[Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16

Arnout Vandecappelle arnout at mind.be
Sun Jun 25 19:44:39 UTC 2023 


On 22/06/2023 07:17, Bernd Kuhls wrote:
> This version included the patches removed by this commit, no new CVEs
> were fixed.
> 
> Release notes: https://librdf.org/raptor/RELEASE.html#rel2_0_16
> 
> Signed-off-by: Bernd Kuhls <bernd at kuhls.net>

  Applied to master, thanks.

  Regards,
  Arnout

> ---
> v2: Removed patches from .checkpackageignore
> 
>   .checkpackageignore                           |  2 -
>   ...pace-declarations-correctly-for-XML-.patch | 47 -------------------
>   ...are-namespace-declarations-correctly.patch | 33 -------------
>   package/raptor/raptor.hash                    |  4 +-
>   package/raptor/raptor.mk                      |  8 +---
>   5 files changed, 3 insertions(+), 91 deletions(-)
>   delete mode 100644 package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
>   delete mode 100644 package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
> 
> diff --git a/.checkpackageignore b/.checkpackageignore
> index 36ab2845d7..07408893ce 100644
> --- a/.checkpackageignore
> +++ b/.checkpackageignore
> @@ -1341,8 +1341,6 @@ package/quotatool/0001-fix-missing-__P-definition-for-musl-compile.patch Upstrea
>   package/racehound/0001-Fix-module-install-path-lib-instead-of-usr-lib-prefi.patch Upstream
>   package/ranger/0001-colorscheme-check-for-compiled-python-files.patch Upstream
>   package/rapidxml/0001-ensure-internal-print-operations-are-declared-before.patch Upstream
> -package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch Upstream
> -package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch Upstream
>   package/raspberrypi-usbboot/0001-Makefile-allow-passing-CFLAGS-LDFLAGS.patch Upstream
>   package/rdesktop/0001-8bit-colors.patch Sob Upstream
>   package/read-edid/0001-Fix-install-file-list.patch Upstream
> diff --git a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch b/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> deleted file mode 100644
> index 406e265cf3..0000000000
> --- a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> +++ /dev/null
> @@ -1,47 +0,0 @@
> -From 590681e546cd9aa18d57dc2ea1858cb734a3863f Mon Sep 17 00:00:00 2001
> -From: Dave Beckett <dave at dajobe.org>
> -Date: Sun, 16 Apr 2017 23:15:12 +0100
> -Subject: [PATCH] Calcualte max nspace declarations correctly for XML writer
> -
> -(raptor_xml_writer_start_element_common): Calculate max including for
> -each attribute a potential name and value.
> -
> -Fixes Issues #0000617 http://bugs.librdf.org/mantis/view.php?id=617
> -and #0000618 http://bugs.librdf.org/mantis/view.php?id=618
> -
> -[Peter: fixes CVE-2017-18926, upstream:
> - https://github.com/dajobe/raptor/commit/590681e546cd9aa18d57dc2ea1858cb734a3863f]
> -Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
> ----
> - src/raptor_xml_writer.c | 7 ++++---
> - 1 file changed, 4 insertions(+), 3 deletions(-)
> -
> -diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
> -index 693b9468..0d3a36a5 100644
> ---- a/src/raptor_xml_writer.c
> -+++ b/src/raptor_xml_writer.c
> -@@ -181,9 +181,10 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> -   size_t nspace_declarations_count = 0;
> -   unsigned int i;
> -
> --  /* max is 1 per element and 1 for each attribute + size of declared */
> -   if(nstack) {
> --    int nspace_max_count = element->attribute_count+1;
> -+    int nspace_max_count = element->attribute_count * 2; /* attr and value */
> -+    if(element->name->nspace)
> -+      nspace_max_count++;
> -     if(element->declared_nspaces)
> -       nspace_max_count += raptor_sequence_size(element->declared_nspaces);
> -     if(element->xml_language)
