Package: raptor
Version: 1.4.21-7
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch

Dear Maintainer,

While 1.4.21-7 claims to fix CVE-2012-0037, it does not, because
debian/patches/series was not updated. Attached is a patch to:
 * update the series file
 * update raptor-1.4.21-cve.patch to apply cleanly with 02-fix-639065
   applied first
 * adjust raptor-1.4.21-cve.patch to initialize entity_input to NULL to
   fix a compiler warning when compiling with -Wuninitialized.

Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers precise-updates
  APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 
'precise')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-24-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru raptor-1.4.21/debian/changelog raptor-1.4.21/debian/changelog
diff -Nru raptor-1.4.21/debian/control raptor-1.4.21/debian/control
--- raptor-1.4.21/debian/control	2012-03-23 00:24:07.000000000 -0500
+++ raptor-1.4.21/debian/control	2012-06-13 15:31:13.000000000 -0500
@@ -1,7 +1,8 @@
 Source: raptor
 Section: devel
 Priority: optional
-Maintainer: Dave Beckett <daj...@debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-disc...@lists.ubuntu.com>
+XSBC-Original-Maintainer: Dave Beckett <daj...@debian.org>
 Build-Depends: debhelper (>> 5), autotools-dev, cdbs, libtool (>= 1.5), libxml2-dev (>= 2.5.10), libcurl4-gnutls-dev, libxslt1-dev (>= 1.0.18)
 Standards-Version: 3.9.3
 Homepage: http://librdf.org/raptor/
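Review bot: The `Maintainer` rewrite and the added `XSBC-Original-Maintainer` field are Ubuntu packaging delta and are unrelated to the CVE fix described in the report. When this debdiff is applied to the Debian package, this hunk should be dropped so that `Maintainer: Dave Beckett <daj...@debian.org>` stays as it is.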
diff -Nru raptor-1.4.21/debian/patches/raptor-1.4.21-cve.patch raptor-1.4.21/debian/patches/raptor-1.4.21-cve.patch
--- raptor-1.4.21/debian/patches/raptor-1.4.21-cve.patch	2012-02-22 15:53:42.000000000 -0600
+++ raptor-1.4.21/debian/patches/raptor-1.4.21-cve.patch	2012-06-13 15:36:42.000000000 -0500
@@ -1,6 +1,7 @@
-diff -urN -X /home/dajobe/dev/dontdiff -x raptor.rdf -x file1.txt -x xmlent1.rdf -x rapper -x rdfdiff raptor-1.4.21.orig/src/raptor.h raptor-1.4.21/src/raptor.h
---- raptor-1.4.21.orig/src/raptor.h	2010-01-29 15:54:42.000000000 -0800
-+++ raptor-1.4.21/src/raptor.h	2012-02-04 15:29:56.000000000 -0800
+Index: raptor-1.4.21/src/raptor.h
+===================================================================
+--- raptor-1.4.21.orig/src/raptor.h	2010-01-29 17:54:42.000000000 -0600
++++ raptor-1.4.21/src/raptor.h	2012-06-13 15:24:20.000000000 -0500
 @@ -407,6 +407,7 @@
   * @RAPTOR_FEATURE_RSS_TRIPLES: Atom/RSS serializer writes extra RDF triples it finds (none, rdf-xml, atom-triples)
   * @RAPTOR_FEATURE_ATOM_ENTRY_URI: Atom entry URI.  If given, generate an Atom Entry Document with the item having the given URI, otherwise generate an Atom Feed Document with any items found.
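Review bot: The refreshed patch now begins directly at `Index: raptor-1.4.21/src/raptor.h` with no header, so nothing in the file itself ties it to CVE-2012-0037 or records where it came from. Since this patch was already shipped once without being applied, a DEP-3 header would help anyone auditing the package: `Description: fix CVE-2012-0037`, `Origin: <upstream commit or URL>`, `Bug-Debian: <bug URL>`. The same `Index:` header replacement repeats in the later per-file hunks and needs no separate comment there.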
@@ -19,9 +20,10 @@
  } raptor_feature;
  
  
-diff -urN -X /home/dajobe/dev/dontdiff -x raptor.rdf -x file1.txt -x xmlent1.rdf -x rapper -x rdfdiff raptor-1.4.21.orig/src/raptor_feature.c raptor-1.4.21/src/raptor_feature.c
---- raptor-1.4.21.orig/src/raptor_feature.c	2010-01-29 15:54:42.000000000 -0800
-+++ raptor-1.4.21/src/raptor_feature.c	2012-02-04 15:29:56.000000000 -0800
+Index: raptor-1.4.21/src/raptor_feature.c
+===================================================================
+--- raptor-1.4.21.orig/src/raptor_feature.c	2010-01-29 17:54:42.000000000 -0600
++++ raptor-1.4.21/src/raptor_feature.c	2012-06-13 15:24:20.000000000 -0500
 @@ -93,7 +93,8 @@
    { RAPTOR_FEATURE_JSON_EXTRA_DATA   , 6,  "jsonExtraData", "JSON serializer extra data" },
    { RAPTOR_FEATURE_RSS_TRIPLES       , 6,  "rssTriples", "Atom/RSS serializer writes extra RDF triples" },
@@ -32,18 +34,11 @@
  };
  
  
-diff -urN -X /home/dajobe/dev/dontdiff -x raptor.rdf -x file1.txt -x xmlent1.rdf -x rapper -x rdfdiff raptor-1.4.21.orig/src/raptor_internal.h raptor-1.4.21/src/raptor_internal.h
---- raptor-1.4.21.orig/src/raptor_internal.h	2010-01-29 15:54:42.000000000 -0800
-+++ raptor-1.4.21/src/raptor_internal.h	2012-02-04 15:30:55.000000000 -0800
-@@ -852,7 +852,6 @@
- 
- #ifdef RAPTOR_WWW_LIBCURL
- #include <curl/curl.h>
--#include <curl/types.h>
- #include <curl/easy.h>
- #endif
- 
-@@ -1060,6 +1059,14 @@
+Index: raptor-1.4.21/src/raptor_internal.h
+===================================================================
+--- raptor-1.4.21.orig/src/raptor_internal.h	2012-06-13 15:24:20.000000000 -0500
++++ raptor-1.4.21/src/raptor_internal.h	2012-06-13 15:25:58.000000000 -0500
+@@ -1058,6 +1058,14 @@
  
    /* sax2 init failed - do not try to do anything with it */
    int failed;
@@ -58,9 +53,10 @@
  };
  
  int raptor_sax2_init(raptor_world* world);
-diff -urN -X /home/dajobe/dev/dontdiff -x raptor.rdf -x file1.txt -x xmlent1.rdf -x rapper -x rdfdiff raptor-1.4.21.orig/src/raptor_libxml.c raptor-1.4.21/src/raptor_libxml.c
---- raptor-1.4.21.orig/src/raptor_libxml.c	2010-01-29 15:54:42.000000000 -0800
-+++ raptor-1.4.21/src/raptor_libxml.c	2012-02-22 12:29:38.000000000 -0800
+Index: raptor-1.4.21/src/raptor_libxml.c
+===================================================================
+--- raptor-1.4.21.orig/src/raptor_libxml.c	2010-01-29 17:54:42.000000000 -0600
++++ raptor-1.4.21/src/raptor_libxml.c	2012-06-13 15:24:20.000000000 -0500
 @@ -142,18 +142,120 @@
  
  static xmlParserInputPtr
@@ -73,7 +69,7 @@
 +  raptor_sax2* sax2 = (raptor_sax2*)user_data;
 +  xmlParserCtxtPtr ctxt = sax2->xc;
 +  const unsigned char *uri_string = NULL;
-+  xmlParserInputPtr entity_input;
++  xmlParserInputPtr entity_input = NULL;
 +  int load_entity = 0;
 +
 +  if(!ctxt)
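Review bot: Initialising `entity_input` to NULL may be more than a warning fix. If any path in this function reaches its return without assigning the variable, the previous version of the patch handed an indeterminate pointer back to libxml2, and the changelog should say so rather than describe the change as cosmetic. The function body continues outside the hunk, so this cannot be confirmed from the visible lines. A short comment would record the intent, for example `xmlParserInputPtr entity_input = NULL; /* stays NULL unless an input is created below */`.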
@@ -189,9 +185,10 @@
  
  static xmlEntityPtr
  raptor_libxml_getParameterEntity(void* user_data, const xmlChar *name) {
-diff -urN -X /home/dajobe/dev/dontdiff -x raptor.rdf -x file1.txt -x xmlent1.rdf -x rapper -x rdfdiff raptor-1.4.21.orig/src/raptor_parse.c raptor-1.4.21/src/raptor_parse.c
---- raptor-1.4.21.orig/src/raptor_parse.c	2010-01-29 15:54:42.000000000 -0800
-+++ raptor-1.4.21/src/raptor_parse.c	2012-02-04 15:29:56.000000000 -0800
+Index: raptor-1.4.21/src/raptor_parse.c
+===================================================================
+--- raptor-1.4.21.orig/src/raptor_parse.c	2010-01-29 17:54:42.000000000 -0600
++++ raptor-1.4.21/src/raptor_parse.c	2012-06-13 15:24:20.000000000 -0500
 @@ -1443,6 +1443,7 @@
      case RAPTOR_FEATURE_MICROFORMATS:
      case RAPTOR_FEATURE_HTML_LINK:
@@ -208,9 +205,10 @@
        result = parser->features[(int)feature];
        break;
  
-diff -urN -X /home/dajobe/dev/dontdiff -x raptor.rdf -x file1.txt -x xmlent1.rdf -x rapper -x rdfdiff raptor-1.4.21.orig/src/raptor_rdfxml.c raptor-1.4.21/src/raptor_rdfxml.c
---- raptor-1.4.21.orig/src/raptor_rdfxml.c	2010-01-29 15:54:42.000000000 -0800
-+++ raptor-1.4.21/src/raptor_rdfxml.c	2012-02-04 15:29:56.000000000 -0800
+Index: raptor-1.4.21/src/raptor_rdfxml.c
+===================================================================
+--- raptor-1.4.21.orig/src/raptor_rdfxml.c	2010-01-29 17:54:42.000000000 -0600
++++ raptor-1.4.21/src/raptor_rdfxml.c	2012-06-13 15:24:20.000000000 -0500
 @@ -1130,6 +1130,9 @@
    raptor_sax2_set_feature(rdf_xml_parser->sax2, 
                            RAPTOR_FEATURE_NO_NET,
@@ -221,9 +219,10 @@
    
    raptor_sax2_parse_start(rdf_xml_parser->sax2, uri);
  
-diff -urN -X /home/dajobe/dev/dontdiff -x raptor.rdf -x file1.txt -x xmlent1.rdf -x rapper -x rdfdiff raptor-1.4.21.orig/src/raptor_rss.c raptor-1.4.21/src/raptor_rss.c
---- raptor-1.4.21.orig/src/raptor_rss.c	2010-01-29 15:54:42.000000000 -0800
-+++ raptor-1.4.21/src/raptor_rss.c	2012-02-04 15:29:56.000000000 -0800
+Index: raptor-1.4.21/src/raptor_rss.c
+===================================================================
+--- raptor-1.4.21.orig/src/raptor_rss.c	2010-01-29 17:54:42.000000000 -0600
++++ raptor-1.4.21/src/raptor_rss.c	2012-06-13 15:24:20.000000000 -0500
 @@ -247,6 +247,9 @@
    raptor_sax2_set_feature(rss_parser->sax2, 
                            RAPTOR_FEATURE_NO_NET,
@@ -234,9 +233,10 @@
    
    raptor_sax2_parse_start(rss_parser->sax2, uri);
  
-diff -urN -X /home/dajobe/dev/dontdiff -x raptor.rdf -x file1.txt -x xmlent1.rdf -x rapper -x rdfdiff raptor-1.4.21.orig/src/raptor_sax2.c raptor-1.4.21/src/raptor_sax2.c
---- raptor-1.4.21.orig/src/raptor_sax2.c	2010-01-29 15:54:42.000000000 -0800
-+++ raptor-1.4.21/src/raptor_sax2.c	2012-02-04 15:29:56.000000000 -0800
+Index: raptor-1.4.21/src/raptor_sax2.c
+===================================================================
+--- raptor-1.4.21.orig/src/raptor_sax2.c	2010-01-29 17:54:42.000000000 -0600
++++ raptor-1.4.21/src/raptor_sax2.c	2012-06-13 15:24:20.000000000 -0500
 @@ -106,6 +106,8 @@
  
    sax2->user_data=user_data;
@@ -335,9 +335,10 @@
      return 0;
  
    if(sax2->external_entity_ref_handler)
-diff -urN -X /home/dajobe/dev/dontdiff -x raptor.rdf -x file1.txt -x xmlent1.rdf -x rapper -x rdfdiff raptor-1.4.21.orig/src/raptor_serialize.c raptor-1.4.21/src/raptor_serialize.c
---- raptor-1.4.21.orig/src/raptor_serialize.c	2010-01-29 15:54:42.000000000 -0800
-+++ raptor-1.4.21/src/raptor_serialize.c	2012-02-04 15:29:56.000000000 -0800
+Index: raptor-1.4.21/src/raptor_serialize.c
+===================================================================
+--- raptor-1.4.21.orig/src/raptor_serialize.c	2010-01-29 17:54:42.000000000 -0600
++++ raptor-1.4.21/src/raptor_serialize.c	2012-06-13 15:24:20.000000000 -0500
 @@ -974,6 +974,7 @@
  
      /* Shared */
@@ -370,9 +371,10 @@
  
      /* XML writer features */
      case RAPTOR_FEATURE_WRITER_AUTO_INDENT:
-diff -urN -X /home/dajobe/dev/dontdiff -x raptor.rdf -x file1.txt -x xmlent1.rdf -x rapper -x rdfdiff raptor-1.4.21.orig/src/raptor_turtle_writer.c raptor-1.4.21/src/raptor_turtle_writer.c
---- raptor-1.4.21.orig/src/raptor_turtle_writer.c	2010-01-29 15:54:42.000000000 -0800
-+++ raptor-1.4.21/src/raptor_turtle_writer.c	2012-02-04 15:29:56.000000000 -0800
+Index: raptor-1.4.21/src/raptor_turtle_writer.c
+===================================================================
+--- raptor-1.4.21.orig/src/raptor_turtle_writer.c	2010-01-29 17:54:42.000000000 -0600
++++ raptor-1.4.21/src/raptor_turtle_writer.c	2012-06-13 15:24:20.000000000 -0500
 @@ -740,6 +740,7 @@
  
      /* Shared */
@@ -389,9 +391,10 @@
  
      /* XML writer features */
      case RAPTOR_FEATURE_RELATIVE_URIS:
-diff -urN -X /home/dajobe/dev/dontdiff -x raptor.rdf -x file1.txt -x xmlent1.rdf -x rapper -x rdfdiff raptor-1.4.21.orig/src/raptor_xml_writer.c raptor-1.4.21/src/raptor_xml_writer.c
---- raptor-1.4.21.orig/src/raptor_xml_writer.c	2010-01-29 15:54:42.000000000 -0800
-+++ raptor-1.4.21/src/raptor_xml_writer.c	2012-02-04 15:29:56.000000000 -0800
+Index: raptor-1.4.21/src/raptor_xml_writer.c
+===================================================================
+--- raptor-1.4.21.orig/src/raptor_xml_writer.c	2010-01-29 17:54:42.000000000 -0600
++++ raptor-1.4.21/src/raptor_xml_writer.c	2012-06-13 15:24:20.000000000 -0500
 @@ -973,6 +973,7 @@
  
      /* Shared */
diff -Nru raptor-1.4.21/debian/patches/series raptor-1.4.21/debian/patches/series
--- raptor-1.4.21/debian/patches/series	2011-08-26 09:54:12.000000000 -0500
+++ raptor-1.4.21/debian/patches/series	2012-06-13 15:31:13.000000000 -0500
@@ -1,2 +1,3 @@
 01-write_bytes.patch
 02-fix-639065
+raptor-1.4.21-cve.patch
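Review bot: The new entry must stay after `02-fix-639065`, but the series file does not record that ordering. The refreshed `raptor_internal.h` hunk no longer carries the `curl/types.h` removal, and its offsets assume `02-fix-639065` is already applied. A comment line above the entry would document this: `# keep after 02-fix-639065: raptor_internal.h hunk is refreshed against it`. Since 1.4.21-7 shipped with the patch file present but not applied, it is also worth confirming in the build log that `raptor-1.4.21-cve.patch` is applied before treating the package as fixed.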
