external/redland/ExternalProject_raptor.mk | 4 +-
external/redland/UnpackedTarball_raptor.mk | 1
external/redland/raptor/CVE-2024-57823.patch.1 | 35 +++++++++++++++++++++++++
3 files changed, 38 insertions(+), 2 deletions(-)
New commits:
commit 1ac4aa8db84ee647b471edbdd9a702e66fe52e78
Author: Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Wed Jan 15 10:55:05 2025 +0100
Commit: Michael Stahl <michael.st...@allotropia.de>
CommitDate: Wed Jan 15 13:24:57 2025 +0100
redland: disable all raptor parsers except for "rdfxml"
It's the only one the unordf component invokes.
CVE-2024-57823 CVE-2024-57822 affect the "ntriples" and "turtle"
parsers.
However it appears that the function raptor_uri_normalize_path() could
also be called from raptor_libxml_* functions? Somewhat unclear, let's
add the patch just in case.
Change-Id: Idd7ebbc29c63e84ca2434b06c26f7aca34bdcaa5
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/180272
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
(cherry picked from commit 2b50dc0e4482ac0ad27d69147b4175e05af4fba4)
diff --git a/external/redland/ExternalProject_raptor.mk
b/external/redland/ExternalProject_raptor.mk
index 8b800f76eea0..944f7e0b40d4 100644
--- a/external/redland/ExternalProject_raptor.mk
+++ b/external/redland/ExternalProject_raptor.mk
@@ -36,7 +36,7 @@ $(call gb_ExternalProject_get_state_target,raptor,build):
$(if $(SYSBASE),$(if $(filter LINUX
SOLARIS,$(OS)),-L$(SYSBASE)/lib -L$(SYSBASE)/usr/lib -lpthread -ldl)))' \
CPPFLAGS="$(if $(SYSBASE),-I$(SYSBASE)/usr/include)
$(gb_EMSCRIPTEN_CPPFLAGS)" \
$(gb_RUN_CONFIGURE) ./configure --disable-gtk-doc \
- --enable-parsers="rdfxml ntriples turtle trig guess
rss-tag-soup" \
+ --enable-parsers="rdfxml" \
--without-www \
--without-xslt-config \
$(gb_CONFIGURE_PLATFORMS) \
diff --git a/external/redland/UnpackedTarball_raptor.mk
b/external/redland/UnpackedTarball_raptor.mk
index 6dc6491132df..dddfb4ba7923 100644
--- a/external/redland/UnpackedTarball_raptor.mk
+++ b/external/redland/UnpackedTarball_raptor.mk
@@ -30,6 +30,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,raptor,\
external/redland/raptor/xml2-config.patch \
external/redland/raptor/raptor-libxml2-11.patch.1 \
$(if $(SYSTEM_ICU),,external/redland/raptor/raptor-icu.patch) \
+ external/redland/raptor/CVE-2024-57823.patch.1 \
))
# vim: set noet sw=4 ts=4:
diff --git a/external/redland/raptor/CVE-2024-57823.patch.1
b/external/redland/raptor/CVE-2024-57823.patch.1
new file mode 100644
index 000000000000..b06689304b0a
--- /dev/null
+++ b/external/redland/raptor/CVE-2024-57823.patch.1
@@ -0,0 +1,35 @@
+--- raptor2-2.0.15/src/raptor_rfc2396.c.CVE-2024-57823 2014-07-26
23:07:37.000000000 +0200
++++ raptor2-2.0.15/src/raptor_rfc2396.c 2025-01-13 12:59:22.175568228
+0100
+@@ -289,10 +289,8 @@ raptor_uri_normalize_path(unsigned char*
+ }
+
+
+-#if defined(RAPTOR_DEBUG)
+ if(path_len != strlen((const char*)path_buffer))
+ RAPTOR_FATAL4("Path '%s' length %ld does not match calculated %ld.",
(const char*)path_buffer, (long)strlen((const char*)path_buffer),
(long)path_len);
+-#endif
+
+ /* Remove all "<component>/../" path components */
+
+@@ -327,10 +325,8 @@ raptor_uri_normalize_path(unsigned char*
+ if(!prev || !cur)
+ continue;
+
+-#if defined(RAPTOR_DEBUG)
+ if(path_len != strlen((const char*)path_buffer))
+ RAPTOR_FATAL3("Path length %ld does not match calculated %ld.",
(long)strlen((const char*)path_buffer), (long)path_len);
+-#endif
+
+ /* If the current one is '..' */
+ if(s == (cur+2) && cur[0] == '.' && cur[1] == '.') {
+@@ -393,10 +389,8 @@ raptor_uri_normalize_path(unsigned char*
+ }
+
+
+-#if defined(RAPTOR_DEBUG)
+ if(path_len != strlen((const char*)path_buffer))
+ RAPTOR_FATAL3("Path length %ld does not match calculated %ld.",
(long)strlen((const char*)path_buffer), (long)path_len);
+-#endif
+
+ /* RFC3986 Appendix C.2 / 5.4.2 Abnormal Examples
+ * Remove leading /../ and /./
commit 3ddcefa709604165cddc87d9da13921c3bec93c8
Author: Xisco Fauli <xiscofa...@libreoffice.org>
AuthorDate: Wed Jul 3 14:08:47 2024 +0200
Commit: Michael Stahl <michael.st...@allotropia.de>
CommitDate: Wed Jan 15 13:24:05 2025 +0100
raptor: Use --without-www
it seems not used. Besides, it fails when upgrading
to libxml2 2.13.
See https://gerrit.libreoffice.org/c/core/+/169327
Change-Id: If383130eac3b5d6de911c4c273c8e371a4980f23
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/169933
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org>
(cherry picked from commit 25b37b4c8c8c5aef7cd530d919258bd8e5dce068)
diff --git a/external/redland/ExternalProject_raptor.mk
b/external/redland/ExternalProject_raptor.mk
index deff4f8dce4b..8b800f76eea0 100644
--- a/external/redland/ExternalProject_raptor.mk
+++ b/external/redland/ExternalProject_raptor.mk
@@ -36,8 +36,8 @@ $(call gb_ExternalProject_get_state_target,raptor,build):
$(if $(SYSBASE),$(if $(filter LINUX
SOLARIS,$(OS)),-L$(SYSBASE)/lib -L$(SYSBASE)/usr/lib -lpthread -ldl)))' \
CPPFLAGS="$(if $(SYSBASE),-I$(SYSBASE)/usr/include)
$(gb_EMSCRIPTEN_CPPFLAGS)" \
$(gb_RUN_CONFIGURE) ./configure --disable-gtk-doc \
- --enable-parsers="rdfxml ntriples turtle trig guess
rss-tag-soup" \
- --with-www=xml \
+ --enable-parsers="rdfxml ntriples turtle trig guess
rss-tag-soup" \
+ --without-www \
--without-xslt-config \
$(gb_CONFIGURE_PLATFORMS) \
$(if $(CROSS_COMPILING),$(if $(filter INTEL
ARM,$(CPUNAME)),ac_cv_c_bigendian=no)) \
