here.pl?r123> <http://purl.org/rss/1.0/modules/company/name> "XML.com" .
<http://c.moreover.com/click/here.pl?r123> <http://purl.org/rss/1.0/modules/company/market> "NASDAQ" .
<http://c.moreover.com/click/here.pl?r123> <http://purl.org/rss/1.0/modules/company/symbol> "XML" .
<http://meerkat.oreillynet.com> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://purl.org/rss/1.0/textinput> .
<http://meerkat.oreillynet.com> <http://purl.org/rss/1.0/title> "Search Meerkat" .
<http://meerkat.oreillynet.com> <http://purl.org/rss/1.0/description> "Search Meerkat's RSS Database..." .
<http://meerkat.oreillynet.com> <http://purl.org/rss/1.0/name> "s" .
<http://meerkat.oreillynet.com> <http://purl.org/rss/1.0/link> "http://meerkat.oreillynet.com/" .
<http://meerkat.oreillynet.com> <http://purl.org/rss/1.0/modules/textinput/function> "search" .
<http://meerkat.oreillynet.com> <http://purl.org/rss/1.0/modules/textinput/inputType> "regex" .
rapper: Parsing returned 38 triples

Looks sensible
CC: (none) => herman.viaene
Created attachment 12006 [details] test rdf files
Whiteboard: (none) => MGA7-64-OK
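The QA check above runs rapper over the test RDF files by hand and eyeballs the output. The helper below is an added example, not part of this bug report or of the raptor2 project: it runs rapper over every .rdf file in a directory and tells a clean parse, an ordinary parser error and a crash apart by exit status, since a process killed by a signal exits with 128 plus the signal number (139 for SIGSEGV, the symptom this update fixes). The directory layout and the use of rapper as the parser command are assumptions; the parser command is a parameter so the classification can be exercised without raptor2 installed.

```shell
#!/bin/sh
# Crash-regression check for a command-line parser (added example; assumes
# rapper from raptor2 is on PATH and test inputs sit in one directory).

# Map an exit status to a verdict. A status above 128 means the child was
# killed by signal (status - 128); 139 is SIGSEGV, the segfault from this bug.
classify_exit() {
    status="$1"
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -gt 128 ]; then
        echo "crashed (signal $((status - 128)))"
    else
        echo "parse error (exit $status)"
    fi
}

# Run one file through the parser, discard the triples, print the verdict.
# $1 = parser command (rapper, or a stand-in for self-testing), $2 = input file.
check_file() {
    parser="$1"
    file="$2"
    status=0
    "$parser" "$file" >/dev/null 2>&1 || status=$?
    classify_exit "$status"
}

# Check every .rdf file in a directory; return the number of crashes so the
# script can be used as a pass/fail step (0 means no crash was observed).
check_dir() {
    dir="$1"
    crashes=0
    for f in "$dir"/*.rdf; do
        [ -e "$f" ] || continue
        verdict=$(check_file rapper "$f")
        echo "$f: $verdict"
        case "$verdict" in
            crashed*) crashes=$((crashes + 1)) ;;
        esac
    done
    return "$crashes"
}

# Usage (assumed path, matching the tester's download directory above):
#   check_dir /home/tester7/Downloads
```

A parse error is reported separately from a crash on purpose: a malformed file that rapper rejects cleanly is the expected behaviour after the fix, while any signal exit on the same input is what the update is meant to remove.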
Validating. Advisory and packages in Comment 3. Advisory pushed to SVN.
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0431.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED