Bug bsc#1069257, CVE-2017-16899

OBS-URL: https://build.opensuse.org/package/show/Publishing/transfig?expand=0&rev=43
Dr. Werner Fink 2017-11-22 12:37:26 +00:00 committed by Git OBS Bridge
parent 875b3e390e
commit d0dca8bc4a
6 changed files with 154 additions and 1 deletions


@ -0,0 +1,32 @@
From: Roland Rosenfeld <roland@debian.org>
Subject: rgb.txt can not be located via FIG2DEV_RGBFILE environment variable.
This allows to run the test suite without the package being installed before.
--- a/fig2dev/colors.c
+++ b/fig2dev/colors.c
@@ -27,6 +27,7 @@
#include "pi.h"
#include "fig2dev.h"
+#include <stdlib.h>
struct color_db {
char *name;
@@ -108,10 +109,15 @@ read_colordb(void)
char s[100], s1[100], *c1, *c2;
unsigned short r,g,b;
struct color_db *col;
+ char *rgbfile;
- fp = fopen(RGB_FILE, "r");
+ rgbfile = getenv("FIG2DEV_RGBFILE");
+ if (rgbfile == NULL) {
+ rgbfile = RGB_FILE;
+ }
+ fp = fopen(rgbfile, "r");
if (fp == NULL) {
- fprintf(stderr,"Couldn't open the RGB database file '%s'\n", RGB_FILE);
+ fprintf(stderr,"Couldn't open the RGB database file '%s'\n", rgbfile);
return -1;
}
if ((Xcolors = (struct color_db*) malloc(maxcolors*sizeof(struct color_db)))
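Review bot: In the read_colordb hunk, `FIG2DEV_RGBFILE` is honoured whenever it is set, including when it is set to the empty string, so an empty value makes `fopen` fail instead of falling back to `RGB_FILE`; the guard could read `if (rgbfile == NULL || *rgbfile == '\0')`. The patch header gives running the test suite as the purpose, but the override is compiled into every installed binary, so a caller that runs fig2dev with an environment it does not fully control now lets that environment pick the file that is parsed into the fixed `s[100]` and `s1[100]` buffers. The parsing code lies outside the hunk (read_colordb continues past it) and should be confirmed to use bounded reads. I would add a comment above the `getenv` call, for example `/* test-suite override: path is taken from the environment as-is */`, and document the variable in the man page.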


@ -0,0 +1,41 @@
Description: Some input sanitizing when reading FIG files.
Bug-Debian: https://bugs.debian.org/881143
Bug-Debian: https://bugs.debian.org/881144
Author: Thomas Loimer <thomas.loimer@tuwien.ac.at>
--- a/fig2dev/read.c
+++ b/fig2dev/read.c
@@ -1329,8 +1329,14 @@ read_textobject(FILE *fp)
| PSFONT_TEXT;
/* keep the font number reasonable */
- if (t->font > MAXFONT(t))
+ if (t->font > MAXFONT(t)) {
t->font = MAXFONT(t);
+ } else if (t->font < 0 ) {
+ if (psfont_text(t) && t->font < -1)
+ t->font = -1;
+ else
+ t->font = 0;
+ }
fix_and_note_color(&t->color);
t->comments = attach_comments(); /* attach any comments */
return t;
--- a/fig2dev/read1_3.c
+++ b/fig2dev/read1_3.c
@@ -470,6 +470,15 @@ read_textobject(FILE *fp)
free((char*) t);
return(NULL);
}
+ /* keep the font number within valid range */
+ if (t->font > MAXFONT(t)) {
+ t->font = MAXFONT(t);
+ } else if (t->font < 0 ) {
+ if (psfont_text(t) && t->font < -1)
+ t->font = -1;
+ else
+ t->font = 0;
+ }
(void)strcpy(t->cstring, buf);
if (t->size == 0) t->size = 18;
return(t);
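Review bot: The clamp added to read1_3.c evaluates `MAXFONT(t)` and `psfont_text(t)`, which presumably depend on `t->flags`, and unlike the read.c hunk (where the context line `| PSFONT_TEXT;` shows the flags being set just before) nothing visible here shows the flags initialised before the check; please confirm that, since both read_textobject bodies start outside their hunks. The same nine lines are duplicated in read.c and read1_3.c, so a single static helper taking the text object, declared in a shared header, would keep the two bounds from drifting apart. The clamp is also silent: a one-line warning on stderr when a font number from the file is out of range would make malformed or hostile FIG input visible to whoever runs the conversion. The comment could state why the lower bound differs, e.g. `/* -1 is accepted only for PostScript fonts; everything else is clamped to 0 */`.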


@ -0,0 +1,14 @@
From: Roland Rosenfeld <roland@debian.org>
Subject: Fix typo in man page fig2ps2tex.
--- a/man/fig2ps2tex.1
+++ b/man/fig2ps2tex.1
@@ -22,7 +22,7 @@ for those systems with csh and dc.
Note that the
.I psfig
macro package provides a more sophisticated approach to including
-Postscript files in LaTeX docuements.
+Postscript files in LaTeX documents.
.I Fig2ps2tex
works with plain TeX however.


@ -0,0 +1,47 @@
Description: Sanitize input of fill patterns.
Bug-Debian: https://bugs.debian.org/881396
Author: Thomas Loimer <thomas.loimer@tuwien.ac.at>
--- a/fig2dev/read.c
+++ b/fig2dev/read.c
@@ -71,6 +71,8 @@ static int save_comment(void);
#define FILL_CONVERT(f) ((v2_flag || (f) < WHITE_FILL) \
? (v30_flag? f: (f-1)) : 20 - ((f)-1)*5)
+#define FILL_SANITIZE(f) ((f) < UNFILLED || (f) >= \
+ NUMSHADES + NUMTINTS + NUMPATTERNS) ? UNFILLED : f
/* input buffer size */
#define BUF_SIZE 1024
@@ -547,6 +549,7 @@ read_arcobject(FILE *fp)
}
a->thickness *= round(THICK_SCALE);
a->fill_style = FILL_CONVERT(a->fill_style);
+ a->fill_style = FILL_SANITIZE(a->fill_style);
NOTE_FILL(a);
fix_and_note_color(&a->pen_color);
if (fa) {
@@ -730,6 +733,7 @@ read_ellipseobject(void)
fix_and_note_color(&e->pen_color);
e->thickness *= round(THICK_SCALE);
e->fill_style = FILL_CONVERT(e->fill_style);
+ e->fill_style = FILL_SANITIZE(e->fill_style);
NOTE_FILL(e);
e->comments = attach_comments(); /* attach any comments */
return e;
@@ -895,6 +899,7 @@ read_lineobject(FILE *fp)
l->radius *= round(THICK_SCALE);
l->thickness *= round(THICK_SCALE);
l->fill_style = FILL_CONVERT(l->fill_style);
+ l->fill_style = FILL_SANITIZE(l->fill_style);
NOTE_FILL(l);
fix_and_note_color(&l->pen_color);
if (fa) {
@@ -1051,6 +1056,7 @@ read_splineobject(FILE *fp)
}
s->thickness *= round(THICK_SCALE);
s->fill_style = FILL_CONVERT(s->fill_style);
+ s->fill_style = FILL_SANITIZE(s->fill_style);
NOTE_FILL(s);
fix_and_note_color(&s->pen_color);
if (fa) {
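Review bot: `FILL_SANITIZE` as added to read.c has no outer parentheses and ends in a bare `f`, so it yields the intended value only because all four call sites use it as the whole right-hand side of an assignment; `#define FILL_SANITIZE(f) (((f) < UNFILLED || (f) >= NUMSHADES + NUMTINTS + NUMPATTERNS) ? UNFILLED : (f))` is safe in any expression. The range check also runs after `FILL_CONVERT`, whose `(f-1)` and `((f)-1)*5` arithmetic is applied to the value as read from the file. If fill_style is a signed int (its declaration is not visible here), an extreme input could overflow in that conversion before the check ever sees it, so rejecting out-of-range raw values before converting would close that gap. The macro deserves a one-line comment such as `/* map any fill style outside [UNFILLED, NUMSHADES+NUMTINTS+NUMPATTERNS) to UNFILLED */`; the four read_* functions continue outside their hunks.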


@ -1,3 +1,14 @@
-------------------------------------------------------------------
Wed Nov 22 12:25:21 UTC 2017 - werner@suse.de
- Added patches
* fig2dev-3.2.6a-RGBFILE.patch to let rgb.txt be located via
environment variable FIG2DEV_RGBFILE
* fig2dev-3.2.6a-man-typo.patch to fix simple typo in manual page
* fig2dev-3.2.6a-input-sanitizing.patch to do some input
sanitizing when reading FIG files (bsc#1069257, CVE-2017-16899)
* fig2dev-3.2.6a-style-overflow.patch
-------------------------------------------------------------------
Mon Feb 6 11:23:24 UTC 2017 - werner@suse.de


@ -54,9 +54,9 @@ Requires: texlive-epstopdf
Version: 3.2.6a
Release: 0
Summary: Graphic Converter
#Source: http://sourceforge.net/projects/mcj/files/fig2dev-%{version}.tar.xz/download#/fig2dev-%{version}.tar.xz
License: MIT
Group: Productivity/Graphics/Convertors
#Source: http://sourceforge.net/projects/mcj/files/fig2dev-%{version}.tar.xz/download#/fig2dev-%{version}.tar.xz
Source: fig2dev-%{version}.tar.xz
Patch0: transfig-3.2.6.dif
Patch2: transfig.3.2.5-binderman.dif
@ -65,6 +65,10 @@ Patch4: transfig-fix-afl.patch
Patch42: fig2dev-3.2.6-genps_oldpatterns.patch
Patch43: fig2dev-3.2.6-fig2mpdf.patch
Patch44: fig2dev-3.2.6-fig2mpdf-doc.patch
Patch45: fig2dev-3.2.6a-RGBFILE.patch
Patch46: fig2dev-3.2.6a-man-typo.patch
Patch47: fig2dev-3.2.6a-input-sanitizing.patch
Patch48: fig2dev-3.2.6a-style-overflow.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%{expand: %%global _exec_prefix %(type -p pkg-config &>/dev/null && pkg-config --variable prefix x11 || echo /usr/X11R6)}
%if "%_exec_prefix" == "/usr/X11R6"
@ -108,6 +112,10 @@ find -type f | xargs -r chmod a-x,go-w
%patch42 -p2 -b .oldp
%patch43 -p2 -b .mpdf
%patch44 -p1 -b .mpdfdoc
%patch45 -p1 -b .p45
%patch46 -p1 -b .p46
%patch47 -p1 -b .p47
%patch48 -p1 -b .p48
%build
CC=gcc