diff --git a/graphviz-rpmlintrc b/graphviz-rpmlintrc index 2c426e6..812fe07 100644 --- a/graphviz-rpmlintrc +++ b/graphviz-rpmlintrc @@ -1,6 +1,4 @@ # This line is mandatory to access the configuration functions from Config import * -addFilter("graphviz-tcl.* devel-file-in-non-devel-package") addFilter("lib.* obsolete-not-provided libgraphviz6") -addFilter("liblab_gamut.* shared-library-without-dependency-information") diff --git a/graphviz.changes b/graphviz.changes index 7a34fb0..cc6c7c6 100644 --- a/graphviz.changes +++ b/graphviz.changes @@ -1,3 +1,24 @@ +------------------------------------------------------------------- +Thu Mar 7 14:57:35 UTC 2024 - Thomas Renninger + +- VUL-0: CVE-2023-46045: graphviz: out-of-bounds read via a crafted config6a file + bsc#1219491 +A gvc-detect-plugin-installation-failure-and-display-an-error.patch +- Some alphabetical re-ordering and other spec file changes which should + not have any functional change which came from some kind of auto-spec + cleaner + +------------------------------------------------------------------- +Thu Feb 22 07:45:53 UTC 2024 - Michael Vetter + +- Use %patch -P N instead of deprecated %patchN. +- Update graphviz-rpmlintrc + +------------------------------------------------------------------- +Tue Nov 28 10:23:46 UTC 2023 - Bernhard Wiedemann + +- Require bitstream-vera-fonts for correct .png rendering by doxygen+dot + ------------------------------------------------------------------- Wed Mar 1 23:16:17 UTC 2023 - Stefan BrĂ¼ns diff --git a/graphviz.spec b/graphviz.spec index cf22e8a..bb9cc91 100644 --- a/graphviz.spec +++ b/graphviz.spec @@ -1,7 +1,7 @@ # # spec file for package graphviz # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,43 +17,32 @@ %global flavor @BUILD_FLAVOR@%{nil} - %if "%{flavor}" != "" %define psuffix -%{flavor} %else %define psuffix %{nil} %endif - #fixes build failure caused by new .debug files, not sure how to fix correctly - %define mname graphviz # name of the plugin config file that dot creates %define config_file config6 -# Java and ocaml are not in ring1, thus this gets overriden in staging -# Also, both install into generic locations instead of a language -# specific prefix, disable both -%bcond_with java -%bcond_with ocaml %if "%{flavor}" == "addons" +%define phpconf_dir %{_sysconfdir}/php%{php_version}/conf.d +%define phpext_dir %(%{__php_config} --extension-dir) +%define ruby_version $(pkg-config --variable=RUBY_API_VERSION %{_libdir}/pkgconfig/ruby-*.pc) # PHP8 requires swig >= 4.1.0, https://github.com/swig/swig/commit/56d74355735f3661406d69d04d89d1bdb4ca96f9 %if 0%{?suse_version} >= 1599 %define php_version 8 %else %define php_version 7 %endif -%define phpconf_dir %{_sysconfdir}/php%{php_version}/conf.d -%define phpext_dir %(%{__php_config} --extension-dir) - -%define ruby_version $(pkg-config --variable=RUBY_API_VERSION %{_libdir}/pkgconfig/ruby-*.pc) %endif - # No pkgconfig(gts) in sle12 GA or SPx, but in sle15 %if 0%{?suse_version} == 1315 && !0%{?is_opensuse} %bcond_with gts %else %bcond_without gts %endif - %define cdt_soversion 5 %define cgraph_soversion 6 %define gvc_soversion 6 @@ -61,7 +50,11 @@ %define lab_gamut_soversion 1 %define pathplan_soversion 4 %define xdot_soversion 4 - +# Java and ocaml are not in ring1, thus this gets overriden in staging +# Also, both install into generic locations instead of a language +# specific prefix, disable both +%bcond_with java +%bcond_with ocaml Name: graphviz%{psuffix} Version: 2.49.3 Release: 0 
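Review bot: `%define phpconf_dir %{_sysconfdir}/php%{php_version}/conf.d` is now placed before the `%if 0%{?suse_version} >= 1599` block that defines `php_version`, so the macro reads as a forward reference; as far as I recall rpm expands a `%define` body at use rather than at definition, so it should still resolve, but that is worth confirming on both the PHP 8 and PHP 7 branches rather than trusting the order an automated cleaner produced. Either move the three `%define` lines back below the `%endif` that closes the php_version block, or put `# php_version is defined below; %define bodies are expanded at use time` above them. The same question applies to `%define phpext_dir %(%{__php_config} --extension-dir)`, whose `%()` shell call would, if I remember the semantics correctly, run at definition time only if this were a `%global`.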
@@ -83,7 +76,8 @@ Patch5: graphviz-no_strict_aliasing.patch
 Patch6: graphviz-no_php_extra_libs.patch
 # https://gitlab.com/graphviz/graphviz/-/issues/2303
 Patch7: swig-4.1.0.patch
-
+#PATCH-FIX-UPSTREAM gvc: detect plugin installation failure and display an error
+Patch8: gvc-detect-plugin-installation-failure-and-display-an-error.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: bison
@@ -96,12 +90,13 @@ BuildRequires: libstdc++-devel
 BuildRequires: libtool
 BuildRequires: pkgconfig
 BuildRequires: pkgconfig(expat)
+BuildRequires: pkgconfig(zlib)
+Requires: bitstream-vera-fonts
+Requires: graphviz-plugins-core = %{version}
+Recommends: graphviz-gd = %{version}
 %if %{with gts}
 BuildRequires: pkgconfig(gts)
 %endif
-BuildRequires: pkgconfig(zlib)
-Requires: graphviz-plugins-core = %{version}
-Recommends: graphviz-gd = %{version}
 %if "%{flavor}" == "addons"
 BuildRequires: freeglut-devel
 BuildRequires: ghostscript
@@ -109,13 +104,6 @@ BuildRequires: libjpeg-devel
 BuildRequires: libpng-devel
 BuildRequires: libwebp-devel
 BuildRequires: perl
-%if %{php_version} == 8
-BuildRequires: php8-devel
-BuildRequires: swig >= 4.1.0
-%else
-BuildRequires: php7-devel
-BuildRequires: swig >= 3.0.11
-%endif
 BuildRequires: ruby-devel
 BuildRequires: pkgconfig(cairo)
 BuildRequires: pkgconfig(fontconfig)
@@ -136,6 +124,13 @@ BuildRequires: pkgconfig(tcl)
 BuildRequires: pkgconfig(x11)
 BuildRequires: pkgconfig(xaw7)
 BuildRequires: pkgconfig(xext)
+%if %{php_version} == 8
+BuildRequires: php8-devel
+BuildRequires: swig >= 4.1.0
+%else
+BuildRequires: php7-devel
+BuildRequires: swig >= 3.0.11
+%endif
 %if %{with java}
 BuildRequires: java-devel >= 1.6.0
 %endif
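Review bot: The `#PATCH-FIX-UPSTREAM` comment on the new Patch8 line repeats the upstream subject but not the identifiers a reader of the spec needs to tie it to the advisory; the CVE and bug number only appear in the changelog. Suggest `# PATCH-FIX-UPSTREAM CVE-2023-46045 bsc#1219491 gvc: detect plugin installation failure and display an error`, which also restores the space after `#` that the neighbouring Patch7 comment uses. The remaining hunks on this line only reorder BuildRequires and add the fonts dependency, which raise nothing.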
@@ -175,7 +170,7 @@ Experimental large graph viewer using graphviz
 Summary: Graphviz plugins that use gtk/GNOME
 Group: Productivity/Graphics/Visualization/Graph
 Requires(post): graphviz = %{version}
-Supplements: packageand(graphviz:xorg-x11-fonts-core)
+Supplements: (graphviz and xorg-x11-fonts-core)
 
 %description -n graphviz-gnome
 Graphviz plugins that use gtk/GNOME.
@@ -405,14 +400,15 @@ programs that use the graphviz libraries including man3 pages.
 %prep
 #autosetup breaks graphviz-addons
 %setup -q -n %{mname}-%{version}
-%patch0
-%patch1
-%patch2
-%patch3
-%patch4
-%patch5 -p1
-%patch6
-%patch7 -p1
+%patch -P 0
+%patch -P 1
+%patch -P 2
+%patch -P 3
+%patch -P 4
+%patch -P 5 -p1
+%patch -P 6
+%patch -P 7 -p1
+%patch -P 8 -p1
 
 # pkg-config returns 0 (TRUE) when guile-2.2 is present
 if pkg-config --atleast-version=2.2 guile-2.2; then
diff --git a/gvc-detect-plugin-installation-failure-and-display-an-error.patch b/gvc-detect-plugin-installation-failure-and-display-an-error.patch
new file mode 100644
index 0000000..e349251
--- /dev/null
+++ b/gvc-detect-plugin-installation-failure-and-display-an-error.patch
@@ -0,0 +1,31 @@
+From: Matthew Fernandez
+Subject: gvc: detect plugin installation failure and display an error
+References: bsc#1219491
+Patch-Mainline: 10.0.1
+Git-commit: a95f977f5d809915ec4b14836d2b5b7f5e74881e
+Git-repo: git@gitlab.com:graphviz/graphviz.git.git
+
+Gitlab: fixes #2441
+Reported-by: GJDuck
+
+A malformed config6 file that leads to plugin search failing no longer causes
+out-of-bounds memory reads. This now causes an error message and graceful
+failure. #2441
+
+
+Signed-off-by:
+Index: graphviz-2.49.3/lib/gvc/gvconfig.c
+===================================================================
+--- graphviz-2.49.3.orig/lib/gvc/gvconfig.c
++++ graphviz-2.49.3/lib/gvc/gvconfig.c
+@@ -183,6 +183,10 @@ static int gvconfig_plugin_install_from_
+ do {
+ api = token(&nest, &s);
+ gv_api = gvplugin_api(api);
++ if (gv_api == (api_t)-1) {
++ agerr(AGERR, "config error: %s %s not found\n", path, api);
++ return 0;
++ }
+ do {
+ if (nest == 2) {
+ type = token(&nest, &s);
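Review bot: The check `if (gv_api == (api_t)-1)` stops an unrecognised API name from the config file before it is used any further (the out-of-bounds read the patch header describes), but nothing at this point says that `(api_t)-1` is the failure value of gvplugin_api(); a one-line comment above it, `/* gvplugin_api() returns (api_t)-1 for an unknown API name; bail out before it is used as an index */`, would make that contract explicit to whoever touches this loop next. The enclosing gvconfig_plugin_install_from_config() starts and ends outside the hunk, so how the caller treats the `return 0` and whether an aborted parse leaves gvc with a partially registered package cannot be checked from here. `path` in the agerr() message is presumably the plugin library name parsed earlier in the same loop; confirm it is always set by the time this branch is reached. The patch metadata also has a doubled suffix in `Git-repo: git@gitlab.com:graphviz/graphviz.git.git` and an empty `Signed-off-by:` line, both of which should be completed before submission.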