[arch-commits] Commit in raptor/trunk (PKGBUILD raptor-2.0.15-out_of_bounds.patch)

David Runge dvzrv at archlinux.org
Fri Nov 13 19:26:44 UTC 2020


    Date: Friday, November 13, 2020 @ 19:26:44
  Author: dvzrv
Revision: 400763

upgpkg: raptor 2.0.15-14: Rebuild to fix CVE-2017-18926.

Switch to correct list of licenses (Apache, GPL2, LGPL2.1).
Add all available sodeps in package() and the respective packages to makedepends.
Add libraptor2.so to provides.
Apply upstreamed patch to fix CVE-2017-18926 (FS#68613).
Apply patch to fix out-of-bounds read.
Remove unused configure flag.
Run check() but do not fail on running tests (known problems with test suite).
Install docs.
Update maintainer info.

Added:
  raptor/trunk/raptor-2.0.15-out_of_bounds.patch
Modified:
  raptor/trunk/PKGBUILD

-----------------------------------+
 PKGBUILD                          |   59 ++++++++++++++++++++++++++----------
 raptor-2.0.15-out_of_bounds.patch |   14 ++++++++
 2 files changed, 57 insertions(+), 16 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2020-11-13 17:59:01 UTC (rev 400762)
+++ PKGBUILD	2020-11-13 19:26:44 UTC (rev 400763)
@@ -1,36 +1,63 @@
-# Maintainer: Tom Gundersen <teg at jklm.no>
+# Maintainer: David Runge <dvzrv at archlinux.org>
+# Contributor: Tom Gundersen <teg at jklm.no>
 # Contributor: Andreas Radke <andyrtr at archlinux.org>
 # Contributor: eric <eric at archlinux.org>
 # Contributor: Damir Perisa <damir.perisa at bluewin.ch>
 
+_name=raptor2
 pkgname=raptor
 pkgver=2.0.15
-pkgrel=13
+pkgrel=14
 pkgdesc="A C library that parses RDF/XML/N-Triples into RDF triples"
 arch=('x86_64')
 url="http://librdf.org/raptor"
-depends=('curl' 'libxslt' 'icu')
-license=('LGPL')
-source=("http://librdf.org/dist/source/raptor2-$pkgver.tar.gz"{,.asc})
-sha256sums=('ada7f0ba54787b33485d090d3d2680533520cd4426d2f7fb4782dd4a6a1480ed'
-            'SKIP')
+license=('Apache' 'GPL2' 'LGPL2.1')
+depends=('glibc' 'libxml2' 'libxslt' 'xz' 'zlib')
+makedepends=('curl' 'icu')
+provides=('libraptor2.so')
+source=("http://librdf.org/dist/source/${_name}-$pkgver.tar.gz"{,.asc}
+        "${pkgname}-2.0.15-CVE-2017-18926.patch::https://github.com/dajobe/raptor/commit/590681e546cd9aa18d57dc2ea1858cb734a3863f.patch"
+        "${pkgname}-2.0.15-out_of_bounds.patch")
+sha512sums=('563dd01869eb4df8524ec12e2c0a541653874dcd834bd1eb265bc2943bb616968f624121d4688579cdce11b4f00a8ab53b7099f1a0850e256bb0a2c16ba048ee'
+            'SKIP'
+            '203ae75dae8242fb7988a199df8a7337b0660871f5caa6c9098167536ba880ad55765bb60fd4315020f208ed3ae8dc03eb1b91241851410a961a797192ecb969'
+            '140f90d74fad8cdc6ef7fa14fa655e425552947d57068021362f8ae9efdded8ed31295e9bdd495fe70e646967062e28fa3ecd5831f9902134da5fe0a82607735')
+b2sums=('0a39c7b5705bfbf2daa0ca633f79693953b4dfe24c144008d1646a9840a36d4d7ce153b527450647127ec2522047dbd0a6e71f307ee5656951f7e4b610adfd22'
+        'SKIP'
+        'a3f83e34686dfd55ad1c4b9e97f6ae046be31b8224846dfa2b83ba9228cb987c6ebb19f37f48c196fab56a1e1d007d71225ed12acc2188e088b95c7cff5a0beb'
+        'ab11eeb648bf2cf8ac4ef4bbff4cdb77d1b713ad086268b656c7249363bf5752b535763f9a9fd34be4d72b3ff420cd87ee6970d3da6e24e5e2b067b9dbb9c29e')
 validpgpkeys=('F879F0DEDA780198DD08DC6443EC92504F71955A') # Dave Beckett <dave at dajobe.org>
 
+prepare() {
+  mv -v "${_name}-${pkgver}" "${pkgname}-${pkgver}"
+  cd "${pkgname}-${pkgver}"
+  # fix CVE-2017-18926:
+  # https://bugs.archlinux.org/task/68613
+  patch -Np1 -i "../${pkgname}-2.0.15-CVE-2017-18926.patch"
+  # fix out-of-bounds read:
+  # https://bugs.librdf.org/mantis/view.php?id=650
+  patch -Np1 -i "../${pkgname}-2.0.15-out_of_bounds.patch"
+  # autoreconf -vfi
+}
+
 build() {
-  cd raptor2-${pkgver}
+  cd "${pkgname}-${pkgver}"
 
-  ./configure --prefix=/usr \
-    --disable-static \
-    --with-yajl=no \
-    --with-icu-config=/usr/bin/icu-config
+  ./configure --prefix='/usr' \
+              --disable-static \
+              --with-icu-config='/usr/bin/icu-config'
   make
 }
 
-#check() {
-#	make -C "raptor2-$pkgver" check // currently does not work
-#}
+check() {
+  cd "${pkgname}-${pkgver}"
+  make check || echo "Known to fail."
+}
 
 package() {
-  cd raptor2-${pkgver}
+  depends+=('libcurl.so' 'libicudata.so' 'libicui18n.so' 'libicuuc.so')
+  cd "${pkgname}-${pkgver}"
   make prefix="${pkgdir}"/usr install
+  install -vDm 644 {AUTHORS,ChangeLog*,README} \
+    -t "${pkgdir}/usr/share/doc/${pkgname}/"
 }
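Review bot: In check(), `make check || echo "Known to fail."` turns every test failure into a success, so a regression introduced by either of the two patches applied in prepare() would pass the build unnoticed. If the known failures cannot be narrowed down, at least record which tests are expected to fail and where that is tracked, e.g. `# known failures: <test names> (see <upstream issue URL>); drop the fallback once fixed`, and consider `make -k check || echo "Known to fail."` so the build log lists every failing test rather than stopping at the first failing directory. Separately, the CVE-2017-18926 patch is fetched from a forge-generated `.patch` URL. The pinned sha512/b2 sums protect its integrity, but if that generated output ever changes the build will fail on checksum, so vendoring it next to `raptor-2.0.15-out_of_bounds.patch` would be more robust.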

Added: raptor-2.0.15-out_of_bounds.patch
===================================================================
--- raptor-2.0.15-out_of_bounds.patch	                        (rev 0)
+++ raptor-2.0.15-out_of_bounds.patch	2020-11-13 19:26:44 UTC (rev 400763)
@@ -0,0 +1,14 @@
+diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
+index 56993dc3..163f34d5 100644
+--- a/src/raptor_xml_writer.c
++++ b/src/raptor_xml_writer.c
+@@ -216,6 +216,9 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
+ 
+   if(nstack && element->attributes) {
+     for(i = 0; i < element->attribute_count; i++) {
++      if (nspace_declarations_count > element->attribute_count)
++        goto error;
++
+       /* qname */
+       if(element->attributes[i]->nspace) {
+         /* Check if we need a namespace declaration attribute */
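Review bot: The added guard compares `nspace_declarations_count` against `element->attribute_count` with `>`, but the allocation this counter presumably indexes is not visible in the hunk, so it cannot be confirmed from here that a count equal to `attribute_count` is still in bounds. The function, including that allocation and the `error` label, starts and ends outside the hunk. It is worth checking the bound against the real capacity of the declarations array and using `>=` if the counter serves as the next write index. A comment such as `/* stop before the namespace declaration array is indexed past its allocation */` would make the intent clear. The patch file also carries no header naming its origin, so the reference the PKGBUILD already gives (`https://bugs.librdf.org/mantis/view.php?id=650`) could be repeated at its top.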


