diff -Nru raptor2-2.0.15/debian/changelog raptor2-2.0.15/debian/changelog --- raptor2-2.0.15/debian/changelog 2019-08-29 09:05:35.000000000 +0000 +++ raptor2-2.0.15/debian/changelog 2020-11-11 12:29:13.000000000 +0000 @@ -1,3 +1,12 @@ +raptor2 (2.0.15-0ubuntu1.20.04.1) focal-security; urgency=medium + + * SECURITY UPDATE: heap-based overflow via nspace declarations + - debian/patches/CVE-2017-18926.patch: calcualte max nspace + declarations correctly for XML writer in src/raptor_xml_writer.c. + - CVE-2017-18926 + + -- Marc Deslauriers Wed, 11 Nov 2020 07:29:13 -0500 + raptor2 (2.0.15-0ubuntu1) eoan; urgency=medium * New upstream version diff -Nru raptor2-2.0.15/debian/patches/CVE-2017-18926.patch raptor2-2.0.15/debian/patches/CVE-2017-18926.patch --- raptor2-2.0.15/debian/patches/CVE-2017-18926.patch 1970-01-01 00:00:00.000000000 +0000 +++ raptor2-2.0.15/debian/patches/CVE-2017-18926.patch 2020-11-11 12:29:10.000000000 +0000 @@ -0,0 +1,40 @@ +From 590681e546cd9aa18d57dc2ea1858cb734a3863f Mon Sep 17 00:00:00 2001 +From: Dave Beckett +Date: Sun, 16 Apr 2017 23:15:12 +0100 +Subject: [PATCH] Calcualte max nspace declarations correctly for XML writer + +(raptor_xml_writer_start_element_common): Calculate max including for +each attribute a potential name and value. + +Fixes Issues #0000617 http://bugs.librdf.org/mantis/view.php?id=617 +and #0000618 http://bugs.librdf.org/mantis/view.php?id=618 +--- + src/raptor_xml_writer.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c +index 693b9468..0d3a36a5 100644 +--- a/src/raptor_xml_writer.c ++++ b/src/raptor_xml_writer.c +@@ -181,9 +181,10 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer, + size_t nspace_declarations_count = 0; + unsigned int i; + +- /* max is 1 per element and 1 for each attribute + size of declared */ + if(nstack) { +- int nspace_max_count = element->attribute_count+1; ++ int nspace_max_count = element->attribute_count * 2; /* attr and value */ ++ if(element->name->nspace) ++ nspace_max_count++; + if(element->declared_nspaces) + nspace_max_count += raptor_sequence_size(element->declared_nspaces); + if(element->xml_language) +@@ -237,7 +238,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer, + } + } + +- /* Add the attribute + value */ ++ /* Add the attribute's value */ + nspace_declarations[nspace_declarations_count].declaration= + raptor_qname_format_as_xml(element->attributes[i], + &nspace_declarations[nspace_declarations_count].length); diff -Nru raptor2-2.0.15/debian/patches/series raptor2-2.0.15/debian/patches/series --- raptor2-2.0.15/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ raptor2-2.0.15/debian/patches/series 2020-11-11 12:29:10.000000000 +0000 @@ -0,0 +1 @@ +CVE-2017-18926.patch