diff -Nru raptor2-2.0.6/debian/changelog raptor2-2.0.6/debian/changelog
--- raptor2-2.0.6/debian/changelog 2011-11-28 00:25:21.000000000 +0000
+++ raptor2-2.0.6/debian/changelog 2013-07-04 16:02:58.000000000 +0000
@@ -1,3 +1,17 @@
+raptor2 (2.0.6-1ubuntu0.1) precise-security; urgency=low
+
+ * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
+ (XXE) attack
+ - debian/patches/CVE-2012-0037.patch: Add disabled by default
+ loadExternalEntities and RAPTOR_OPTION_LOAD_EXTERNAL_ENTITIES option
+ for turning on loading of XML external entities in librdfa/rdfa.c,
+ src/raptor2.h.in, src/raptor_libxml.c, src/raptor_option.c,
+ src/raptor_rdfxml.c, src/raptor_rss.c, src/raptor_internal.h,
+ src/raptor_sax2.c.
+ - CVE-2012-0037
+
+ -- Marc Deslauriers Thu, 04 Jul 2013 11:45:48 -0400
+
 raptor2 (2.0.6-1) unstable; urgency=low
 
 * New upstream release
diff -Nru raptor2-2.0.6/debian/control raptor2-2.0.6/debian/control
--- raptor2-2.0.6/debian/control 2011-07-26 06:02:00.000000000 +0000
+++ raptor2-2.0.6/debian/control 2013-07-04 15:51:08.000000000 +0000
@@ -1,7 +1,8 @@
 Source: raptor2
 Section: devel
 Priority: optional
-Maintainer: Dave Beckett
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Dave Beckett
 Build-Depends: debhelper (>> 5), autotools-dev, cdbs, libtool (>= 1.5), libxml2-dev (>= 2.5.10), libcurl4-gnutls-dev, libxslt1-dev (>= 1.0.18), libyajl-dev
 Standards-Version: 3.9.2
 Homepage: http://librdf.org/raptor/
diff -Nru raptor2-2.0.6/debian/patches/CVE-2012-0037.patch raptor2-2.0.6/debian/patches/CVE-2012-0037.patch
--- raptor2-2.0.6/debian/patches/CVE-2012-0037.patch 1970-01-01 00:00:00.000000000 +0000
+++ raptor2-2.0.6/debian/patches/CVE-2012-0037.patch 2013-07-04 16:36:40.000000000 +0000
@@ -0,0 +1,333 @@
+Description: fix arbitrary file disclosure via XML External Entity (XXE) attack
+Origin: backport, https://github.com/dajobe/raptor/commit/a9ddbb9d804264ed6b9cf9f6d46eed77b515b5d1.patch
+Origin: backport, https://github.com/dajobe/raptor/commit/359a56a5774dbde8d7a773c4c60aaed53abecc8c.patch
+Origin: backport, https://github.com/dajobe/raptor/commit/a676f235309a59d4aa78eeffd2574ae5d341fcb0.patch
+Origin: backport, https://github.com/dajobe/raptor/commit/331b048cd08dd4cbd87a83d790b2dc63ab56392b.patch
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677427
+
+Index: raptor2-2.0.6/librdfa/rdfa.c
+===================================================================
+--- raptor2-2.0.6.orig/librdfa/rdfa.c 2013-07-04 11:51:00.419343770 -0400
++++ raptor2-2.0.6/librdfa/rdfa.c 2013-07-04 11:51:00.411343770 -0400
+@@ -1218,6 +1218,14 @@
+ rdfa_init_context(context);
+
+ #ifdef LIBRDFA_IN_RAPTOR
++ if(1) {
++ raptor_parser* rdf_parser = (raptor_parser*)context->callback_data;
++
++ raptor_sax2_set_option(context->sax2,
++ RAPTOR_OPTION_LOAD_EXTERNAL_ENTITIES, NULL,
++ RAPTOR_OPTIONS_GET_NUMERIC(rdf_parser, RAPTOR_OPTION_LOAD_EXTERNAL_ENTITIES));
++ }
++
+ context->base_uri=raptor_new_uri(context->sax2->world, (const unsigned char*)context->base);
+ raptor_sax2_parse_start(context->sax2, context->base_uri);
+ #endif
+Index: raptor2-2.0.6/src/raptor2.h.in
+===================================================================
+--- raptor2-2.0.6.orig/src/raptor2.h.in 2013-07-04 11:51:00.419343770 -0400
++++ raptor2-2.0.6/src/raptor2.h.in 2013-07-04 11:51:00.411343770 -0400
+@@ -525,6 +525,7 @@
+ * @RAPTOR_OPTION_WWW_CERT_FILENAME: String. SSL client certificate filename
+ * @RAPTOR_OPTION_WWW_CERT_TYPE: String. SSL client certificate type
+ * @RAPTOR_OPTION_WWW_CERT_PASSPHRASE: String. SSL client certificate passphrase
++ * @RAPTOR_OPTION_LOAD_EXTERNAL_ENTITIES: When reading XML, load external entities.
+ * @RAPTOR_OPTION_LAST: Internal
+ *
+ * Raptor parser, serializer or XML writer options.
+@@ -568,7 +569,8 @@
+ RAPTOR_OPTION_WWW_CERT_FILENAME,
+ RAPTOR_OPTION_WWW_CERT_TYPE,
+ RAPTOR_OPTION_WWW_CERT_PASSPHRASE,
+- RAPTOR_OPTION_LAST = RAPTOR_OPTION_WWW_CERT_PASSPHRASE
++ RAPTOR_OPTION_LOAD_EXTERNAL_ENTITIES,
++ RAPTOR_OPTION_LAST = RAPTOR_OPTION_LOAD_EXTERNAL_ENTITIES
+ } raptor_option;
+
+
+Index: raptor2-2.0.6/src/raptor_libxml.c
+===================================================================
+--- raptor2-2.0.6.orig/src/raptor_libxml.c 2013-07-04 11:51:00.419343770 -0400
++++ raptor2-2.0.6/src/raptor_libxml.c 2013-07-04 12:02:01.039337470 -0400
+@@ -145,16 +145,113 @@
+
+ static xmlParserInputPtr
+ raptor_libxml_resolveEntity(void* user_data,
+- const xmlChar *publicId, const xmlChar *systemId) {
++ const xmlChar *publicId, const xmlChar *systemId)
++{
+ raptor_sax2* sax2 = (raptor_sax2*)user_data;
+- return libxml2_resolveEntity(sax2->xc, publicId, systemId);
++ xmlParserCtxtPtr ctxt = sax2->xc;
++ const unsigned char *uri_string = NULL;
++ xmlParserInputPtr entity_input = NULL;
++ int load_entity = 0;
++
++ if(ctxt->input)
++ uri_string = RAPTOR_GOOD_CAST(const unsigned char *, ctxt->input->filename);
++
++ if(!uri_string)
++ uri_string = RAPTOR_GOOD_CAST(const unsigned char *, ctxt->directory);
++
++ load_entity = RAPTOR_OPTIONS_GET_NUMERIC(sax2, RAPTOR_OPTION_LOAD_EXTERNAL_ENTITIES);
++
++ if(load_entity) {
++ entity_input = xmlLoadExternalEntity(RAPTOR_GOOD_CAST(const char*, uri_string),
++ RAPTOR_GOOD_CAST(const char*, publicId),
++ ctxt);
++ } else {
++ RAPTOR_DEBUG4("Not loading entity URI %s by policy for publicId '%s' systemId '%s'\n", uri_string, publicId, systemId);
++ }
++
++ return entity_input;
+ }
+
+
+ static xmlEntityPtr
+-raptor_libxml_getEntity(void* user_data, const xmlChar *name) {
++raptor_libxml_getEntity(void* user_data, const xmlChar *name)
++{
+ raptor_sax2* sax2 = (raptor_sax2*)user_data;
+- return libxml2_getEntity(sax2->xc, name);
++ xmlParserCtxtPtr xc = sax2->xc;
++ xmlEntityPtr ret = NULL;
++
++ if(!xc)
++ return NULL;
++
++ if(!xc->inSubset) {
++ /* looks for hardcoded set of entity names - lt, gt etc. */
++ ret = xmlGetPredefinedEntity(name);
++ if(ret) {
++ RAPTOR_DEBUG2("Entity '%s' found in predefined set\n", name);
++ return ret;
++ }
++ }
++
++ /* This section uses xmlGetDocEntity which looks for entities in
++ * memory only, never from a file or URI
++ */
++ if(xc->myDoc && (xc->myDoc->standalone == 1)) {
++ RAPTOR_DEBUG2("Entity '%s' document is standalone\n", name);
++ /* Document is standalone: no entities are required to interpret doc */
++ if(xc->inSubset == 2) {
++ xc->myDoc->standalone = 0;
++ ret = xmlGetDocEntity(xc->myDoc, name);
++ xc->myDoc->standalone = 1;
++ } else {
++ ret = xmlGetDocEntity(xc->myDoc, name);
++ if(!ret) {
++ xc->myDoc->standalone = 0;
++ ret = xmlGetDocEntity(xc->myDoc, name);
++ xc->myDoc->standalone = 1;
++ }
++ }
++ } else {
++ ret = xmlGetDocEntity(xc->myDoc, name);
++ }
++
++ if(ret && !ret->children &&
++ (ret->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY)) {
++ /* Entity is an external general parsed entity. It may be in a
++ * catalog file, user file or user URI
++ */
++ int val = 0;
++ xmlNodePtr children;
++ int load_entity = 0;
++
++ load_entity = RAPTOR_OPTIONS_GET_NUMERIC(sax2, RAPTOR_OPTION_LOAD_EXTERNAL_ENTITIES);
++
++ if(!load_entity) {
++ RAPTOR_DEBUG2("Not getting entity URI %s by policy\n", ret->URI);
++ children = xmlNewText((const xmlChar*)"");
++ } else {
++ /* Disable SAX2 handlers so that the SAX2 events do not all get
++ * sent to callbacks during dealing with the entity parsing.
++ */
++ sax2->enabled = 0;
++ val = xmlParseCtxtExternalEntity(xc, ret->URI, ret->ExternalID, &children);
++ sax2->enabled = 1;
++ }
++
++ if(!val) {
++ xmlAddChildList((xmlNodePtr)ret, children);
++ } else {
++ xc->validate = 0;
++ return NULL;
++ }
++
++ ret->owner = 1;
++
++ /* Mark this entity as having been checked - never do this again */
++ if(!ret->checked)
++ ret->checked = 1;
++ }
++
++ return ret;
+ }
+
+
+Index: raptor2-2.0.6/src/raptor_option.c
+===================================================================
+--- raptor2-2.0.6.orig/src/raptor_option.c 2013-07-04 11:51:00.419343770 -0400
++++ raptor2-2.0.6/src/raptor_option.c 2013-07-04 11:51:00.411343770 -0400
+@@ -277,6 +277,12 @@
+ RAPTOR_OPTION_VALUE_TYPE_STRING,
+ "wwwCertPassphrase",
+ "SSL client certificate passphrase"
++ },
++ { RAPTOR_OPTION_LOAD_EXTERNAL_ENTITIES,
++ (raptor_option_area)(RAPTOR_OPTION_AREA_PARSER | RAPTOR_OPTION_AREA_SAX2),
++ RAPTOR_OPTION_VALUE_TYPE_BOOL,
++ "loadExternalEntities",
++ "Parsers and SAX2 should load external entities."
+ }
+ };
+
+Index: raptor2-2.0.6/src/raptor_rdfxml.c
+===================================================================
+--- raptor2-2.0.6.orig/src/raptor_rdfxml.c 2013-07-04 11:51:00.419343770 -0400
++++ raptor2-2.0.6/src/raptor_rdfxml.c 2013-07-04 11:51:00.411343770 -0400
+@@ -1001,7 +1001,11 @@
+ raptor_sax2_set_option(rdf_xml_parser->sax2,
+ RAPTOR_OPTION_NO_NET, NULL,
+ RAPTOR_OPTIONS_GET_NUMERIC(rdf_parser, RAPTOR_OPTION_NO_NET));
+-
++
++ raptor_sax2_set_option(rdf_xml_parser->sax2,
++ RAPTOR_OPTION_LOAD_EXTERNAL_ENTITIES, NULL,
++ RAPTOR_OPTIONS_GET_NUMERIC(rdf_parser, RAPTOR_OPTION_LOAD_EXTERNAL_ENTITIES));
++
+ raptor_sax2_parse_start(rdf_xml_parser->sax2, uri);
+
+ /* Delete any existing id_set */
+Index: raptor2-2.0.6/src/raptor_rss.c
+===================================================================
+--- raptor2-2.0.6.orig/src/raptor_rss.c 2013-07-04 11:51:00.419343770 -0400
++++ raptor2-2.0.6/src/raptor_rss.c 2013-07-04 11:51:00.415343770 -0400
+@@ -249,7 +249,11 @@
+ raptor_sax2_set_option(rss_parser->sax2,
+ RAPTOR_OPTION_NO_NET, NULL,
+ RAPTOR_OPTIONS_GET_NUMERIC(rdf_parser, RAPTOR_OPTION_NO_NET));
+-
++
++ raptor_sax2_set_option(rss_parser->sax2,
++ RAPTOR_OPTION_LOAD_EXTERNAL_ENTITIES, NULL,
++ RAPTOR_OPTIONS_GET_NUMERIC(rdf_parser, RAPTOR_OPTION_LOAD_EXTERNAL_ENTITIES));
++
+ raptor_sax2_parse_start(rss_parser->sax2, uri);
+
+ return 0;
+Index: raptor2-2.0.6/src/raptor_internal.h
+===================================================================
+--- raptor2-2.0.6.orig/src/raptor_internal.h 2011-11-12 15:38:22.000000000 -0500
++++ raptor2-2.0.6/src/raptor_internal.h 2013-07-04 12:01:13.847337920 -0400
+@@ -1122,6 +1122,9 @@
+
+ /* sax2 init failed - do not try to do anything with it */
+ int failed;
++
++ /* call SAX2 handlers if non-0 */
++ int enabled;
+ };
+
+ int raptor_sax2_init(raptor_world* world);
+Index: raptor2-2.0.6/src/raptor_sax2.c
+===================================================================
+--- raptor2-2.0.6.orig/src/raptor_sax2.c 2011-11-27 12:36:30.000000000 -0500
++++ raptor2-2.0.6/src/raptor_sax2.c 2013-07-04 12:01:13.851337920 -0400
+@@ -100,6 +100,8 @@
+ sax2->locator = locator;
+ sax2->user_data = user_data;
+
++ sax2->enabled = 1;
++
+ raptor_object_options_init(&sax2->options, RAPTOR_OPTION_AREA_SAX2);
+
+ return sax2;
+@@ -705,7 +707,7 @@
+ unsigned char *xml_language = NULL;
+ raptor_uri *xml_base = NULL;
+
+- if(sax2->failed)
++ if(sax2->failed || !sax2->enabled)
+ return;
+
+ #ifdef RAPTOR_XML_EXPAT
+@@ -925,7 +927,7 @@
+ raptor_sax2* sax2 = (raptor_sax2*)user_data;
+ raptor_xml_element* xml_element;
+
+- if(sax2->failed)
++ if(sax2->failed || !sax2->enabled)
+ return;
+
+ #ifdef RAPTOR_XML_EXPAT
+@@ -963,7 +965,11 @@
+ raptor_sax2_characters(void* user_data, const unsigned char *s, int len)
+ {
+ raptor_sax2* sax2 = (raptor_sax2*)user_data;
+- if(!sax2->failed && sax2->characters_handler)
++
++ if(sax2->failed || !sax2->enabled)
++ return;
++
++ if(sax2->characters_handler)
+ sax2->characters_handler(sax2->user_data, sax2->current_element, s, len);
+ }
+
+@@ -973,13 +979,17 @@
+ raptor_sax2_cdata(void* user_data, const unsigned char *s, int len)
+ {
+ raptor_sax2* sax2 = (raptor_sax2*)user_data;
++
+ #ifdef RAPTOR_XML_EXPAT
+ #ifdef EXPAT_UTF8_BOM_CRASH
+ sax2->tokens_count++;
+ #endif
+ #endif
+
+- if(!sax2->failed && sax2->cdata_handler)
++ if(sax2->failed || !sax2->enabled)
++ return;
++
++ if(sax2->cdata_handler)
+ sax2->cdata_handler(sax2->user_data, sax2->current_element, s, len);
+ }
+
+@@ -989,7 +999,11 @@
+ raptor_sax2_comment(void* user_data, const unsigned char *s)
+ {
+ raptor_sax2* sax2 = (raptor_sax2*)user_data;
+- if(!sax2->failed && sax2->comment_handler)
++
++ if(sax2->failed || !sax2->enabled)
++ return;
++
++ if(sax2->comment_handler)
+ sax2->comment_handler(sax2->user_data, sax2->current_element, s);
+ }
+
+@@ -1004,7 +1018,11 @@
+ const unsigned char* notationName)
+ {
+ raptor_sax2* sax2 = (raptor_sax2*)user_data;
+- if(!sax2->failed && sax2->unparsed_entity_decl_handler)
++
++ if(sax2->failed || !sax2->enabled)
++ return;
++
++ if(sax2->unparsed_entity_decl_handler)
+ sax2->unparsed_entity_decl_handler(sax2->user_data,
+ entityName, base, systemId,
+ publicId, notationName);
+@@ -1021,7 +1039,7 @@
+ {
+ raptor_sax2* sax2 = (raptor_sax2*)user_data;
+
+- if(sax2->failed)
++ if(sax2->failed || !sax2->enabled)
+ return 0;
+
+ if(sax2->external_entity_ref_handler)
diff -Nru raptor2-2.0.6/debian/patches/series raptor2-2.0.6/debian/patches/series
--- raptor2-2.0.6/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ raptor2-2.0.6/debian/patches/series 2013-07-04 15:37:48.000000000 +0000
@@ -0,0 +1 @@
+CVE-2012-0037.patch
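Review bot: In the src/raptor_libxml.c section of debian/patches/CVE-2012-0037.patch, raptor_libxml_resolveEntity reads `ctxt->input` without the `if(!xc) return NULL;` guard that raptor_libxml_getEntity applies to the same `sax2->xc` pointer, and its RAPTOR_DEBUG4 call can hand a NULL `uri_string` or `publicId` to `%s`; adding `if(!ctxt) return NULL;` before the first dereference would make the two callbacks consistent. In raptor_libxml_getEntity the handlers are switched back on with a hard-coded `sax2->enabled = 1;` after xmlParseCtxtExternalEntity, so if that parse reaches another external entity through the same callback, the inner call would re-enable SAX2 events while the outer entity is still being parsed; saving the old value (`int was_enabled = sax2->enabled;` before the call, `sax2->enabled = was_enabled;` after it) keeps the suppression nested. With the option off, the refusal is reported only through the RAPTOR_DEBUG macros, which presumably compile out of release builds, so a warning on the parser's normal log path would let operators see blocked external-entity references. The doc line added in src/raptor2.h.in could state type and default like its neighbours, e.g. `@RAPTOR_OPTION_LOAD_EXTERNAL_ENTITIES: Boolean. When reading XML, load external entities (off by default; enable only for trusted input).`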