bsc#1159130 and bsc#1159293

OBS-URL: https://build.opensuse.org/package/show/Publishing/transfig?expand=0&rev=59

CVE-2019-19746.patch

@@ -0,0 +1,69 @@
+Based on 3065abc7b4f740ed6532322843531317de782a26 Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Tue, 10 Dec 2019 13:17:36 +0100
+Subject: [PATCH] Reject huge arrow types, ticket #57
+
+An arrow type being large enough would pass the test for
+a valid type by integer overflow.
+---
+ fig2dev/arrow.c       |   13 ++++++++-----
+ fig2dev/tests/read.at |   12 ++++++++++++
+ 2 files changed, 20 insertions(+), 5 deletions(-)
+
+--- fig2dev/arrow.c
++++ fig2dev/arrow.c	2020-01-21 11:02:33.457498151 +0000
+@@ -1,9 +1,10 @@
+ /*
+  * Fig2dev: Translate Fig code to various Devices
+- * Copyright (c) 1985 by Supoj Sutantavibul
+  * Copyright (c) 1991 by Micah Beck
+- * Parts Copyright (c) 1989-2002 by Brian V. Smith
+- * Parts Copyright (c) 2015-2018 by Thomas Loimer
++ * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
++ * Parts Copyright (c) 1989-2015 by Brian V. Smith
++ * Parts Copyright (c) 2015-2019 by Thomas Loimer
++ *
+  *
+  * Any party obtaining a copy of these files is granted, free of charge, a
+  * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -78,7 +79,9 @@ make_arrow(int type, int style, double t
+ {
+ 	F_arrow		*a;
+ 
+-	if (style < 0 || style > 1 || type < 0 || (type + 1) * 2 > NUMARROWS)
++	if (style < 0 || style > 1 || type < 0 ||
++			/* beware of int overflow */
++			type > NUMARROWS || (type + 1) * 2 > NUMARROWS)
+ 		return NULL;
+ 	if (NULL == (Arrow_malloc(a))) {
+ 		put_msg(Err_mem);
+@@ -90,7 +93,7 @@ make_arrow(int type, int style, double t
+ 
+ 	a->type = type;
+ 	a->style = style;
+-	a->thickness = thickness*THICK_SCALE;
++	a->thickness = thickness * THICK_SCALE;
+ 	a->wid = wid;
+ 	a->ht = ht;
+ 	return a;
+--- fig2dev/tests/read.at
++++ fig2dev/tests/read.at	2020-01-21 11:02:33.457498151 +0000
+@@ -135,6 +135,18 @@ A single point with a backward arrow - r
+ ])
+ AT_CLEANUP
+ 
++AT_SETUP([reject huge arrow-type, ticket #57])
++AT_KEYWORDS(arrow.c arrow)
++AT_CHECK([fig2dev -L box <<EOF
++FIG_FILE_TOP
++2 1 0 1 -1 -1 50 -1 -1 0. 0 0 0 1 0 2
++	10000000000000 0 1 60 120
++0 0 600 0
++EOF
++], 1, ignore, [Invalid forward arrow at line 11.
++])
++AT_CLEANUP
++
+ AT_SETUP([reject negative font type])
+ AT_KEYWORDS(read.c font)
+ AT_CHECK([fig2dev -L box <<EOF

