Details: https://nvd.nist.gov/vuln/detail/CVE-2024-57822
Pick the patch mentioned in the related github issue[1]. The issue contains fixes for 2 issues, but only the second patch is related to this vulnerability. [1]: https://github.com/dajobe/raptor/issues/70 Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../raptor2/files/CVE-2024-57823.patch | 29 +++++++++++++++++++ .../recipes-support/raptor2/raptor2_2.0.15.bb | 1 + 2 files changed, 30 insertions(+) create mode 100644 meta-oe/recipes-support/raptor2/files/CVE-2024-57823.patch diff --git a/meta-oe/recipes-support/raptor2/files/CVE-2024-57823.patch b/meta-oe/recipes-support/raptor2/files/CVE-2024-57823.patch new file mode 100644 index 0000000000..8e5a03379c --- /dev/null +++ b/meta-oe/recipes-support/raptor2/files/CVE-2024-57823.patch @@ -0,0 +1,29 @@ +From 8071a8c4f379831d2c975e04a3197d13ec4d44a3 Mon Sep 17 00:00:00 2001 +From: Dave Beckett <[email protected]> +Date: Fri, 7 Feb 2025 11:38:34 -0800 +Subject: [PATCH] Fix Github issue 70 B) Heap read buffer overflow in ntriples + bnode + +(raptor_ntriples_parse_term_internal): Only allow looking at the last +character of a bnode ID only if bnode length >0 + +CVE: CVE-2024-57823 +Upstream-Status: Backport [https://github.com/dajobe/raptor/commit/ece2c79df43091686a538b8231cf387d84bfa60e] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + src/raptor_ntriples.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/raptor_ntriples.c b/src/raptor_ntriples.c +index 60fd3aa..c44f8c4 100644 +--- a/src/raptor_ntriples.c ++++ b/src/raptor_ntriples.c +@@ -208,7 +208,7 @@ raptor_ntriples_parse_term_internal(raptor_world* world, + locator->column--; + locator->byte--; + } +- if(term_class == RAPTOR_TERM_CLASS_BNODEID && dest[-1] == '.') { ++ if(term_class == RAPTOR_TERM_CLASS_BNODEID && position > 0 && dest[-1] == '.') { + /* If bnode id ended on '.' move back one */ + dest--; + diff --git a/meta-oe/recipes-support/raptor2/raptor2_2.0.15.bb b/meta-oe/recipes-support/raptor2/raptor2_2.0.15.bb index d110b8475f..422326d2b6 100644 --- a/meta-oe/recipes-support/raptor2/raptor2_2.0.15.bb +++ b/meta-oe/recipes-support/raptor2/raptor2_2.0.15.bb @@ -14,6 +14,7 @@ SRC_URI = "http://download.librdf.org/source/${BPN}-${PV}.tar.gz \ file://CVE-2017-18926.patch \ file://CVE-2020-25713.patch \ file://CVE-2024-57822.patch \ + file://CVE-2024-57823.patch \ " SRC_URI[md5sum] = "a39f6c07ddb20d7dd2ff1f95fa21e2cd" SRC_URI[sha256sum] = "ada7f0ba54787b33485d090d3d2680533520cd4426d2f7fb4782dd4a6a1480ed"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#123380): https://lists.openembedded.org/g/openembedded-devel/message/123380 Mute This Topic: https://lists.openembedded.org/mt/117221610/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
