Accepting request 838775 from Publishing
- Add upstream security patches/commits * 100e27.patch * 3065eb.patch * ca48cc.patch - Do hardening via compile and linker flags OBS-URL: https://build.opensuse.org/request/show/838775 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/transfig?expand=0&rev=45
commit
9fb5ccc032
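--- a/100e27.patch
+++ b/100e27.patch
@@ -0,0 +1,32 @@
+From 100e2789f8106f9cc0f7e4319c4ee7bda076c3ac Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sun, 16 Feb 2020 13:25:03 +0100
+Subject: [PATCH] Modify commit [3165d8]: Use tangent, not secant
+
+Use the tangent, not a secant, for short arrows on arcs.
+---
+fig2dev/bound.c | 6 ++----
+1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git fig2dev/bound.c fig2dev/bound.c
+index d305ab9..ea97461 100644
+--- fig2dev/bound.c
++++ fig2dev/bound.c
+@@ -1102,12 +1102,10 @@ compute_arcarrow_angle(double x1, double y1, double x2, double y2,
+/* add this to the length */
+h += lpt;
+
+- /* radius too small for this method, use normal method */
+- if (h > 2.0*r) {
++ /* secant would be too large or too small */
++ if (h > 2.0*r || h < 0.01*r) {
+arc_tangent_int(x1,y1,x2,y2,direction,x,y);
+return;
+- } else if (h < thick) {
+- h = thick;
+}
+
+beta=atan2(dy,dx);
+--
+2.16.4
+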
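Review bot: The new guard `if (h > 2.0*r || h < 0.01*r)` in compute_arcarrow_angle() introduces a bare 0.01 factor, and the comment `/* secant would be too large or too small */` does not say what the two limits are. A comment that restates the bounds, for example `/* fall back to the tangent if the length exceeds the diameter or is below 1% of the radius */`, or a named constant for the ratio, would make the threshold reviewable. The package changelog files this patch under "security patches", but its message describes only a geometry change, so it would help to record which issue it addresses. The function starts and ends outside the hunk.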
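--- a/3065eb.patch
+++ b/3065eb.patch
@@ -0,0 +1,63 @@
+From 3065ebc14bb96506429b4ebde3aeb3793c72a66d Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sun, 16 Feb 2020 18:54:01 +0100
+Subject: [PATCH] Allow last line of file lacking eol char, #83, #84
+
+If the last line of a fig file does not end with a newline, the code parsing
+the input could read beyond the allocated buffer. This commit fixes the parsing
+at two locations in the code, one in string parsing, the second where sequences
+of a backslash and octal digits are converted to characters.
+---
+fig2dev/read.c | 6 ++++--
+fig2dev/tests/read.at | 11 +++++++++++
+2 files changed, 15 insertions(+), 2 deletions(-)
+
+--- fig2dev/read.c
++++ fig2dev/read.c 2020-09-30 10:46:34.214234522 +0000
+@@ -1483,6 +1483,8 @@ read_textobject(FILE *fp, char **restric
+
+len = strlen(start);
+start[len++] = '\n'; /* put back the newline */
++ start[len] = '\0'; /* and terminate the string,
++ in case nothing else is found */
+
+/* allocate plenty of space */
+next = malloc(len + BUFSIZ);
+@@ -1491,7 +1493,7 @@ read_textobject(FILE *fp, char **restric
+free(t);
+return NULL;
+}
+- memcpy(next, start, len);
++ memcpy(next, start, len + 1);
+
+while ((chars = getline(line, line_len, fp)) != -1) {
+++(*line_no);
+@@ -1525,7 +1527,7 @@ read_textobject(FILE *fp, char **restric
+len = end - start;
+l = len;
+while (c[l] != '\0') {
+- if (c[l] == '\\') {
++ if (c[l] == '\\' && c[l+1] != '\0') {
+/* convert 3 digit octal value */
+if (isdigit(c[l+1]) && c[l+2] != '\0' &&
+c[l+3] != '\0') {
+--- fig2dev/tests/read.at
++++ fig2dev/tests/read.at 2020-09-30 10:46:34.262233620 +0000
+@@ -416,6 +416,17 @@ AT_CHECK([fig2dev -L tikz text.fig
+], 0, ignore)
+AT_CLEANUP
+
++AT_SETUP([allow files end without eol, tickets #83, #84])
++AT_KEYWORDS([read.c])
++AT_CHECK([AS_ECHO_N(["FIG_FILE_TOP
++4 0 0 50 0 -1 12 0 0 150 405 0 0 No end-of-line here -->"]) | \
++ fig2dev -L box], 0, ignore)
++AT_CHECK([AS_ECHO_N(["FIG_FILE_TOP
++4 0 0 50 0 -1 12 0 0 150 405 0 0 Start string
++No end-of-line after one backslash --> \\"]) | \
++ fig2dev -L box], 0, ignore)
++AT_CLEANUP
++
+AT_BANNER([Dynamically allocate picture file name.])
+
+AT_SETUP([prepend fig file path to picture file name])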
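Review bot: The two new AT_CHECK cases in fig2dev/tests/read.at only assert exit status 0 with output ignored, so they catch the out-of-bounds read described in the commit message only if it happens to crash. A one-byte read past a heap buffer usually does not crash, so these checks would probably also pass against the unpatched read.c. Running the test suite in a build with `-fsanitize=address`, or under valgrind, is what would turn them into a real regression test. Separately, the context line `isdigit(c[l+1])` in the third read.c hunk passes a byte from the input file; assuming `c` is a plain `char *`, `isdigit((unsigned char)c[l+1])` avoids undefined behaviour for bytes above 0x7f where `char` is signed. read_textobject() starts and ends outside all three hunks.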
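--- a/ca48cc.patch
+++ b/ca48cc.patch
@@ -0,0 +1,35 @@
+From ca48ccc90bd3e7801a63cf9a541f292b28ed1260 Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Mon, 17 Feb 2020 12:18:12 +0100
+Subject: [PATCH] Amend previous commit - avoid buffer overflow
+
+Regards to Dr. Werner Fink, see discussion to ticket #83.
+---
+fig2dev/read.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git fig2dev/read.c fig2dev/read.c
+index 0bdcd3d..d1ae463 100644
+--- fig2dev/read.c
++++ fig2dev/read.c
+@@ -1489,8 +1489,6 @@ read_textobject(FILE *fp, char **restrict line, size_t *line_len, int *line_no)
+
+len = strlen(start);
+start[len++] = '\n'; /* put back the newline */
+- start[len] = '\0'; /* and terminate the string,
+- in case nothing else is found */
+
+/* allocate plenty of space */
+next = malloc(len + BUFSIZ);
+@@ -1500,6 +1498,8 @@ read_textobject(FILE *fp, char **restrict line, size_t *line_len, int *line_no)
+return NULL;
+}
+memcpy(next, start, len + 1);
++ next[len] = '\0'; /* terminate the initial string,
++ in case nothing else is found */
+
+while ((chars = getline(line, line_len, fp)) != -1) {
+++(*line_no);
+--
+2.16.4
+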
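Review bot: `memcpy(next, start, len + 1)` still reads `start[len]`, the same byte whose write this patch removes as a possible overflow. A one-byte over-read of the line buffer may therefore remain when the text in `start` reaches the end of its allocation; the buffer size is not visible in the hunk. The added `next[len] = '\0';` overwrites the extra copied byte anyway, so `memcpy(next, start, len);` followed by that line gives the same result without touching `start[len]`. read_textobject() begins and ends outside both hunks.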
@ -1,3 +1,16 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 30 10:48:31 UTC 2020 - Dr. Werner Fink <werner@suse.de>
|
||||
|
||||
- Add upstream security patches/commits
|
||||
* 100e27.patch
|
||||
* 3065eb.patch
|
||||
* ca48cc.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 29 09:24:16 UTC 2020 - Dr. Werner Fink <werner@suse.de>
|
||||
|
||||
- Do hardening via compile and linker flags
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Feb 11 11:38:01 UTC 2020 - Dr. Werner Fink <werner@suse.de>
|
||||
|
||||
|
@ -70,6 +70,9 @@ Patch14: 2f8d1a.patch
|
||||
Patch15: 4d4e1f.patch
|
||||
Patch16: 3165d8.patch
|
||||
Patch17: 639c36.patch
|
||||
Patch18: 100e27.patch
|
||||
Patch19: 3065eb.patch
|
||||
Patch20: ca48cc.patch
|
||||
Patch43: fig2dev-3.2.6-fig2mpdf.patch
|
||||
Patch44: fig2dev-3.2.6-fig2mpdf-doc.patch
|
||||
Patch45: fig2dev-3.2.6a-RGBFILE.patch
|
||||
@ -127,14 +130,59 @@ find -type f | xargs -r chmod a-x,go-w
|
||||
%patch15 -p0 -b .sec12
|
||||
%patch16 -p0 -b .sec13
|
||||
%patch17 -p0 -b .sec14
|
||||
%patch18 -p0 -b .sec15
|
||||
%patch19 -p0 -b .sec16
|
||||
%patch20 -p0 -b .sec17
|
||||
%patch43 -p2 -b .mpdf
|
||||
%patch44 -p1 -b .mpdfdoc
|
||||
%patch45 -p1 -b .p45
|
||||
|
||||
%build
|
||||
ulimit -v unlimited || :
|
||||
#
|
||||
# Used for detection of hardening options of gcc and linker
|
||||
#
|
||||
cflags ()
|
||||
{
|
||||
local flag=$1; shift
|
||||
local var=$1; shift
|
||||
test -n "${flag}" -a -n "${var}" || return
|
||||
case "${!var}" in
|
||||
*${flag}*) return
|
||||
esac
|
||||
case "$flag" in
|
||||
-Wl,*)
|
||||
set -o noclobber
|
||||
echo 'int main () { return 0; }' > ldtest.c
|
||||
if ${CC:-gcc} -Werror $flag -o /dev/null -xc ldtest.c > /dev/null 2>&1 ; then
|
||||
eval $var=\${$var:+\$$var\ }$flag
|
||||
fi
|
||||
set +o noclobber
|
||||
rm -f ldtest.c
|
||||
;;
|
||||
*)
|
||||
if ${CC:-gcc} -Werror $flag -S -o /dev/null -xc /dev/null > /dev/null 2>&1 ; then
|
||||
eval $var=\${$var:+\$$var\ }$flag
|
||||
fi
|
||||
if ${CXX:-g++} -Werror $flag -S -o /dev/null -xc++ /dev/null > /dev/null 2>&1 ; then
|
||||
eval $var=\${$var:+\$$var\ }$flag
|
||||
fi
|
||||
esac
|
||||
}
|
||||
|
||||
CC=gcc
|
||||
CFLAGS="%{optflags} -fno-strict-aliasing -w -D_GNU_SOURCE -std=gnu99 $(getconf LFS_CFLAGS)"
|
||||
cflags -D_FORTIFY_SOURCE=2 CFLAGS
|
||||
cflags -fstack-protector CFLAGS
|
||||
cflags -fstack-protector-strong CFLAGS
|
||||
cflags -fstack-protector-all CFLAGS
|
||||
cflags -Wformat CFLAGS
|
||||
cflags -Wformat-security CFLAGS
|
||||
cflags -Werror=format-security CFLAGS
|
||||
cflags -fPIE CFLAGS
|
||||
cflags -pie LDFLAGS
|
||||
cflags -Wl,-z,relro LDFLAGS
|
||||
cflags -Wl,-z,now LDFLAGS
|
||||
export CC CFLAGS LDFLAGS
|
||||
chmod 755 configure
|
||||
%configure \
|
||||
|
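Review bot: `CFLAGS` is seeded with `-w`, which as far as I know makes GCC drop warnings before `-Werror=` can promote them. The `-Wformat`, `-Wformat-security` and `-Werror=format-security` flags added through `cflags` therefore likely have no effect in this build. If the format-string check is meant to be enforced, drop `-w` from the `CFLAGS=` line, or confirm in the build log that a format-security violation actually fails the build. In the `*)` branch of `cflags` the flag is appended once after the `${CC:-gcc}` probe and again after the `${CXX:-g++}` probe, so it is duplicated in the variable, and it is added even when only the C++ compiler accepts it. Which of these lines are new cannot be determined from the rendered hunk.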