Accepting request 838775 from Publishing

- Add upstream security patches/commits
  * 100e27.patch
  * 3065eb.patch
  * ca48cc.patch

- Do hardening via compile and linker flags

OBS-URL: https://build.opensuse.org/request/show/838775
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/transfig?expand=0&rev=45
This commit is contained in:
Dominique Leuenberger 2020-10-03 16:55:00 +00:00 committed by Git OBS Bridge
commit 9fb5ccc032
5 changed files with 191 additions and 0 deletions

32
100e27.patch Normal file
View File

@ -0,0 +1,32 @@
From 100e2789f8106f9cc0f7e4319c4ee7bda076c3ac Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
Date: Sun, 16 Feb 2020 13:25:03 +0100
Subject: [PATCH] Modify commit [3165d8]: Use tangent, not secant
Use the tangent, not a secant, for short arrows on arcs.
---
fig2dev/bound.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git fig2dev/bound.c fig2dev/bound.c
index d305ab9..ea97461 100644
--- fig2dev/bound.c
+++ fig2dev/bound.c
@@ -1102,12 +1102,10 @@ compute_arcarrow_angle(double x1, double y1, double x2, double y2,
/* add this to the length */
h += lpt;
- /* radius too small for this method, use normal method */
- if (h > 2.0*r) {
+ /* secant would be too large or too small */
+ if (h > 2.0*r || h < 0.01*r) {
arc_tangent_int(x1,y1,x2,y2,direction,x,y);
return;
- } else if (h < thick) {
- h = thick;
}
beta=atan2(dy,dx);
--
2.16.4

63
3065eb.patch Normal file
View File

@ -0,0 +1,63 @@
From 3065ebc14bb96506429b4ebde3aeb3793c72a66d Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
Date: Sun, 16 Feb 2020 18:54:01 +0100
Subject: [PATCH] Allow last line of file lacking eol char, #83, #84
If the last line of a fig file does not end with a newline, the code parsing
the input could read beyond the allocated buffer. This commit fixes the parsing
at two locations in the code, one in string parsing, the second where sequences
of a backslash and octal digits are converted to characters.
---
fig2dev/read.c | 6 ++++--
fig2dev/tests/read.at | 11 +++++++++++
2 files changed, 15 insertions(+), 2 deletions(-)
--- fig2dev/read.c
+++ fig2dev/read.c 2020-09-30 10:46:34.214234522 +0000
@@ -1483,6 +1483,8 @@ read_textobject(FILE *fp, char **restric
len = strlen(start);
start[len++] = '\n'; /* put back the newline */
+ start[len] = '\0'; /* and terminate the string,
+ in case nothing else is found */
/* allocate plenty of space */
next = malloc(len + BUFSIZ);
@@ -1491,7 +1493,7 @@ read_textobject(FILE *fp, char **restric
free(t);
return NULL;
}
- memcpy(next, start, len);
+ memcpy(next, start, len + 1);
while ((chars = getline(line, line_len, fp)) != -1) {
++(*line_no);
@@ -1525,7 +1527,7 @@ read_textobject(FILE *fp, char **restric
len = end - start;
l = len;
while (c[l] != '\0') {
- if (c[l] == '\\') {
+ if (c[l] == '\\' && c[l+1] != '\0') {
/* convert 3 digit octal value */
if (isdigit(c[l+1]) && c[l+2] != '\0' &&
c[l+3] != '\0') {
--- fig2dev/tests/read.at
+++ fig2dev/tests/read.at 2020-09-30 10:46:34.262233620 +0000
@@ -416,6 +416,17 @@ AT_CHECK([fig2dev -L tikz text.fig
], 0, ignore)
AT_CLEANUP
+AT_SETUP([allow files end without eol, tickets #83, #84])
+AT_KEYWORDS([read.c])
+AT_CHECK([AS_ECHO_N(["FIG_FILE_TOP
+4 0 0 50 0 -1 12 0 0 150 405 0 0 No end-of-line here -->"]) | \
+ fig2dev -L box], 0, ignore)
+AT_CHECK([AS_ECHO_N(["FIG_FILE_TOP
+4 0 0 50 0 -1 12 0 0 150 405 0 0 Start string
+No end-of-line after one backslash --> \\"]) | \
+ fig2dev -L box], 0, ignore)
+AT_CLEANUP
+
AT_BANNER([Dynamically allocate picture file name.])
AT_SETUP([prepend fig file path to picture file name])