c379fe.patch

@@ -0,0 +1,65 @@
+Based on c379fe50574e5b5dd6e17f15d8473c5713d1b823 Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Wed, 11 Dec 2019 21:36:46 +0100
+Subject: [PATCH] Convert polygons with too few points to polylines
+
+As a side effect, this also fixes ticket #56.
+---
+ fig2dev/read.c        |   16 ++++++++++++++++
+ fig2dev/tests/read.at |   11 +++++++++++
+ 2 files changed, 27 insertions(+)
+
+--- fig2dev/read.c
++++ fig2dev/read.c	2020-01-21 11:29:27.367140319 +0000
+@@ -793,8 +793,10 @@ read_ellipseobject(void)
+ /*
+  * Sanitize line objects. Return 0 on success, -1 otherwise.
+  * On error, call free_linestorage(l) after sanitize_lineobject().
++ *
+  * polylines: remove fill, if less than 3 points
+  *		remove arrows, if only one point
++ * polygons: convert to polyline if less than 3 unique points
+  * rectangles, polygons: last point must coincide with first point
+  * rectangle: convert to polygon, if not 5 points
+  * rectangle with rounded corners: error, if not 5 points
+@@ -854,6 +856,20 @@ sanitize_lineobject(
+ 	    q->y = l->points->y;
+ 	}
+ 
++	if (l->type == T_POLYGON) {
++		int	npts;
++
++		q = l->points;
++		for (npts = 1; q->next && npts < 4; q = q->next)
++			++npts;
++		if (npts < 4 ) {
++			put_msg("A polygon with %d points at line %d - convert to a polyline.",
++			npts, line_no);
++			l->type = T_POLYLINE;
++			return 0;
++		}
++	}
++
+ 	if (l->type == T_BOX || l->type == T_ARC_BOX || l->type == T_PIC_BOX) {
+ 	    int	npts = 1;
+ 	    for (q = l->points; q->next; q = q->next)
+--- fig2dev/tests/read.at
++++ fig2dev/tests/read.at	2020-01-21 11:29:27.367140319 +0000
+@@ -147,6 +147,17 @@ EOF
+ ])
+ AT_CLEANUP
+ 
++AT_SETUP([convert short polygon to polyline, ticket #56])
++AT_KEYWORDS(read.c polygon)
++AT_CHECK([fig2dev -L ptk <<EOF
++FIG_FILE_TOP
++2 3 0 1 -1 -1 50 -1 -1 0.0 0 0 -1 0 0 1
++	0 0
++EOF
++], 0, ignore, [A polygon with 1 points at line 11 - convert to a polyline.
++])
++AT_CLEANUP
++
+ AT_SETUP([reject negative font type])
+ AT_KEYWORDS(read.c font)
+ AT_CHECK([fig2dev -L box <<EOF

transfig.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Jan 21 12:15:46 UTC 2020 - Dr. Werner Fink <werner@suse.de>
+
+- Add security patches
+  * CVE-2019-19746.patch -- bsc#1159130
+  * c379fe.patch ... currently without CVE and bugzilla entry
+  * CVE-2019-19797.patch -- bsc#1159293
+
 -------------------------------------------------------------------
 Thu Dec  5 08:49:13 UTC 2019 - Dr. Werner Fink <werner@suse.de>
 

transfig.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package transfig
 #
-# Copyright (c) 2019 SUSE LLC
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -57,6 +57,9 @@ Patch1:         CVE-2019-19555.patch
 Patch2:         transfig.3.2.5-binderman.dif
 Patch3:         transfig.3.2.5d-mediaboxrealnb.dif
 Patch4:         transfig-fix-afl.patch
+Patch5:         CVE-2019-19746.patch
+Patch6:         c379fe.patch
+Patch7:         CVE-2019-19797.patch
 Patch43:        fig2dev-3.2.6-fig2mpdf.patch
 Patch44:        fig2dev-3.2.6-fig2mpdf-doc.patch
 Patch45:        fig2dev-3.2.6a-RGBFILE.patch
@@ -101,6 +104,9 @@ find -type f | xargs -r chmod a-x,go-w
 %patch2 -p0 -b .bm
 %patch3 -p0 -b .mbox
 %patch4 -p1 -b .afl
+%patch5 -p0 -b .sec2
+%patch6 -p0 -b .sec3
+%patch7 -p0 -b .sec4
 %patch43 -p2 -b .mpdf
 %patch44 -p1 -b .mpdfdoc
 %patch45 -p1 -b .p45