[Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16
Arnout Vandecappelle
arnout at mind.be
Sun Jun 25 19:44:39 UTC 2023
On 22/06/2023 07:17, Bernd Kuhls wrote:
> This version included the patches removed by this commit, no new CVEs
> were fixed.
>
> Release notes: https://librdf.org/raptor/RELEASE.html#rel2_0_16
>
> Signed-off-by: Bernd Kuhls <bernd at kuhls.net>
Applied to master, thanks.
Regards,
Arnout
> ---
> v2: Removed patches from .checkpackageignore
>
> .checkpackageignore | 2 -
> ...pace-declarations-correctly-for-XML-.patch | 47 -------------------
> ...are-namespace-declarations-correctly.patch | 33 -------------
> package/raptor/raptor.hash | 4 +-
> package/raptor/raptor.mk | 8 +---
> 5 files changed, 3 insertions(+), 91 deletions(-)
> delete mode 100644 package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> delete mode 100644 package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
>
> diff --git a/.checkpackageignore b/.checkpackageignore
> index 36ab2845d7..07408893ce 100644
> --- a/.checkpackageignore
> +++ b/.checkpackageignore
> @@ -1341,8 +1341,6 @@ package/quotatool/0001-fix-missing-__P-definition-for-musl-compile.patch Upstrea
> package/racehound/0001-Fix-module-install-path-lib-instead-of-usr-lib-prefi.patch Upstream
> package/ranger/0001-colorscheme-check-for-compiled-python-files.patch Upstream
> package/rapidxml/0001-ensure-internal-print-operations-are-declared-before.patch Upstream
> -package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch Upstream
> -package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch Upstream
> package/raspberrypi-usbboot/0001-Makefile-allow-passing-CFLAGS-LDFLAGS.patch Upstream
> package/rdesktop/0001-8bit-colors.patch Sob Upstream
> package/read-edid/0001-Fix-install-file-list.patch Upstream
> diff --git a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch b/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> deleted file mode 100644
> index 406e265cf3..0000000000
> --- a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> +++ /dev/null
> @@ -1,47 +0,0 @@
> -From 590681e546cd9aa18d57dc2ea1858cb734a3863f Mon Sep 17 00:00:00 2001
> -From: Dave Beckett <dave at dajobe.org>
> -Date: Sun, 16 Apr 2017 23:15:12 +0100
> -Subject: [PATCH] Calcualte max nspace declarations correctly for XML writer
> -
> -(raptor_xml_writer_start_element_common): Calculate max including for
> -each attribute a potential name and value.
> -
> -Fixes Issues #0000617 http://bugs.librdf.org/mantis/view.php?id=617
> -and #0000618 http://bugs.librdf.org/mantis/view.php?id=618
> -
> -[Peter: fixes CVE-2017-18926, upstream:
> - https://github.com/dajobe/raptor/commit/590681e546cd9aa18d57dc2ea1858cb734a3863f]
> -Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
> ----
> - src/raptor_xml_writer.c | 7 ++++---
> - 1 file changed, 4 insertions(+), 3 deletions(-)
> -
> -diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
> -index 693b9468..0d3a36a5 100644
> ---- a/src/raptor_xml_writer.c
> -+++ b/src/raptor_xml_writer.c
> -@@ -181,9 +181,10 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> - size_t nspace_declarations_count = 0;
> - unsigned int i;
> -
> -- /* max is 1 per element and 1 for each attribute + size of declared */
> - if(nstack) {
> -- int nspace_max_count = element->attribute_count+1;
> -+ int nspace_max_count = element->attribute_count * 2; /* attr and value */
> -+ if(element->name->nspace)
> -+ nspace_max_count++;
> - if(element->declared_nspaces)
> - nspace_max_count += raptor_sequence_size(element->declared_nspaces);
> - if(element->xml_language)
> -@@ -237,7 +238,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> - }
> - }
> -
> -- /* Add the attribute + value */
> -+ /* Add the attribute's value */
> - nspace_declarations[nspace_declarations_count].declaration=
> - raptor_qname_format_as_xml(element->attributes[i],
> - &nspace_declarations[nspace_declarations_count].length);
> ---
> -2.20.1
> -
> diff --git a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch b/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
> deleted file mode 100644
> index a48a583cb1..0000000000
> --- a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
> +++ /dev/null
> @@ -1,33 +0,0 @@
> -From 4f5dbbffcc1c6cf0398bd03450453289a0979dea Mon Sep 17 00:00:00 2001
> -From: Dave Beckett <dave at dajobe.org>
> -Date: Sat, 18 Sep 2021 17:40:00 -0700
> -Subject: [PATCH] XML Writer : compare namespace declarations correctly
> -
> -Apply patch from
> -0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1
> -that fixes Issue#0000650 https://bugs.librdf.org/mantis/view.php?id=650
> -which overwrote heap during XML writing in parse type literal
> -content. This was detected with clang asan.
