Dominique Leuenberger 2024-03-09 19:53:46 +00:00 committed by Git OBS Bridge
commit 097a64a933
3 changed files with 64 additions and 28 deletions

View File

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Thu Mar 7 14:57:35 UTC 2024 - Thomas Renninger <trenn@suse.de>
- VUL-0: CVE-2023-46045: graphviz: out-of-bounds read via a crafted config6a file
bsc#1219491
A gvc-detect-plugin-installation-failure-and-display-an-error.patch
- Some alphabetical re-ordering and other spec file changes which should
not have any functional change which came from some kind of auto-spec
cleaner
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Feb 22 07:45:53 UTC 2024 - Michael Vetter <mvetter@suse.com> Thu Feb 22 07:45:53 UTC 2024 - Michael Vetter <mvetter@suse.com>

View File

@ -17,43 +17,32 @@
%global flavor @BUILD_FLAVOR@%{nil} %global flavor @BUILD_FLAVOR@%{nil}
%if "%{flavor}" != "" %if "%{flavor}" != ""
%define psuffix -%{flavor} %define psuffix -%{flavor}
%else %else
%define psuffix %{nil} %define psuffix %{nil}
%endif %endif
#fixes build failure caused by new .debug files, not sure how to fix correctly #fixes build failure caused by new .debug files, not sure how to fix correctly
%define mname graphviz %define mname graphviz
# name of the plugin config file that dot creates # name of the plugin config file that dot creates
%define config_file config6 %define config_file config6
# Java and ocaml are not in ring1, thus this gets overriden in staging
# Also, both install into generic locations instead of a language
# specific prefix, disable both
%bcond_with java
%bcond_with ocaml
%if "%{flavor}" == "addons" %if "%{flavor}" == "addons"
%define phpconf_dir %{_sysconfdir}/php%{php_version}/conf.d
%define phpext_dir %(%{__php_config} --extension-dir)
%define ruby_version $(pkg-config --variable=RUBY_API_VERSION %{_libdir}/pkgconfig/ruby-*.pc)
# PHP8 requires swig >= 4.1.0, https://github.com/swig/swig/commit/56d74355735f3661406d69d04d89d1bdb4ca96f9 # PHP8 requires swig >= 4.1.0, https://github.com/swig/swig/commit/56d74355735f3661406d69d04d89d1bdb4ca96f9
%if 0%{?suse_version} >= 1599 %if 0%{?suse_version} >= 1599
%define php_version 8 %define php_version 8
%else %else
%define php_version 7 %define php_version 7
%endif %endif
%define phpconf_dir %{_sysconfdir}/php%{php_version}/conf.d
%define phpext_dir %(%{__php_config} --extension-dir)
%define ruby_version $(pkg-config --variable=RUBY_API_VERSION %{_libdir}/pkgconfig/ruby-*.pc)
%endif %endif
# No pkgconfig(gts) in sle12 GA or SPx, but in sle15 # No pkgconfig(gts) in sle12 GA or SPx, but in sle15
%if 0%{?suse_version} == 1315 && !0%{?is_opensuse} %if 0%{?suse_version} == 1315 && !0%{?is_opensuse}
%bcond_with gts %bcond_with gts
%else %else
%bcond_without gts %bcond_without gts
%endif %endif
%define cdt_soversion 5 %define cdt_soversion 5
%define cgraph_soversion 6 %define cgraph_soversion 6
%define gvc_soversion 6 %define gvc_soversion 6
@ -61,7 +50,11 @@
%define lab_gamut_soversion 1 %define lab_gamut_soversion 1
%define pathplan_soversion 4 %define pathplan_soversion 4
%define xdot_soversion 4 %define xdot_soversion 4
# Java and ocaml are not in ring1, thus this gets overriden in staging
# Also, both install into generic locations instead of a language
# specific prefix, disable both
%bcond_with java
%bcond_with ocaml
Name: graphviz%{psuffix} Name: graphviz%{psuffix}
Version: 2.49.3 Version: 2.49.3
Release: 0 Release: 0
@ -83,7 +76,8 @@ Patch5: graphviz-no_strict_aliasing.patch
Patch6: graphviz-no_php_extra_libs.patch Patch6: graphviz-no_php_extra_libs.patch
# https://gitlab.com/graphviz/graphviz/-/issues/2303 # https://gitlab.com/graphviz/graphviz/-/issues/2303
Patch7: swig-4.1.0.patch Patch7: swig-4.1.0.patch
#PATCH-FIX-UPSTREAM gvc: detect plugin installation failure and display an error
Patch8: gvc-detect-plugin-installation-failure-and-display-an-error.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: bison BuildRequires: bison
@ -96,12 +90,13 @@ BuildRequires: libstdc++-devel
BuildRequires: libtool BuildRequires: libtool
