From d0dca8bc4af84e7b76016da5b2ef2d8c50aa3cebbae639d7b405f5b02974b812 Mon Sep 17 00:00:00 2001 From: "Dr. Werner Fink" Date: Wed, 22 Nov 2017 12:37:26 +0000 Subject: [PATCH] Bug bsc#1069257, CVE-2017-16899 OBS-URL: https://build.opensuse.org/package/show/Publishing/transfig?expand=0&rev=43 --- fig2dev-3.2.6a-RGBFILE.patch | 32 ++++++++++++++++++ fig2dev-3.2.6a-input-sanitizing.patch | 41 +++++++++++++++++++++++ fig2dev-3.2.6a-man-typo.patch | 14 ++++++++ fig2dev-3.2.6a-style-overflow.patch | 47 +++++++++++++++++++++++++++ transfig.changes | 11 +++++++ transfig.spec | 10 +++++- 6 files changed, 154 insertions(+), 1 deletion(-) create mode 100644 fig2dev-3.2.6a-RGBFILE.patch create mode 100644 fig2dev-3.2.6a-input-sanitizing.patch create mode 100644 fig2dev-3.2.6a-man-typo.patch create mode 100644 fig2dev-3.2.6a-style-overflow.patch diff --git a/fig2dev-3.2.6a-RGBFILE.patch b/fig2dev-3.2.6a-RGBFILE.patch new file mode 100644 index 0000000..90ec7c0 --- /dev/null +++ b/fig2dev-3.2.6a-RGBFILE.patch @@ -0,0 +1,32 @@ +From: Roland Rosenfeld +Subject: rgb.txt can not be located via FIG2DEV_RGBFILE environment variable. + This allows to run the test suite without the package being installed before. + +--- a/fig2dev/colors.c ++++ b/fig2dev/colors.c +@@ -27,6 +27,7 @@ + #include "pi.h" + + #include "fig2dev.h" ++#include + + struct color_db { + char *name; +@@ -108,10 +109,15 @@ read_colordb(void) + char s[100], s1[100], *c1, *c2; + unsigned short r,g,b; + struct color_db *col; ++ char *rgbfile; + +- fp = fopen(RGB_FILE, "r"); ++ rgbfile = getenv("FIG2DEV_RGBFILE"); ++ if (rgbfile == NULL) { ++ rgbfile = RGB_FILE; ++ } ++ fp = fopen(rgbfile, "r"); + if (fp == NULL) { +- fprintf(stderr,"Couldn't open the RGB database file '%s'\n", RGB_FILE); ++ fprintf(stderr,"Couldn't open the RGB database file '%s'\n", rgbfile); + return -1; + } + if ((Xcolors = (struct color_db*) malloc(maxcolors*sizeof(struct color_db))) 
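Review bot: An empty FIG2DEV_RGBFILE is not treated as unset in the added getenv() branch of read_colordb(), so `FIG2DEV_RGBFILE=` makes fopen("") fail and the fallback to RGB_FILE is never taken; test for both, `if (rgbfile == NULL || *rgbfile == '\0') rgbfile = RGB_FILE;`. The added include line appears on this page as a bare `#include` with no header name, presumably `<stdlib.h>` for getenv() lost in rendering, so it is worth confirming the patch file actually carries it. The override only changes which file is opened read-only for colour-name lookup, which is fine as long as fig2dev is never run with elevated privileges; a one-line comment above the getenv() call stating that intent would help the next reader. The body of read_colordb() continues past the hunk.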
diff --git a/fig2dev-3.2.6a-input-sanitizing.patch b/fig2dev-3.2.6a-input-sanitizing.patch new file mode 100644 index 0000000..41d36b2 --- /dev/null +++ b/fig2dev-3.2.6a-input-sanitizing.patch @@ -0,0 +1,41 @@ +Description: Some input sanitizing when reading FIG files. +Bug-Debian: https://bugs.debian.org/881143 +Bug-Debian: https://bugs.debian.org/881144 +Author: Thomas Loimer + +--- a/fig2dev/read.c ++++ b/fig2dev/read.c +@@ -1329,8 +1329,14 @@ read_textobject(FILE *fp) + | PSFONT_TEXT; + + /* keep the font number reasonable */ +- if (t->font > MAXFONT(t)) ++ if (t->font > MAXFONT(t)) { + t->font = MAXFONT(t); ++ } else if (t->font < 0 ) { ++ if (psfont_text(t) && t->font < -1) ++ t->font = -1; ++ else ++ t->font = 0; ++ } + fix_and_note_color(&t->color); + t->comments = attach_comments(); /* attach any comments */ + return t; +--- a/fig2dev/read1_3.c ++++ b/fig2dev/read1_3.c +@@ -470,6 +470,15 @@ read_textobject(FILE *fp) + free((char*) t); + return(NULL); + } ++ /* keep the font number within valid range */ ++ if (t->font > MAXFONT(t)) { ++ t->font = MAXFONT(t); ++ } else if (t->font < 0 ) { ++ if (psfont_text(t) && t->font < -1) ++ t->font = -1; ++ else ++ t->font = 0; ++ } + (void)strcpy(t->cstring, buf); + if (t->size == 0) t->size = 18; + return(t); diff --git a/fig2dev-3.2.6a-man-typo.patch b/fig2dev-3.2.6a-man-typo.patch new file mode 100644 index 0000000..9843be3 --- /dev/null +++ b/fig2dev-3.2.6a-man-typo.patch @@ -0,0 +1,14 @@ +From: Roland Rosenfeld +Subject: Fix typo in man page fig2ps2tex. + +--- a/man/fig2ps2tex.1 ++++ b/man/fig2ps2tex.1 +@@ -22,7 +22,7 @@ for those systems with csh and dc. + Note that the + .I psfig + macro package provides a more sophisticated approach to including +-Postscript files in LaTeX docuements. ++Postscript files in LaTeX documents. + .I Fig2ps2tex + works with plain TeX however. + diff --git a/fig2dev-3.2.6a-style-overflow.patch b/fig2dev-3.2.6a-style-overflow.patch new file mode 100644 index 0000000..e954cc7 
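Review bot: In the new negative-font branch of read_textobject() in read.c, a PostScript-font text with font == -1 is rewritten to 0, because the inner test `t->font < -1` only clamps values below -1 to -1 and -1 itself falls through to the else arm; if -1 (the conventional default-font value) is meant to survive, the inner statement should be `if (psfont_text(t)) t->font = -1; else t->font = 0;`. The same eight-line clamp is duplicated verbatim in read1_3.c, so a small static helper taking the text object pointer, called from both readers, would keep the two in step. Neither copy says why the clamp exists; a comment such as `/* font is later used as a table index; keep it within [0, MAXFONT] (-1 = default PS font) */` would record the reason, with the index use being my inference from the CVE reference rather than something visible in the hunk. Both read_textobject() bodies start before their hunks.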
--- /dev/null +++ b/fig2dev-3.2.6a-style-overflow.patch @@ -0,0 +1,47 @@ +Description: Sanitize input of fill patterns. +Bug-Debian: https://bugs.debian.org/881396 +Author: Thomas Loimer + +--- a/fig2dev/read.c ++++ b/fig2dev/read.c +@@ -71,6 +71,8 @@ static int save_comment(void); + + #define FILL_CONVERT(f) ((v2_flag || (f) < WHITE_FILL) \ + ? (v30_flag? f: (f-1)) : 20 - ((f)-1)*5) ++#define FILL_SANITIZE(f) ((f) < UNFILLED || (f) >= \ ++ NUMSHADES + NUMTINTS + NUMPATTERNS) ? UNFILLED : f + + /* input buffer size */ + #define BUF_SIZE 1024 +@@ -547,6 +549,7 @@ read_arcobject(FILE *fp) + } + a->thickness *= round(THICK_SCALE); + a->fill_style = FILL_CONVERT(a->fill_style); ++ a->fill_style = FILL_SANITIZE(a->fill_style); + NOTE_FILL(a); + fix_and_note_color(&a->pen_color); + if (fa) { +@@ -730,6 +733,7 @@ read_ellipseobject(void) + fix_and_note_color(&e->pen_color); + e->thickness *= round(THICK_SCALE); + e->fill_style = FILL_CONVERT(e->fill_style); ++ e->fill_style = FILL_SANITIZE(e->fill_style); + NOTE_FILL(e); + e->comments = attach_comments(); /* attach any comments */ + return e; +@@ -895,6 +899,7 @@ read_lineobject(FILE *fp) + l->radius *= round(THICK_SCALE); + l->thickness *= round(THICK_SCALE); + l->fill_style = FILL_CONVERT(l->fill_style); ++ l->fill_style = FILL_SANITIZE(l->fill_style); + NOTE_FILL(l); + fix_and_note_color(&l->pen_color); + if (fa) { +@@ -1051,6 +1056,7 @@ read_splineobject(FILE *fp) + } + s->thickness *= round(THICK_SCALE); + s->fill_style = FILL_CONVERT(s->fill_style); ++ s->fill_style = FILL_SANITIZE(s->fill_style); + NOTE_FILL(s); + fix_and_note_color(&s->pen_color); + if (fa) { diff --git a/transfig.changes b/transfig.changes index fcddd94..ce7b8c0 100644 --- a/transfig.changes +++ b/transfig.changes 
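Review bot: The new FILL_SANITIZE macro in read.c is not hygienically parenthesized: neither the ternary as a whole nor the trailing `f` is wrapped, so any use other than a plain assignment (e.g. `FILL_SANITIZE(x) + 1`) parses differently than intended; write it as `#define FILL_SANITIZE(f) (((f) < UNFILLED || (f) >= NUMSHADES + NUMTINTS + NUMPATTERNS) ? UNFILLED : (f))`. All four call sites apply it only after FILL_CONVERT, so an extreme value read from the file still passes through the `(f-1)*5` arithmetic in FILL_CONVERT before being discarded; if fill_style is a plain int that multiplication can overflow for large inputs, so range-checking the raw value before conversion as well would be safer. A comment on the macro naming the range it enforces, such as `/* clamp a converted fill_style to [UNFILLED, NUMSHADES+NUMTINTS+NUMPATTERNS) */`, would also help. The enclosing read_*object() functions all start and end outside their hunks.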
@@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Wed Nov 22 12:25:21 UTC 2017 - werner@suse.de + +- Added patches + * fig2dev-3.2.6a-RGBFILE.patch to let rgb.txt be located via + environment variable FIG2DEV_RGBFILE + * fig2dev-3.2.6a-man-typo.patch to fix simple typo in manual page + * fig2dev-3.2.6a-input-sanitizing.patch to do some input + sanitizing when reading FIG files (bsc#1069257, CVE-2017-16899) + * fig2dev-3.2.6a-style-overflow.patch + ------------------------------------------------------------------- Mon Feb 6 11:23:24 UTC 2017 - werner@suse.de diff --git a/transfig.spec b/transfig.spec index c85f479..07eb624 100644 --- a/transfig.spec +++ b/transfig.spec @@ -54,9 +54,9 @@ Requires: texlive-epstopdf Version: 3.2.6a Release: 0 Summary: Graphic Converter +#Source: http://sourceforge.net/projects/mcj/files/fig2dev-%{version}.tar.xz/download#/fig2dev-%{version}.tar.xz License: MIT Group: Productivity/Graphics/Convertors -#Source: http://sourceforge.net/projects/mcj/files/fig2dev-%{version}.tar.xz/download#/fig2dev-%{version}.tar.xz Source: fig2dev-%{version}.tar.xz Patch0: transfig-3.2.6.dif Patch2: transfig.3.2.5-binderman.dif @@ -65,6 +65,10 @@ Patch4: transfig-fix-afl.patch Patch42: fig2dev-3.2.6-genps_oldpatterns.patch Patch43: fig2dev-3.2.6-fig2mpdf.patch Patch44: fig2dev-3.2.6-fig2mpdf-doc.patch +Patch45: fig2dev-3.2.6a-RGBFILE.patch +Patch46: fig2dev-3.2.6a-man-typo.patch +Patch47: fig2dev-3.2.6a-input-sanitizing.patch +Patch48: fig2dev-3.2.6a-style-overflow.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %{expand: %%global _exec_prefix %(type -p pkg-config &>/dev/null && pkg-config --variable prefix x11 || echo /usr/X11R6)} %if "%_exec_prefix" == "/usr/X11R6" @@ -108,6 +112,10 @@ find -type f | xargs -r chmod a-x,go-w %patch42 -p2 -b .oldp %patch43 -p2 -b .mpdf %patch44 -p1 -b .mpdfdoc +%patch45 -p1 -b .p45 +%patch46 -p1 -b .p46 +%patch47 -p1 -b .p47 +%patch48 -p1 -b .p48 %build CC=gcc
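Review bot: The four new `%patch45` to `%patch48` lines use nondescript backup suffixes `.p45` to `.p48`, while every neighbouring entry uses a suffix that names the patch (`.oldp`, `.mpdf`, `.mpdfdoc`); following that convention, e.g. `%patch47 -p1 -b .sanitize`, makes the backup files self-explanatory when inspecting a build tree. The first spec hunk only relocates the commented-out `#Source:` line above `License:`, which is cosmetic and could be kept out of a security-fix commit to keep the diff focused.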