> -
> -Thanks to Michael Stahl / mst2 for the fix.
> -
> -[Retrieved from:
> -https://github.com/dajobe/raptor/commit/4f5dbbffcc1c6cf0398bd03450453289a0979dea]
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> ----
> - src/raptor_xml_writer.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
> -index 56993dc3..4426d38c 100644
> ---- a/src/raptor_xml_writer.c
> -+++ b/src/raptor_xml_writer.c
> -@@ -227,7 +227,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> -
> - /* check it wasn't an earlier declaration too */
> - for(j = 0; j < nspace_declarations_count; j++)
> -- if(nspace_declarations[j].nspace == element->attributes[j]->nspace) {
> -+ if(nspace_declarations[j].nspace == element->attributes[i]->nspace) {
> - declare_me = 0;
> - break;
> - }
> diff --git a/package/raptor/raptor.hash b/package/raptor/raptor.hash
> index 2a54bf270d..05e9c53902 100644
> --- a/package/raptor/raptor.hash
> +++ b/package/raptor/raptor.hash
> @@ -1,3 +1,3 @@
> # Locally calculated
> -sha256 ada7f0ba54787b33485d090d3d2680533520cd4426d2f7fb4782dd4a6a1480ed raptor2-2.0.15.tar.gz
> -sha256 6b926a47abfb87451c436fbd4a868defec963d0232c70b806ac02d4a2a6e1968 LICENSE.txt
> +sha256 089db78d7ac982354bdbf39d973baf09581e6904ac4c92a98c5caadb3de44680 raptor2-2.0.16.tar.gz
> +sha256 0f0c719a05c9f7a0be2051ab83c1470837f595ed23e34989f46fd8eb45cfc251 LICENSE.txt
> diff --git a/package/raptor/raptor.mk b/package/raptor/raptor.mk
> index 69ac121300..ec7643ce3d 100644
> --- a/package/raptor/raptor.mk
> +++ b/package/raptor/raptor.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -RAPTOR_VERSION = 2.0.15
> +RAPTOR_VERSION = 2.0.16
> RAPTOR_SOURCE = raptor2-$(RAPTOR_VERSION).tar.gz
> RAPTOR_SITE = http://download.librdf.org/source
> RAPTOR_DEPENDENCIES = libxml2 libxslt
> @@ -17,12 +17,6 @@ RAPTOR_INSTALL_STAGING = YES
> # Flag is added to make sure the patch is applied for the configure.ac of raptor.
> RAPTOR_AUTORECONF = YES
>
> -# 0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> -RAPTOR_IGNORE_CVES += CVE-2017-18926
> -
> -# 0003-XML-Writer-compare-namespace-declarations-correctly.patch
> -RAPTOR_IGNORE_CVES += CVE-2020-25713
> -
> RAPTOR_CONF_OPTS =\
> --with-xml2-config=$(STAGING_DIR)/usr/bin/xml2-config \
> --with-xslt-config=$(STAGING_DIR)/usr/bin/xslt-config
More information about the buildroot
mailing list