Accepting request 838775 from Publishing
- Add upstream security patches/commits * 100e27.patch * 3065eb.patch * ca48cc.patch - Do hardening via compile and linker flags OBS-URL: https://build.opensuse.org/request/show/838775 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/transfig?expand=0&rev=45
commit
9fb5ccc032
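--- /dev/null
+++ b/100e27.patch
@@ -0,0 +1,32 @@
+From 100e2789f8106f9cc0f7e4319c4ee7bda076c3ac Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sun, 16 Feb 2020 13:25:03 +0100
+Subject: [PATCH] Modify commit [3165d8]: Use tangent, not secant
+
+Use the tangent, not a secant, for short arrows on arcs.
+---
+fig2dev/bound.c | 6 ++----
+1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git fig2dev/bound.c fig2dev/bound.c
+index d305ab9..ea97461 100644
+--- fig2dev/bound.c
++++ fig2dev/bound.c
+@@ -1102,12 +1102,10 @@ compute_arcarrow_angle(double x1, double y1, double x2, double y2,
+/* add this to the length */
+h += lpt;
+
+- /* radius too small for this method, use normal method */
+- if (h > 2.0*r) {
++ /* secant would be too large or too small */
++ if (h > 2.0*r || h < 0.01*r) {
+arc_tangent_int(x1,y1,x2,y2,direction,x,y);
+return;
+- } else if (h < thick) {
+- h = thick;
+}
+
+beta=atan2(dy,dx);
+--
+2.16.4
+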
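--- /dev/null
+++ b/3065eb.patch
@@ -0,0 +1,63 @@
+From 3065ebc14bb96506429b4ebde3aeb3793c72a66d Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sun, 16 Feb 2020 18:54:01 +0100
+Subject: [PATCH] Allow last line of file lacking eol char, #83, #84
+
+If the last line of a fig file does not end with a newline, the code parsing
+the input could read beyond the allocated buffer. This commit fixes the parsing
+at two locations in the code, one in string parsing, the second where sequences
+of a backslash and octal digits are converted to characters.
+---
+fig2dev/read.c | 6 ++++--
+fig2dev/tests/read.at | 11 +++++++++++
+2 files changed, 15 insertions(+), 2 deletions(-)
+
+--- fig2dev/read.c
++++ fig2dev/read.c 2020-09-30 10:46:34.214234522 +0000
+@@ -1483,6 +1483,8 @@ read_textobject(FILE *fp, char **restric
+
+len = strlen(start);
+start[len++] = '\n'; /* put back the newline */
++ start[len] = '\0'; /* and terminate the string,
++ in case nothing else is found */
+
+/* allocate plenty of space */
+next = malloc(len + BUFSIZ);
+@@ -1491,7 +1493,7 @@ read_textobject(FILE *fp, char **restric
+free(t);
+return NULL;
+}
+- memcpy(next, start, len);
++ memcpy(next, start, len + 1);
+
+while ((chars = getline(line, line_len, fp)) != -1) {
+++(*line_no);
+@@ -1525,7 +1527,7 @@ read_textobject(FILE *fp, char **restric
+len = end - start;
+l = len;
+while (c[l] != '\0') {
+- if (c[l] == '\\') {
++ if (c[l] == '\\' && c[l+1] != '\0') {
+/* convert 3 digit octal value */
+if (isdigit(c[l+1]) && c[l+2] != '\0' &&
+c[l+3] != '\0') {
+--- fig2dev/tests/read.at
++++ fig2dev/tests/read.at 2020-09-30 10:46:34.262233620 +0000
+@@ -416,6 +416,17 @@ AT_CHECK([fig2dev -L tikz text.fig
+], 0, ignore)
+AT_CLEANUP
+
++AT_SETUP([allow files end without eol, tickets #83, #84])
++AT_KEYWORDS([read.c])
++AT_CHECK([AS_ECHO_N(["FIG_FILE_TOP
++4 0 0 50 0 -1 12 0 0 150 405 0 0 No end-of-line here -->"]) | \
++ fig2dev -L box], 0, ignore)
++AT_CHECK([AS_ECHO_N(["FIG_FILE_TOP
++4 0 0 50 0 -1 12 0 0 150 405 0 0 Start string
++No end-of-line after one backslash --> \\"]) | \
++ fig2dev -L box], 0, ignore)
++AT_CLEANUP
++
+AT_BANNER([Dynamically allocate picture file name.])
+
+AT_SETUP([prepend fig file path to picture file name])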
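--- /dev/null
+++ b/ca48cc.patch
@@ -0,0 +1,35 @@
+From ca48ccc90bd3e7801a63cf9a541f292b28ed1260 Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Mon, 17 Feb 2020 12:18:12 +0100
+Subject: [PATCH] Amend previous commit - avoid buffer overflow
+
+Regards to Dr. Werner Fink, see discussion to ticket #83.
+---
+fig2dev/read.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git fig2dev/read.c fig2dev/read.c
+index 0bdcd3d..d1ae463 100644
+--- fig2dev/read.c
++++ fig2dev/read.c
+@@ -1489,8 +1489,6 @@ read_textobject(FILE *fp, char **restrict line, size_t *line_len, int *line_no)
+
+len = strlen(start);
+start[len++] = '\n'; /* put back the newline */
+- start[len] = '\0'; /* and terminate the string,
+- in case nothing else is found */
+
+/* allocate plenty of space */
+next = malloc(len + BUFSIZ);
+@@ -1500,6 +1498,8 @@ read_textobject(FILE *fp, char **restrict line, size_t *line_len, int *line_no)
+return NULL;
+}
+memcpy(next, start, len + 1);
++ next[len] = '\0'; /* terminate the initial string,
++ in case nothing else is found */
+
+while ((chars = getline(line, line_len, fp)) != -1) {
+++(*line_no);
+--
+2.16.4
+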
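Review bot: The context line `memcpy(next, start, len + 1);` in the second hunk of this patch still copies one byte more than the `len` bytes known to be valid in `start`, because `len` already counts the `'\n'` written over the old terminator. The first hunk removes the write to `start[len]` as a possible overflow, so the read of that same byte by memcpy may equally lie past the getline buffer when the last line has no newline. The copied byte is overwritten at once by the added `next[len] = '\0';`, so `memcpy(next, start, len);` would be enough and would avoid the possible one-byte over-read. read_textobject begins and ends outside both hunks, so the real size of the line buffer cannot be confirmed from here.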
@ -1,3 +1,16 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Sep 30 10:48:31 UTC 2020 - Dr. Werner Fink <werner@suse.de>
|
||||||
|
|
||||||
|
- Add upstream security patches/commits
|
||||||
|
* 100e27.patch
|
||||||
|
* 3065eb.patch
|
||||||
|
* ca48cc.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Sep 29 09:24:16 UTC 2020 - Dr. Werner Fink <werner@suse.de>
|
||||||
|
|
||||||
|
- Do hardening via compile and linker flags
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Feb 11 11:38:01 UTC 2020 - Dr. Werner Fink <werner@suse.de>
|
Tue Feb 11 11:38:01 UTC 2020 - Dr. Werner Fink <werner@suse.de>
|
||||||
|
|
||||||
|
@ -70,6 +70,9 @@ Patch14: 2f8d1a.patch
|
|||||||
Patch15: 4d4e1f.patch
|
Patch15: 4d4e1f.patch
|
||||||
Patch16: 3165d8.patch
|
Patch16: 3165d8.patch
|
||||||
Patch17: 639c36.patch
|
Patch17: 639c36.patch
|
||||||
|
Patch18: 100e27.patch
|
||||||
|
Patch19: 3065eb.patch
|
||||||
|
Patch20: ca48cc.patch
|
||||||
Patch43: fig2dev-3.2.6-fig2mpdf.patch
|
Patch43: fig2dev-3.2.6-fig2mpdf.patch
|
||||||
Patch44: fig2dev-3.2.6-fig2mpdf-doc.patch
|
Patch44: fig2dev-3.2.6-fig2mpdf-doc.patch
|
||||||
Patch45: fig2dev-3.2.6a-RGBFILE.patch
|
Patch45: fig2dev-3.2.6a-RGBFILE.patch
|
||||||
@ -127,14 +130,59 @@ find -type f | xargs -r chmod a-x,go-w
|
|||||||
%patch15 -p0 -b .sec12
|
%patch15 -p0 -b .sec12
|
||||||
%patch16 -p0 -b .sec13
|
%patch16 -p0 -b .sec13
|
||||||
%patch17 -p0 -b .sec14
|
%patch17 -p0 -b .sec14
|
||||||
|
%patch18 -p0 -b .sec15
|
||||||
|
%patch19 -p0 -b .sec16
|
||||||
|
%patch20 -p0 -b .sec17
|
||||||
%patch43 -p2 -b .mpdf
|
%patch43 -p2 -b .mpdf
|
||||||
%patch44 -p1 -b .mpdfdoc
|
%patch44 -p1 -b .mpdfdoc
|
||||||
%patch45 -p1 -b .p45
|
%patch45 -p1 -b .p45
|
||||||
|
|
||||||
%build
|
%build
|
||||||
ulimit -v unlimited || :
|
ulimit -v unlimited || :
|
||||||
|
#
|
||||||
|
# Used for detection of hardening options of gcc and linker
|
||||||
|
#
|
||||||
|
cflags ()
|
||||||
|
{
|
||||||
|
local flag=$1; shift
|
||||||
|
local var=$1; shift
|
||||||
|
test -n "${flag}" -a -n "${var}" || return
|
||||||
|
case "${!var}" in
|
||||||
|
*${flag}*) return
|
||||||
|
esac
|
||||||
|
case "$flag" in
|
||||||
|
-Wl,*)
|
||||||
|
set -o noclobber
|
||||||
|
echo 'int main () { return 0; }' > ldtest.c
|
||||||
|
if ${CC:-gcc} -Werror $flag -o /dev/null -xc ldtest.c > /dev/null 2>&1 ; then
|
||||||
|
eval $var=\${$var:+\$$var\ }$flag
|
||||||
|
fi
|
||||||
|
set +o noclobber
|
||||||
|
rm -f ldtest.c
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
if ${CC:-gcc} -Werror $flag -S -o /dev/null -xc /dev/null > /dev/null 2>&1 ; then
|
||||||
|
eval $var=\${$var:+\$$var\ }$flag
|
||||||
|
fi
|
||||||
|
if ${CXX:-g++} -Werror $flag -S -o /dev/null -xc++ /dev/null > /dev/null 2>&1 ; then
|
||||||
|
eval $var=\${$var:+\$$var\ }$flag
|
||||||
|
fi
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
CC=gcc
|
CC=gcc
|
||||||
CFLAGS="%{optflags} -fno-strict-aliasing -w -D_GNU_SOURCE -std=gnu99 $(getconf LFS_CFLAGS)"
|
CFLAGS="%{optflags} -fno-strict-aliasing -w -D_GNU_SOURCE -std=gnu99 $(getconf LFS_CFLAGS)"
|
||||||
|
cflags -D_FORTIFY_SOURCE=2 CFLAGS
|
||||||
|
cflags -fstack-protector CFLAGS
|
||||||
|
cflags -fstack-protector-strong CFLAGS
|
||||||
|
cflags -fstack-protector-all CFLAGS
|
||||||
|
cflags -Wformat CFLAGS
|
||||||
|
cflags -Wformat-security CFLAGS
|
||||||
|
cflags -Werror=format-security CFLAGS
|
||||||
|
cflags -fPIE CFLAGS
|
||||||
|
cflags -pie LDFLAGS
|
||||||
|
cflags -Wl,-z,relro LDFLAGS
|
||||||
|
cflags -Wl,-z,now LDFLAGS
|
||||||
export CC CFLAGS LDFLAGS
|
export CC CFLAGS LDFLAGS
|
||||||
chmod 755 configure
|
chmod 755 configure
|
||||||
%configure \
|
%configure \
|
||||||
|
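Review bot: The added `cflags -Wformat CFLAGS`, `cflags -Wformat-security CFLAGS` and `cflags -Werror=format-security CFLAGS` probes are probably without effect, because the unchanged `CFLAGS="%{optflags} -fno-strict-aliasing -w ..."` line still passes `-w`, which makes gcc suppress warnings and, as far as I know, also those promoted by `-Werror=`. If the format-string checks are meant to gate the build, `-w` should be dropped from CFLAGS, or a comment should state why it has to stay. In the `*)` branch of `cflags` the flag is appended once after the `${CC:-gcc}` probe and again after the `${CXX:-g++}` probe, so each accepted flag ends up in the variable twice; a single append after either probe succeeds would keep the flag lists readable in build logs. The helper would also benefit from a comment saying that `-pie` goes through the `-S` probe, which never invokes the linker, e.g. `# -pie is only checked for driver acceptance, not by an actual link`.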