raptor2_2.0.15-4+deb12u1_sourceonly.changes ACCEPTED into proposed-updates->stable-new

2025-05-17 Thread Debian FTP Masters
Thank you for your contribution to Debian.

Mapping bookworm to stable.
Mapping stable to proposed-updates.

Accepted:

Format: 1.8
Date: Sat, 29 Mar 2025 20:42:36 +0100
Source: raptor2
Architecture: source
Version: 2.0.15-4+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian QA Group 
Changed-By: Salvatore Bonaccorso 
Closes: 1067896
Changes:
 raptor2 (2.0.15-4+deb12u1) bookworm; urgency=medium
 .
   * Integer Underflow in raptor_uri_normalize_path() (CVE-2024-57823)
     (Closes: #1067896)
   * Heap read buffer overflow in ntriples bnode (CVE-2024-57822)
     (Closes: #1067896)
   * Tests for Github issue 70


Processing of raptor2_2.0.15-4+deb12u1_sourceonly.changes

2025-05-17 Thread Debian FTP Masters
raptor2_2.0.15-4+deb12u1_sourceonly.changes uploaded successfully to localhost
along with the files:
  raptor2_2.0.15-4+deb12u1.dsc
  raptor2_2.0.15-4+deb12u1.debian.tar.xz

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



Bug#1105957: bookworm-pu: package raptor2/2.0.15-4+deb12u1

2025-05-17 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: rapt...@packages.debian.org, car...@debian.org
Control: affects -1 + src:raptor2
User: release.debian@packages.debian.org
Usertags: pu

Hi stable release managers,

[ Reason ]
raptor2 in bookworm is as well affected by CVE-2024-57822 and
CVE-2024-57823 in raptor2, an integer overflow in
raptor_uri_normalize_path and a heap read buffer overflow in ntriples
bnode.

[ Impact ]
Keeping those two, no-dsa issues, open in bookworm.

[ Tests ]
While I include for consistency the two tests as well in this update's
tests/ folder, those tests are not run (and others) back in bookworm. I
did explicitly test those manually and verified under valgrind that
the issue is fixed.

[ Risks ]
The update is in unstable and trixie without having got regression
reports and the fixes are scoped to those issues. It should be low risk
to get this applied.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Two patches to fix the underlying issue, and as explained above as
well adding the testcases (though not run).

[ Other info ]
They do not warrant a DSA so it is now perfectly fine to wait until we
get it into 12.12 later. I unfortunately missed the time to finalize
this earlier for bookworm's 12.11 which is sad but is as it is now.

Regards,
Salvatore
diff -Nru raptor2-2.0.15/debian/changelog raptor2-2.0.15/debian/changelog
--- raptor2-2.0.15/debian/changelog 2022-10-03 01:38:55.0 +0200
+++ raptor2-2.0.15/debian/changelog 2025-03-29 20:42:36.0 +0100
@@ -1,3 +1,13 @@
+raptor2 (2.0.15-4+deb12u1) bookworm; urgency=medium
+
+  * Integer Underflow in raptor_uri_normalize_path() (CVE-2024-57823)
+(Closes: #1067896)
+  * Heap read buffer overflow in ntriples bnode (CVE-2024-57822)
+(Closes: #1067896)
+  * Tests for Github issue 70
+
+ -- Salvatore Bonaccorso   Sat, 29 Mar 2025 20:42:36 +0100
+
 raptor2 (2.0.15-4) unstable; urgency=medium
 
   * QA upload.
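
Review bot: The third new entry, "Tests for Github issue 70", does not say that the added test cases are not executed during the bookworm build, which the request text above states explicitly. Wording such as "Add tests for Github issue 70 (not run at build time)" would keep the changelog from implying regression coverage that the build does not provide. As a style point, both CVE entries repeat the same "Closes: #1067896"; one occurrence is sufficient.
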
diff -Nru 
raptor2-2.0.15/debian/patches/Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch
 
raptor2-2.0.15/debian/patches/Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch
--- 
raptor2-2.0.15/debian/patches/Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch
1970-01-01 01:00:00.0 +0100
+++ 
raptor2-2.0.15/debian/patches/Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch
2025-03-29 20:42:36.0 +0100
@@ -0,0 +1,44 @@
+From: Dave Beckett 
+Date: Thu, 6 Feb 2025 21:12:37 -0800
+Subject: Fix Github issue 70 A) Integer Underflow in
+ raptor_uri_normalize_path()
+Origin: 
https://github.com/dajobe/raptor/commit/da7a79976bd0314c23cce55d22495e7d29301c44
+Bug: https://github.com/dajobe/raptor/issues/70
+Bug-Debian: https://bugs.debian.org/1067896
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57823
+
+(raptor_uri_normalize_path): Return empty buffer if path gets to 0
+length
+---
+ src/raptor_rfc2396.c | 8 
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/raptor_rfc2396.c b/src/raptor_rfc2396.c
+index 8cc364f44735..f8ec57986a08 100644
+--- a/src/raptor_rfc2396.c
 b/src/raptor_rfc2396.c
+@@ -351,6 +351,10 @@ raptor_uri_normalize_path(unsigned char* path_buffer, 
size_t path_len)
+   *dest++ = *s++;
+ *dest = '\0';
+ path_len -= len;
++if(path_len <= 0) {
++  *path_buffer = '\0';
++  return 0;
++}
+ 
+ if(p && p < prev) {
+   /* We know the previous prev path component and we didn't do
+@@ -390,6 +394,10 @@ raptor_uri_normalize_path(unsigned char* path_buffer, 
size_t path_len)
+ /* Remove /.. at the end of the path */
+ *prev = '\0';
+ path_len -= (s-prev);
++if(path_len <= 0) {
++  *path_buffer = '\0';
++  return 0;
++}
+   }
+ 
+ 
+-- 
+2.49.0
+
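
Review bot: Both added guards test `if(path_len <= 0)` on a value that the hunk headers show is declared `size_t path_len`, so the condition can only be true when `path_len` is exactly 0. If `len` or `(s-prev)` were ever larger than `path_len`, the preceding `path_len -= len;` or `path_len -= (s-prev);` would wrap to a very large value and the guard would not fire. Comparing before subtracting (for example `if(len >= path_len)` ahead of the subtraction) would cover that case too; if the surrounding code guarantees the subtrahend never exceeds `path_len`, writing the test as `path_len == 0` states the intent without suggesting a signed comparison. The early `return 0` paths are also worth a line in the function's comment so callers know an empty, NUL-terminated buffer is a valid result.
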
diff -Nru 
raptor2-2.0.15/debian/patches/Fix-Github-issue-70-B-Heap-read-buffer-overflow-in-n.patch
 
raptor2-2.0.15/debian/patches/Fix-Github-issue-70-B-Heap-read-buffer-overflow-in-n.patch
--- 
raptor2-2.0.15/debian/patches/Fix-Github-issue-70-B-Heap-read-buffer-overflow-in-n.patch
1970-01-01 01:00:00.0 +0100
+++ 
raptor2-2.0.15/debian/patches/Fix-Github-issue-70-B-Heap-read-buffer-overflow-in-n.patch
2025-03-29 20:42:36.0 +0100
@@ -0,0 +1,30 @@
+From: Dave Beckett 
+Date: Fri, 7 Feb 2025 11:38:34 -0800
+Subject: Fix Github issue 70 B) Heap read buffer overflow in ntriples bnode
+Origin: 
https://github.com/dajobe/raptor/commit/ece2c79df43091686a538b8231cf387d84bfa60e
+Bug: https://github.com/dajobe/raptor/issues/70
+Bug-Debian: https://bugs.debian.org/1067896
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57822
+
+(raptor_ntriples_parse_term_internal): Only allow looking at the last
+character of a bnode ID only if bn