Sync from SUSE:SLFO:Main graphviz revision 5e06e215427194a40d29f636f27e6ece

graphviz-rpmlintrc

@@ -1,6 +1,4 @@
 # This line is mandatory to access the configuration functions
 from Config import *
 
-addFilter("graphviz-tcl.* devel-file-in-non-devel-package")
 addFilter("lib.* obsolete-not-provided libgraphviz6")
-addFilter("liblab_gamut.* shared-library-without-dependency-information")

graphviz.changes

@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Thu Mar  7 14:57:35 UTC 2024 - Thomas Renninger <trenn@suse.de>
+
+- VUL-0: CVE-2023-46045: graphviz: out-of-bounds read via a crafted config6a file
+  bsc#1219491
+A gvc-detect-plugin-installation-failure-and-display-an-error.patch
+- Some alphabetical re-ordering and other spec file changes which should
+  not have any functional change which came from some kind of auto-spec
+  cleaner
+
+-------------------------------------------------------------------
+Thu Feb 22 07:45:53 UTC 2024 - Michael Vetter <mvetter@suse.com>
+
+- Use %patch -P N instead of deprecated %patchN.
+- Update graphviz-rpmlintrc
+
+-------------------------------------------------------------------
+Tue Nov 28 10:23:46 UTC 2023 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- Require bitstream-vera-fonts for correct .png rendering by doxygen+dot
+
 -------------------------------------------------------------------
 Wed Mar  1 23:16:17 UTC 2023 - Stefan Brüns <stefan.bruens@rwth-aachen.de>
 

graphviz.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package graphviz
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,43 +17,32 @@
 
 
 %global flavor @BUILD_FLAVOR@%{nil}
-
 %if "%{flavor}" != ""
 %define psuffix -%{flavor}
 %else
 %define psuffix %{nil}
 %endif
-
 #fixes build failure caused by new .debug files, not sure how to fix correctly
-
 %define mname graphviz
 # name of the plugin config file that dot creates
 %define config_file config6
-# Java and ocaml are not in ring1, thus this gets overriden in staging
-# Also, both install into generic locations instead of a language
-# specific prefix, disable both
-%bcond_with    java
-%bcond_with    ocaml
 %if "%{flavor}" == "addons"
+%define phpconf_dir %{_sysconfdir}/php%{php_version}/conf.d
+%define phpext_dir  %(%{__php_config} --extension-dir)
+%define ruby_version $(pkg-config --variable=RUBY_API_VERSION %{_libdir}/pkgconfig/ruby-*.pc)
 # PHP8 requires swig >= 4.1.0, https://github.com/swig/swig/commit/56d74355735f3661406d69d04d89d1bdb4ca96f9
 %if 0%{?suse_version} >= 1599
 %define php_version 8
 %else
 %define php_version 7
 %endif
-%define phpconf_dir %{_sysconfdir}/php%{php_version}/conf.d
-%define phpext_dir  %(%{__php_config} --extension-dir)
-
-%define ruby_version $(pkg-config --variable=RUBY_API_VERSION %{_libdir}/pkgconfig/ruby-*.pc)
 %endif
-
 # No pkgconfig(gts) in sle12 GA or SPx, but in sle15
 %if 0%{?suse_version} == 1315 && !0%{?is_opensuse}
 %bcond_with    gts
 %else
 %bcond_without gts
 %endif
-
 %define cdt_soversion 5
 %define cgraph_soversion 6
 %define gvc_soversion 6
@@ -61,7 +50,11 @@
 %define lab_gamut_soversion 1
 %define pathplan_soversion 4
 %define xdot_soversion 4
-
+# Java and ocaml are not in ring1, thus this gets overriden in staging
+# Also, both install into generic locations instead of a language
+# specific prefix, disable both
+%bcond_with    java
+%bcond_with    ocaml
 Name:           graphviz%{psuffix}
 Version:        2.49.3
 Release:        0
@@ -83,7 +76,8 @@ Patch5:         graphviz-no_strict_aliasing.patch
 Patch6:         graphviz-no_php_extra_libs.patch
 # https://gitlab.com/graphviz/graphviz/-/issues/2303
 Patch7:         swig-4.1.0.patch
-
+#PATCH-FIX-UPSTREAM gvc: detect plugin installation failure and display an error
+Patch8:         gvc-detect-plugin-installation-failure-and-display-an-error.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bison
@@ -96,12 +90,13 @@ BuildRequires:  libstdc++-devel
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(expat)
+BuildRequires:  pkgconfig(zlib)
+Requires:       bitstream-vera-fonts
+Requires:       graphviz-plugins-core = %{version}
+Recommends:     graphviz-gd = %{version}
 %if %{with gts}
 BuildRequires:  pkgconfig(gts)
 %endif
-BuildRequires:  pkgconfig(zlib)
-Requires:       graphviz-plugins-core = %{version}
-Recommends:     graphviz-gd = %{version}
 %if "%{flavor}" == "addons"
 BuildRequires:  freeglut-devel
 BuildRequires:  ghostscript
@@ -109,13 +104,6 @@ BuildRequires:  libjpeg-devel
 BuildRequires:  libpng-devel
 BuildRequires:  libwebp-devel
 BuildRequires:  perl
-%if %{php_version} == 8
-BuildRequires:  php8-devel
-BuildRequires:  swig >= 4.1.0
-%else
-BuildRequires:  php7-devel
-BuildRequires:  swig >= 3.0.11
-%endif
 BuildRequires:  ruby-devel
 BuildRequires:  pkgconfig(cairo)
 BuildRequires:  pkgconfig(fontconfig)
@@ -136,6 +124,13 @@ BuildRequires:  pkgconfig(tcl)
 BuildRequires:  pkgconfig(x11)
 BuildRequires:  pkgconfig(xaw7)
 BuildRequires:  pkgconfig(xext)
+%if %{php_version} == 8
+BuildRequires:  php8-devel
+BuildRequires:  swig >= 4.1.0
+%else
+BuildRequires:  php7-devel
+BuildRequires:  swig >= 3.0.11
+%endif
 %if %{with java}
 BuildRequires:  java-devel >= 1.6.0
 %endif
@@ -175,7 +170,7 @@ Experimental large graph viewer using graphviz
 Summary:        Graphviz plugins that use gtk/GNOME
 Group:          Productivity/Graphics/Visualization/Graph
 Requires(post): graphviz = %{version}
-Supplements:    packageand(graphviz:xorg-x11-fonts-core)
+Supplements:    (graphviz and xorg-x11-fonts-core)
 
