diff --git a/6827c09d.patch b/6827c09d.patch
new file mode 100644
index 0000000..9b31966
--- /dev/null
+++ b/6827c09d.patch
@@ -0,0 +1,68 @@ +From 6827c09d2d6491cb2ae3ac7196439ff3aa791fd9 Mon Sep 17 00:00:00 2001 +From: Thomas Loimer +Date: Sun, 25 Apr 2021 00:49:15 +0200 +Subject: [PATCH] Sanitize color definitions, ticket #116 + +--- + fig2dev/read.c | 35 +++++++++++++++++++++-------------- + 1 file changed, 21 insertions(+), 14 deletions(-) + +diff --git fig2dev/read.c fig2dev/read.c +index 7e18fda..4c6bacc 100644 +--- fig2dev/read.c ++++ fig2dev/read.c +@@ -520,30 +520,37 @@ read_colordef(char *line, int line_no) + + if (num_usr_cols >= MAX_USR_COLS) { + if (num_usr_cols == MAX_USR_COLS) { +- put_msg("Maximum number of color definitions (%d) exceeded at line %d.", ++ put_msg("Maximum number of color definitions (%d) " ++ "exceeded at line %d.", + MAX_USR_COLS, line_no); + ++num_usr_cols; + } + /* ignore additional colors */ + return; + } +- if (sscanf(line, "%*d %d #%2x%2x%2x", &c, &r, &g, &b) != 4) { +- if (c >= NUM_STD_COLS && c < NUM_STD_COLS + MAX_USR_COLS) { +- put_msg("Invalid color definition at line %d: %s, setting to black (#00000).", +- line_no, line); +- r = g = b = 0; +- } else { +- put_msg("User color number at line %d out of range (%d), should be between %d and %d.", ++ if (sscanf(line, "%*d %d #%2x%2x%2x", &c, &r, &g, &b) == 4) { ++ if (c >= NUM_STD_COLS && c < NUM_STD_COLS + MAX_USR_COLS && ++ r >=0 && r < 256 && g >=0 && g < 256 && ++ b >= 0 && b < 256 ) { ++ user_col_indx[num_usr_cols] = c; ++ user_colors[num_usr_cols].r = r; ++ user_colors[num_usr_cols].g = g; ++ user_colors[num_usr_cols].b = b; ++ ++num_usr_cols; ++ } else if (c < NUM_STD_COLS || c >= NUM_STD_COLS+MAX_USR_COLS) { ++ put_msg("User color number at line %d out of range (%d)" ++ ", should be between %d and %d.", + line_no, c, NUM_STD_COLS, + NUM_STD_COLS + MAX_USR_COLS - 1); +- return; ++ } else { ++ put_msg("Invalid color definition at line %d: %s, color" ++ " values must be between 0 through 255.", ++ line_no, line); + } ++ } else { ++ put_msg("Invalid color definition at line %d: %s.", ++ line_no, 
line); + } +- user_col_indx[num_usr_cols] = c; +- user_colors[num_usr_cols].r = r; +- user_colors[num_usr_cols].g = g; +- user_colors[num_usr_cols].b = b; +- ++num_usr_cols; + } + + static void +-- +2.26.2 + diff --git a/transfig.changes b/transfig.changes index 006e84c..b69b318 100644 --- a/transfig.changes +++ b/transfig.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Fri May 21 11:50:39 UTC 2021 - Dr. Werner Fink + +- Add upstream commit as patch 6827c09d.patch + Global buffer overflow in fig2dev/read.c in function read_colordef() + (boo#1186329, CVE-2021-3561) + ------------------------------------------------------------------- Thu Apr 1 11:58:30 UTC 2021 - Dr. Werner Fink diff --git a/transfig.spec b/transfig.spec index 4f9887d..075cae6 100644 --- a/transfig.spec +++ b/transfig.spec @@ -53,6 +53,7 @@ License: MIT Group: Productivity/Graphics/Convertors Source: fig2dev-%{version}.tar.xz Patch0: transfig-3.2.8.dif +Patch1: 6827c09d.patch Patch4: transfig-fix-afl.patch Patch43: fig2dev-3.2.6-fig2mpdf.patch Patch44: fig2dev-3.2.6-fig2mpdf-doc.patch @@ -94,6 +95,7 @@ Authors: %setup -q -n fig2dev-%{version} find -type f | xargs -r chmod a-x,go-w %patch0 -p0 -b .0 +%patch1 -p0 -b .1 %patch4 -p1 -b .afl %patch43 -p1 -b .mpdf %patch44 -p1 -b .mpdfdoc
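Review bot: In the limit branch at the top of read_colordef(), `++num_usr_cols;` doubles as an "already reported" marker and leaves the counter at MAX_USR_COLS + 1, one more than the store path below can ever fill. The new range checks guard the writes to user_col_indx[] and user_colors[], but any reader outside this hunk that loops up to num_usr_cols would then index one element past those arrays, assuming they are sized MAX_USR_COLS (their declarations are not visible here). A separate flag keeps the counter equal to the number of stored entries: declare `static int limit_reported;` and replace the inner test with `if (!limit_reported) { put_msg(...); limit_reported = 1; }`. The function's declarations also lie outside the hunk, so it is worth confirming the types of r, g and b: `%2x` expects `unsigned int *`, and if they are unsigned the `r >=0` style tests can never fail. A comment above the sscanf() call such as `/* c, r, g, b are only meaningful when all four conversions succeed */` would record why the branch order was inverted.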