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: pkgconfig(expat) BuildRequires: pkgconfig(expat)
BuildRequires: pkgconfig(zlib)
Requires: bitstream-vera-fonts
Requires: graphviz-plugins-core = %{version}
Recommends: graphviz-gd = %{version}
%if %{with gts} %if %{with gts}
BuildRequires: pkgconfig(gts) BuildRequires: pkgconfig(gts)
%endif %endif
BuildRequires: pkgconfig(zlib)
Requires: graphviz-plugins-core = %{version}
Recommends: graphviz-gd = %{version}
%if "%{flavor}" == "addons" %if "%{flavor}" == "addons"
BuildRequires: freeglut-devel BuildRequires: freeglut-devel
BuildRequires: ghostscript BuildRequires: ghostscript
@ -109,13 +104,6 @@ BuildRequires: libjpeg-devel
BuildRequires: libpng-devel BuildRequires: libpng-devel
BuildRequires: libwebp-devel BuildRequires: libwebp-devel
BuildRequires: perl BuildRequires: perl
%if %{php_version} == 8
BuildRequires: php8-devel
BuildRequires: swig >= 4.1.0
%else
BuildRequires: php7-devel
BuildRequires: swig >= 3.0.11
%endif
BuildRequires: ruby-devel BuildRequires: ruby-devel
BuildRequires: pkgconfig(cairo) BuildRequires: pkgconfig(cairo)
BuildRequires: pkgconfig(fontconfig) BuildRequires: pkgconfig(fontconfig)
@ -136,6 +124,13 @@ BuildRequires: pkgconfig(tcl)
BuildRequires: pkgconfig(x11) BuildRequires: pkgconfig(x11)
BuildRequires: pkgconfig(xaw7) BuildRequires: pkgconfig(xaw7)
BuildRequires: pkgconfig(xext) BuildRequires: pkgconfig(xext)
%if %{php_version} == 8
BuildRequires: php8-devel
BuildRequires: swig >= 4.1.0
%else
BuildRequires: php7-devel
BuildRequires: swig >= 3.0.11
%endif
%if %{with java} %if %{with java}
BuildRequires: java-devel >= 1.6.0 BuildRequires: java-devel >= 1.6.0
%endif %endif
@ -148,7 +143,6 @@ BuildRequires: pkgconfig(Qt5Core)
BuildRequires: pkgconfig(Qt5PrintSupport) BuildRequires: pkgconfig(Qt5PrintSupport)
BuildRequires: pkgconfig(Qt5Widgets) BuildRequires: pkgconfig(Qt5Widgets)
%endif %endif
Requires: bitstream-vera-fonts
%description %description
A collection of tools and tcl packages for the manipulation and layout A collection of tools and tcl packages for the manipulation and layout
@ -176,7 +170,7 @@ Experimental large graph viewer using graphviz
Summary: Graphviz plugins that use gtk/GNOME Summary: Graphviz plugins that use gtk/GNOME
Group: Productivity/Graphics/Visualization/Graph Group: Productivity/Graphics/Visualization/Graph
Requires(post): graphviz = %{version} Requires(post): graphviz = %{version}
Supplements: packageand(graphviz:xorg-x11-fonts-core) Supplements: (graphviz and xorg-x11-fonts-core)
%description -n graphviz-gnome %description -n graphviz-gnome
Graphviz plugins that use gtk/GNOME. Graphviz plugins that use gtk/GNOME.
@ -414,6 +408,7 @@ programs that use the graphviz libraries including man3 pages.
%patch -P 5 -p1 %patch -P 5 -p1
%patch -P 6 %patch -P 6
%patch -P 7 -p1 %patch -P 7 -p1
%patch -P 8 -p1
# pkg-config returns 0 (TRUE) when guile-2.2 is present # pkg-config returns 0 (TRUE) when guile-2.2 is present
if pkg-config --atleast-version=2.2 guile-2.2; then if pkg-config --atleast-version=2.2 guile-2.2; then

View File

@ -0,0 +1,31 @@
From: Matthew Fernandez <matthew.fernandez@gmail.com>
Subject: gvc: detect plugin installation failure and display an error
References: bsc#1219491
Patch-Mainline: 10.0.1
Git-commit: a95f977f5d809915ec4b14836d2b5b7f5e74881e
Git-repo: git@gitlab.com:graphviz/graphviz.git.git
Gitlab: fixes #2441
Reported-by: GJDuck
A malformed config6 file that leads to plugin search failing no longer causes
out-of-bounds memory reads. This now causes an error message and graceful
failure. #2441
Signed-off-by: <trenn@suse.com>
Index: graphviz-2.49.3/lib/gvc/gvconfig.c
===================================================================
--- graphviz-2.49.3.orig/lib/gvc/gvconfig.c
+++ graphviz-2.49.3/lib/gvc/gvconfig.c
@@ -183,6 +183,10 @@ static int gvconfig_plugin_install_from_
do {
api = token(&nest, &s);
gv_api = gvplugin_api(api);
+ if (gv_api == (api_t)-1) {
+ agerr(AGERR, "config error: %s %s not found\n", path, api);
+ return 0;
+ }
do {
if (nest == 2) {
type = token(&nest, &s);