 %description -n graphviz-gnome
 Graphviz plugins that use gtk/GNOME.
@@ -405,14 +400,15 @@ programs that use the graphviz libraries including man3 pages.
 %prep
 #autosetup breaks graphviz-addons
 %setup -q -n %{mname}-%{version}
-%patch0
-%patch1
-%patch2
-%patch3
-%patch4
-%patch5 -p1
-%patch6
-%patch7 -p1
+%patch -P 0
+%patch -P 1
+%patch -P 2
+%patch -P 3
+%patch -P 4
+%patch -P 5 -p1
+%patch -P 6
+%patch -P 7 -p1
+%patch -P 8 -p1
 
 # pkg-config returns 0 (TRUE) when guile-2.2 is present
 if pkg-config --atleast-version=2.2 guile-2.2; then

gvc-detect-plugin-installation-failure-and-display-an-error.patch

@@ -0,0 +1,31 @@
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Subject: gvc: detect plugin installation failure and display an error
+References: bsc#1219491
+Patch-Mainline: 10.0.1
+Git-commit: a95f977f5d809915ec4b14836d2b5b7f5e74881e
+Git-repo: git@gitlab.com:graphviz/graphviz.git.git
+
+Gitlab: fixes #2441
+Reported-by: GJDuck
+
+A malformed config6 file that leads to plugin search failing no longer causes
+out-of-bounds memory reads. This now causes an error message and graceful
+failure. #2441
+
+
+Signed-off-by:  <trenn@suse.com>
+Index: graphviz-2.49.3/lib/gvc/gvconfig.c
+===================================================================
+--- graphviz-2.49.3.orig/lib/gvc/gvconfig.c
++++ graphviz-2.49.3/lib/gvc/gvconfig.c
+@@ -183,6 +183,10 @@ static int gvconfig_plugin_install_from_
+ 	do {
+ 	    api = token(&nest, &s);
+ 	    gv_api = gvplugin_api(api);
++	    if (gv_api == (api_t)-1) {
++		agerr(AGERR, "config error: %s %s not found\n", path, api);
++		return 0;
++	    }
+ 	    do {
+ 		if (nest == 2) {
+ 		    type = token(&nest, &s);