authorRodrigo Bezerra2020-11-22 13:52:14 -0300
committerRodrigo Bezerra2020-11-22 13:52:14 -0300
commita14a7a3a16a03f637187bcf36741237832735b1c (patch)
tree09db7dc53b1c29dacf430f62531c0899ceb96145
parentc5fced3c417d97c9d73df6470561d539a4104278 (diff)
downloadaur-a14a7a3a16a03f637187bcf36741237832735b1c.tar.gz
Fix CVE-2017-18926
-rw-r--r--.SRCINFO24
-rw-r--r--PKGBUILD51
-rw-r--r--raptor-2.0.15-out_of_bounds.patch14
3 files changed, 75 insertions, 14 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 68b982204de0..4bbb774b2157 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,17 +1,33 @@
pkgbase = lib32-raptor
pkgdesc = A C library that parses RDF/XML/N-Triples into RDF triples (32 bit)
pkgver = 2.0.15
- pkgrel = 8
+ pkgrel = 9
url = http://librdf.org/raptor
arch = x86_64
- license = LGPL
+ license = Apache
+ license = GPL2
+ license = LGPL2.1
makedepends = gcc-multilib
depends = lib32-curl
+ depends = lib32-glibc
depends = lib32-icu
+ depends = lib32-libxml2
depends = lib32-libxslt
- depends = raptor
+ depends = lib32-xz
+ depends = lib32-zlib
source = http://librdf.org/dist/source/raptor2-2.0.15.tar.gz
- sha256sums = ada7f0ba54787b33485d090d3d2680533520cd4426d2f7fb4782dd4a6a1480ed
+ source = http://librdf.org/dist/source/raptor2-2.0.15.tar.gz.asc
+ source = raptor-2.0.15-CVE-2017-18926.patch::https://github.com/dajobe/raptor/commit/590681e546cd9aa18d57dc2ea1858cb734a3863f.patch
+ source = raptor-2.0.15-out_of_bounds.patch
+ validpgpkeys = F879F0DEDA780198DD08DC6443EC92504F71955A
+ sha512sums = 563dd01869eb4df8524ec12e2c0a541653874dcd834bd1eb265bc2943bb616968f624121d4688579cdce11b4f00a8ab53b7099f1a0850e256bb0a2c16ba048ee
+ sha512sums = SKIP
+ sha512sums = 203ae75dae8242fb7988a199df8a7337b0660871f5caa6c9098167536ba880ad55765bb60fd4315020f208ed3ae8dc03eb1b91241851410a961a797192ecb969
+ sha512sums = 140f90d74fad8cdc6ef7fa14fa655e425552947d57068021362f8ae9efdded8ed31295e9bdd495fe70e646967062e28fa3ecd5831f9902134da5fe0a82607735
+ b2sums = 0a39c7b5705bfbf2daa0ca633f79693953b4dfe24c144008d1646a9840a36d4d7ce153b527450647127ec2522047dbd0a6e71f307ee5656951f7e4b610adfd22
+ b2sums = SKIP
+ b2sums = a3f83e34686dfd55ad1c4b9e97f6ae046be31b8224846dfa2b83ba9228cb987c6ebb19f37f48c196fab56a1e1d007d71225ed12acc2188e088b95c7cff5a0beb
+ b2sums = ab11eeb648bf2cf8ac4ef4bbff4cdb77d1b713ad086268b656c7249363bf5752b535763f9a9fd34be4d72b3ff420cd87ee6970d3da6e24e5e2b067b9dbb9c29e
pkgname = lib32-raptor
diff --git a/PKGBUILD b/PKGBUILD
index 9ac79b29ff9c..5dd7c290f980 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -2,20 +2,46 @@
# Contributor: josephgbr <rafael.f.f1@gmail.com>
# Contributor: GordonGR <ntheo1979@gmail.com>
+_name=raptor2
+_basename=raptor
pkgname=lib32-raptor
pkgver=2.0.15
-pkgrel=8
+pkgrel=9
pkgdesc="A C library that parses RDF/XML/N-Triples into RDF triples (32 bit)"
arch=('x86_64')
url="http://librdf.org/raptor"
-depends=('lib32-curl' 'lib32-icu' 'lib32-libxslt' 'raptor')
+license=('Apache' 'GPL2' 'LGPL2.1')
+depends=( 'lib32-curl' 'lib32-glibc' 'lib32-icu' 'lib32-libxml2' 'lib32-libxslt' 'lib32-xz' 'lib32-zlib')
makedepends=('gcc-multilib')
-license=('LGPL')
-source=("http://librdf.org/dist/source/raptor2-${pkgver}.tar.gz")
-sha256sums=('ada7f0ba54787b33485d090d3d2680533520cd4426d2f7fb4782dd4a6a1480ed')
+source=("http://librdf.org/dist/source/${_name}-$pkgver.tar.gz"{,.asc}
+ "${_basename}-2.0.15-CVE-2017-18926.patch::https://github.com/dajobe/raptor/commit/590681e546cd9aa18d57dc2ea1858cb734a3863f.patch"
+ "${_basename}-2.0.15-out_of_bounds.patch")
+sha512sums=('563dd01869eb4df8524ec12e2c0a541653874dcd834bd1eb265bc2943bb616968f624121d4688579cdce11b4f00a8ab53b7099f1a0850e256bb0a2c16ba048ee'
+ 'SKIP'
+ '203ae75dae8242fb7988a199df8a7337b0660871f5caa6c9098167536ba880ad55765bb60fd4315020f208ed3ae8dc03eb1b91241851410a961a797192ecb969'
+ '140f90d74fad8cdc6ef7fa14fa655e425552947d57068021362f8ae9efdded8ed31295e9bdd495fe70e646967062e28fa3ecd5831f9902134da5fe0a82607735')
+b2sums=('0a39c7b5705bfbf2daa0ca633f79693953b4dfe24c144008d1646a9840a36d4d7ce153b527450647127ec2522047dbd0a6e71f307ee5656951f7e4b610adfd22'
+ 'SKIP'
+ 'a3f83e34686dfd55ad1c4b9e97f6ae046be31b8224846dfa2b83ba9228cb987c6ebb19f37f48c196fab56a1e1d007d71225ed12acc2188e088b95c7cff5a0beb'
+ 'ab11eeb648bf2cf8ac4ef4bbff4cdb77d1b713ad086268b656c7249363bf5752b535763f9a9fd34be4d72b3ff420cd87ee6970d3da6e24e5e2b067b9dbb9c29e')
+validpgpkeys=('F879F0DEDA780198DD08DC6443EC92504F71955A') # Dave Beckett <dave@dajobe.org>
+
+prepare() {
+ mv -v "${_name}-${pkgver}" "${_basename}-${pkgver}"
+
+ cd "${_basename}-${pkgver}"
+
+ # fix CVE-2017-18926:
+ # https://bugs.archlinux.org/task/68613
+ patch -Np1 -i "../${_basename}-2.0.15-CVE-2017-18926.patch"
+
+ # fix out-of-bounds read:
+ # https://bugs.librdf.org/mantis/view.php?id=650
+ patch -Np1 -i "../${_basename}-2.0.15-out_of_bounds.patch"
+}
build() {
- cd "raptor2-${pkgver}"
+ cd "${_basename}-${pkgver}"
export CC='gcc -m32'
export CXX='g++ -m32'
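Review bot: The CVE-2017-18926 fix in `source=` is pulled from a GitHub commit `.patch` URL, which GitHub renders on demand, so the pinned `sha512sums`/`b2sums` entries can stop matching if that rendering changes (for example the length of abbreviated index hashes), breaking the build of a security update. Committing the patch into the package repository, as is already done for `raptor-2.0.15-out_of_bounds.patch`, keeps the exact fix reviewable and stable. Separately, the tarball and its `.asc` are still fetched over `http://`; the `validpgpkeys` check covers integrity, but `https://` would be preferable if upstream serves it. build() continues outside this hunk.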
@@ -23,17 +49,22 @@ build() {
./configure \
--build=i686-pc-linux-gnu \
- --prefix=/usr \
- --libdir=/usr/lib32 \
+ --prefix='/usr' \
+ --libdir='/usr/lib32' \
--disable-static \
- --with-yajl=no \
--with-icu-config=/usr/bin/icu-config-32
make
}
+check() {
+ cd "${_basename}-${pkgver}"
+
+ make check || echo "Known to fail."
+}
+
package() {
- cd "raptor2-${pkgver}"
+ cd "${_basename}-${pkgver}"
make prefix="${pkgdir}"/usr libdir="${pkgdir}"/usr/lib32 install
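Review bot: `make check || echo "Known to fail."` in check() discards every test failure, so a regression introduced by either of the two patches applied in prepare() would pass unnoticed. If only particular tests are known to fail on 32-bit, record which ones next to the command, e.g. `# known failure: <test name placeholder>, see <bug URL placeholder>`, and let other failures abort the build. Dropping `--with-yajl=no` also leaves yajl detection to configure, which presumably could link against a 32-bit yajl present on the build host without it being listed in `depends`; keeping the explicit flag would make the result deterministic. package() continues outside this hunk.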
diff --git a/raptor-2.0.15-out_of_bounds.patch b/raptor-2.0.15-out_of_bounds.patch
new file mode 100644
index 000000000000..04106dc9a70e
--- /dev/null
+++ b/raptor-2.0.15-out_of_bounds.patch
@@ -0,0 +1,14 @@
+diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
+index 56993dc3..163f34d5 100644
+--- a/src/raptor_xml_writer.c
++++ b/src/raptor_xml_writer.c
+@@ -216,6 +216,9 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
+
+ if(nstack && element->attributes) {
+ for(i = 0; i < element->attribute_count; i++) {
++ if (nspace_declarations_count > element->attribute_count)
++ goto error;
++
+ /* qname */
+ if(element->attributes[i]->nspace) {
+ /* Check if we need a namespace declaration attribute */
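Review bot: The added guard compares `nspace_declarations_count` with `element->attribute_count`, but the buffer that count indexes is allocated outside this hunk, so it is not evident that `attribute_count` is the real capacity or that `>` rather than `>=` is the right comparison; if the count can equal the capacity, the next access is already one past the end. It would be safer to test against the same value used for the allocation and to say so in a comment, e.g. `/* stop before the namespace declarations array is overrun */`. Because the test sits at the top of the loop body, any path that advances the count more than once per iteration (not visible here) is only caught on the following pass. The function starts and ends outside the hunk, so the `error` label's cleanup cannot be checked from this patch.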