> -@@ -237,7 +238,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> -         }
> -       }
> -
> --      /* Add the attribute + value */
> -+      /* Add the attribute's value */
> -       nspace_declarations[nspace_declarations_count].declaration=
> -         raptor_qname_format_as_xml(element->attributes[i],
> -                                    &nspace_declarations[nspace_declarations_count].length);
> ---
> -2.20.1
> -
> diff --git a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch b/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
> deleted file mode 100644
> index a48a583cb1..0000000000
> --- a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
> +++ /dev/null
> @@ -1,33 +0,0 @@
> -From 4f5dbbffcc1c6cf0398bd03450453289a0979dea Mon Sep 17 00:00:00 2001
> -From: Dave Beckett <dave at dajobe.org>
> -Date: Sat, 18 Sep 2021 17:40:00 -0700
> -Subject: [PATCH] XML Writer : compare namespace declarations correctly
> -
> -Apply patch from
> -0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1
> -that fixes Issue#0000650 https://bugs.librdf.org/mantis/view.php?id=650
> -which overwrote heap during XML writing in parse type literal
> -content.  This was detected with clang asan.
> -
> -Thanks to Michael Stahl / mst2 for the fix.
> -
> -[Retrieved from:
> -https://github.com/dajobe/raptor/commit/4f5dbbffcc1c6cf0398bd03450453289a0979dea]
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> ----
> - src/raptor_xml_writer.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
> -index 56993dc3..4426d38c 100644
> ---- a/src/raptor_xml_writer.c
> -+++ b/src/raptor_xml_writer.c
> -@@ -227,7 +227,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> -
> -           /* check it wasn't an earlier declaration too */
> -           for(j = 0; j < nspace_declarations_count; j++)
> --            if(nspace_declarations[j].nspace == element->attributes[j]->nspace) {
> -+            if(nspace_declarations[j].nspace == element->attributes[i]->nspace) {
> -               declare_me = 0;
> -               break;
> -             }
> diff --git a/package/raptor/raptor.hash b/package/raptor/raptor.hash
> index 2a54bf270d..05e9c53902 100644
> --- a/package/raptor/raptor.hash
> +++ b/package/raptor/raptor.hash
> @@ -1,3 +1,3 @@
>   # Locally calculated
> -sha256  ada7f0ba54787b33485d090d3d2680533520cd4426d2f7fb4782dd4a6a1480ed  raptor2-2.0.15.tar.gz
> -sha256  6b926a47abfb87451c436fbd4a868defec963d0232c70b806ac02d4a2a6e1968  LICENSE.txt
> +sha256  089db78d7ac982354bdbf39d973baf09581e6904ac4c92a98c5caadb3de44680  raptor2-2.0.16.tar.gz
> +sha256  0f0c719a05c9f7a0be2051ab83c1470837f595ed23e34989f46fd8eb45cfc251  LICENSE.txt
> diff --git a/package/raptor/raptor.mk b/package/raptor/raptor.mk
> index 69ac121300..ec7643ce3d 100644
> --- a/package/raptor/raptor.mk
> +++ b/package/raptor/raptor.mk
> @@ -4,7 +4,7 @@
>   #
>   ################################################################################
>   
> -RAPTOR_VERSION = 2.0.15
> +RAPTOR_VERSION = 2.0.16
>   RAPTOR_SOURCE = raptor2-$(RAPTOR_VERSION).tar.gz
>   RAPTOR_SITE = http://download.librdf.org/source
>   RAPTOR_DEPENDENCIES = libxml2 libxslt
> @@ -17,12 +17,6 @@ RAPTOR_INSTALL_STAGING = YES
>   # Flag is added to make sure the patch is applied for the configure.ac of raptor.
>   RAPTOR_AUTORECONF = YES
>   
> -# 0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> -RAPTOR_IGNORE_CVES += CVE-2017-18926
> -
> -# 0003-XML-Writer-compare-namespace-declarations-correctly.patch
> -RAPTOR_IGNORE_CVES += CVE-2020-25713
> -
>   RAPTOR_CONF_OPTS =\
>   	--with-xml2-config=$(STAGING_DIR)/usr/bin/xml2-config \
>   	--with-xslt-config=$(STAGING_DIR)/usr/bin/xslt-config

More information about the buildroot mailing list