Bugzilla – Bug 1178903
VUL-0: CVE-2020-25713: raptor: OOB array access
Last modified: 2024-05-09 19:26:15 UTC
CVE-2020-25713

via oss-security:

FWIW I recently tried to fuzz raptor again with the fix applied. I quickly found another OOB issue
https://bugs.librdf.org/mantis/view.php?id=650

From the bug report:

A malformed input file can lead to a segfault due to an out of bounds array access in raptor_xml_writer_start_element_common.

Bug happens in line 230 of raptor_xml_writer.c (current git):
https://github.com/dajobe/raptor/blob/master/src/raptor_xml_writer.c#L230

From looking at that code it seems to me it always expects nspace_declarations_count to be lower than element->attribute_count, however this input seems to create a different situation.

I made an attempt at a patch that throws an error in this situation (but please review it, I am not familiar with what this code does and should do - though the patch doesn't seem to introduce test failures).

References:
http://seclists.org/oss-sec/2020/q4/128
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25713

See also: https://bugzilla.suse.com/show_bug.cgi?id=1178593
SUSE:SLE-11:Update raptor Affected
SUSE:SLE-12:Update raptor Affected
SUSE:SLE-15:Update raptor Affected
SUSE:SLE-15-SP2:Update raptor Affected

CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch:
https://bugs.librdf.org/mantis/file_download.php?file_id=350&type=bug
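
The failure mode described in the report above, as an added example: a simplified model of a loop bounded by one count that indexes an array sized by another, next to a checked form that rejects the input. This is not raptor's source and not the patch attached to the upstream report; all type and function names are hypothetical and the sample data is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins; not raptor's real types. */
struct ns { const char *prefix; };
struct attr { const struct ns *nspace; };
struct element {
  struct attr **attributes;   /* holds attribute_count entries */
  size_t attribute_count;
};

/* Unchecked pattern: j is bounded by the declaration count but also indexes
 * attributes[], so decl_count > attribute_count reads past the array end. */
int count_matches_unchecked(const struct element *el,
                            const struct ns **decls, size_t decl_count)
{
  int matches = 0;
  for (size_t j = 0; j < decl_count; j++)
    if (decls[j] == el->attributes[j]->nspace)
      matches++;
  return matches;
}

/* Checked form: refuse the input when the assumed relation does not hold. */
int count_matches_checked(const struct element *el,
                          const struct ns **decls, size_t decl_count)
{
  if (decl_count > el->attribute_count)
    return -1;                /* malformed input: report an error instead */
  return count_matches_unchecked(el, decls, decl_count);
}

/* Constructed sample data: one attribute, up to two namespace declarations. */
static const struct ns ns_a = { "a" }, ns_b = { "b" };
static struct attr attr0 = { &ns_a };
static struct attr *attrs[] = { &attr0 };
static const struct ns *sample_decls[] = { &ns_a, &ns_b };

int demo(size_t decl_count)
{
  struct element el = { attrs, 1 };
  return count_matches_checked(&el, sample_decls, decl_count);
}

int main(void)
{
  printf("%d %d\n", demo(1), demo(2));
  return 0;
}
```
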
SUSE-SU-2022:2896-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1178903
CVE References: CVE-2020-25713
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): raptor-2.0.15-150200.9.12.1
openSUSE Leap 15.3 (src): raptor-2.0.15-150200.9.12.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): raptor-2.0.15-150200.9.12.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (src): raptor-2.0.15-150200.9.12.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): raptor-2.0.15-150200.9.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2895-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1178903
CVE References: CVE-2020-25713
JIRA References:
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src): raptor-2.0.15-5.6.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): raptor-2.0.15-5.6.1
SUSE Linux Enterprise Server 12-SP5 (src): raptor-2.0.15-5.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.