35
ca48cc.patch Normal file
View File

@ -0,0 +1,35 @@
From ca48ccc90bd3e7801a63cf9a541f292b28ed1260 Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
Date: Mon, 17 Feb 2020 12:18:12 +0100
Subject: [PATCH] Amend previous commit - avoid buffer overflow
Regards to Dr. Werner Fink, see discussion to ticket #83.
---
fig2dev/read.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git fig2dev/read.c fig2dev/read.c
index 0bdcd3d..d1ae463 100644
--- fig2dev/read.c
+++ fig2dev/read.c
@@ -1489,8 +1489,6 @@ read_textobject(FILE *fp, char **restrict line, size_t *line_len, int *line_no)
len = strlen(start);
start[len++] = '\n'; /* put back the newline */
- start[len] = '\0'; /* and terminate the string,
- in case nothing else is found */
/* allocate plenty of space */
next = malloc(len + BUFSIZ);
@@ -1500,6 +1498,8 @@ read_textobject(FILE *fp, char **restrict line, size_t *line_len, int *line_no)
return NULL;
}
memcpy(next, start, len + 1);
+ next[len] = '\0'; /* terminate the initial string,
+ in case nothing else is found */
while ((chars = getline(line, line_len, fp)) != -1) {
++(*line_no);
--
2.16.4

View File

@ -1,3 +1,16 @@
-------------------------------------------------------------------
Wed Sep 30 10:48:31 UTC 2020 - Dr. Werner Fink <werner@suse.de>
- Add upstream security patches/commits
* 100e27.patch
* 3065eb.patch
* ca48cc.patch
-------------------------------------------------------------------
Tue Sep 29 09:24:16 UTC 2020 - Dr. Werner Fink <werner@suse.de>
- Do hardening via compile and linker flags
-------------------------------------------------------------------
Tue Feb 11 11:38:01 UTC 2020 - Dr. Werner Fink <werner@suse.de>

View File

@ -70,6 +70,9 @@ Patch14: 2f8d1a.patch
Patch15: 4d4e1f.patch
Patch16: 3165d8.patch
Patch17: 639c36.patch
Patch18: 100e27.patch
Patch19: 3065eb.patch
Patch20: ca48cc.patch
Patch43: fig2dev-3.2.6-fig2mpdf.patch
Patch44: fig2dev-3.2.6-fig2mpdf-doc.patch
Patch45: fig2dev-3.2.6a-RGBFILE.patch
@ -127,14 +130,59 @@ find -type f | xargs -r chmod a-x,go-w
%patch15 -p0 -b .sec12
%patch16 -p0 -b .sec13
%patch17 -p0 -b .sec14
%patch18 -p0 -b .sec15
%patch19 -p0 -b .sec16
%patch20 -p0 -b .sec17
%patch43 -p2 -b .mpdf
%patch44 -p1 -b .mpdfdoc
%patch45 -p1 -b .p45
%build
ulimit -v unlimited || :
#
# Used for detection of hardening options of gcc and linker
#
cflags ()
{
local flag=$1; shift
local var=$1; shift
test -n "${flag}" -a -n "${var}" || return
case "${!var}" in
*${flag}*) return
esac
case "$flag" in
-Wl,*)
set -o noclobber
echo 'int main () { return 0; }' > ldtest.c
if ${CC:-gcc} -Werror $flag -o /dev/null -xc ldtest.c > /dev/null 2>&1 ; then
eval $var=\${$var:+\$$var\ }$flag
fi
set +o noclobber
rm -f ldtest.c
;;
*)
if ${CC:-gcc} -Werror $flag -S -o /dev/null -xc /dev/null > /dev/null 2>&1 ; then
eval $var=\${$var:+\$$var\ }$flag
fi
if ${CXX:-g++} -Werror $flag -S -o /dev/null -xc++ /dev/null > /dev/null 2>&1 ; then
eval $var=\${$var:+\$$var\ }$flag
fi
esac
}
CC=gcc
CFLAGS="%{optflags} -fno-strict-aliasing -w -D_GNU_SOURCE -std=gnu99 $(getconf LFS_CFLAGS)"
cflags -D_FORTIFY_SOURCE=2 CFLAGS
cflags -fstack-protector CFLAGS
cflags -fstack-protector-strong CFLAGS
cflags -fstack-protector-all CFLAGS
cflags -Wformat CFLAGS
cflags -Wformat-security CFLAGS
cflags -Werror=format-security CFLAGS
cflags -fPIE CFLAGS
cflags -pie LDFLAGS
cflags -Wl,-z,relro LDFLAGS
cflags -Wl,-z,now LDFLAGS
export CC CFLAGS LDFLAGS
chmod 755 configure
%configure \