librdf_raptor2: add patch for CVE-2017-18926 #103134
Fixes two heap overflows in the raptor2 RDF parsing library. https://www.openwall.com/lists/oss-security/2017/06/07/1
Builds for me.
Also this is the CVE page: https://nvd.nist.gov/vuln/detail/CVE-2017-18926
Was somewhat difficult to find a chain of links from that CVE page to the patch, but I found it. So I'm certain that this patch fixes the issue.
I found the patch via https://security-tracker.debian.org/tracker/CVE-2017-18926.
Backports: I also asked the author to link the patch on the CVE page.
And just today on
Yeah I actually got to this issue because I read a German article from Hanno Böck where he was ranting about the problem ^^
I'm a bit saddened by the following statement
What else is there to go on really? But sure, maybe this is a discussion to be had.
Yeah that's somewhat depressing analysis. Don't think there is a better identification mechanism than CVEs atm in this heterogeneous ecosystem…
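The shape of the change this PR makes, written as a nixpkgs overlay. This is an added illustration, not the PR's own diff: the patch URL is a placeholder, `prev.lib.fakeSha256` is a stand-in hash to be replaced with the one nix reports, and the point is that `fetchpatch` pins the downloaded fix by hash so a changed or tampered download fails the build rather than being applied silently.

```nix
# Added example (not the PR's diff): append the upstream fix for
# CVE-2017-18926 to librdf_raptor2's patch list via fetchpatch.
# fetchpatch normalises the patch and verifies it against sha256, so the
# build fails if the fetched content ever differs from what was reviewed.
final: prev: {
  librdf_raptor2 = prev.librdf_raptor2.overrideAttrs (old: {
    patches = (old.patches or [ ]) ++ [
      (prev.fetchpatch {
        name = "raptor2-CVE-2017-18926.patch";
        # Placeholder URL: point this at the reviewed upstream commit/patch.
        url = "https://example.invalid/PLACEHOLDER-raptor2-CVE-2017-18926.patch";
        # Placeholder hash: build once, then paste the hash nix reports.
        sha256 = prev.lib.fakeSha256;
      })
    ];
  });
}
```

Rebuilding the package with the overlay applied, then running the dependents with `nixpkgs-review wip` as the PR template asks, confirms the patch applies cleanly and nothing downstream regresses.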