From 28a9426cfc7cc14fc6bb0c037a144e3fc4a39005896016901fcbe9054bbf032f Mon Sep 17 00:00:00 2001
From: Thomas Renninger
Date: Fri, 8 Mar 2024 08:42:51 +0000
Subject: [PATCH] Accepting request 1156036 from home:trenn:branches:graphics

- VUL-0: CVE-2023-46045: graphviz: out-of-bounds read via a crafted config6a file bsc#1219491
A gvc-detect-plugin-installation-failure-and-display-an-error.patch
- Some alphabetical re-ordering and other spec file changes which should not have any functional change which came from some kind of auto-spec cleaner

OBS-URL: https://build.opensuse.org/request/show/1156036
OBS-URL: https://build.opensuse.org/package/show/graphics/graphviz?expand=0&rev=191
---
 graphviz.changes | 10 ++++
 graphviz.spec | 51 +++++++++----------
 ...llation-failure-and-display-an-error.patch | 31 +++++++++++
 3 files changed, 64 insertions(+), 28 deletions(-)
 create mode 100644 gvc-detect-plugin-installation-failure-and-display-an-error.patch

diff --git a/graphviz.changes b/graphviz.changes
index 9d9534d..cc6c7c6 100644
--- a/graphviz.changes
+++ b/graphviz.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Thu Mar 7 14:57:35 UTC 2024 - Thomas Renninger
+
+- VUL-0: CVE-2023-46045: graphviz: out-of-bounds read via a crafted config6a file
+ bsc#1219491
+A gvc-detect-plugin-installation-failure-and-display-an-error.patch
+- Some alphabetical re-ordering and other spec file changes which should
+ not have any functional change which came from some kind of auto-spec
+ cleaner
+
 -------------------------------------------------------------------
 Thu Feb 22 07:45:53 UTC 2024 - Michael Vetter
diff --git a/graphviz.spec b/graphviz.spec
index 1089d49..bb9cc91 100644
--- a/graphviz.spec
+++ b/graphviz.spec
@@ -17,43 +17,32 @@
 %global flavor @BUILD_FLAVOR@%{nil}
-
 %if "%{flavor}" != ""
 %define psuffix -%{flavor}
 %else
 %define psuffix %{nil}
 %endif
-
 #fixes build failure caused by new .debug files, not sure how to fix correctly
-
 %define mname graphviz
 # name of the plugin config file that dot creates
 %define config_file config6
-# Java and ocaml are not in ring1, thus this gets overriden in staging
-# Also, both install into generic locations instead of a language
-# specific prefix, disable both
-%bcond_with java
-%bcond_with ocaml
 %if "%{flavor}" == "addons"
+%define phpconf_dir %{_sysconfdir}/php%{php_version}/conf.d
+%define phpext_dir %(%{__php_config} --extension-dir)
+%define ruby_version $(pkg-config --variable=RUBY_API_VERSION %{_libdir}/pkgconfig/ruby-*.pc)
 # PHP8 requires swig >= 4.1.0, https://github.com/swig/swig/commit/56d74355735f3661406d69d04d89d1bdb4ca96f9
 %if 0%{?suse_version} >= 1599
 %define php_version 8
 %else
 %define php_version 7
 %endif
-%define phpconf_dir %{_sysconfdir}/php%{php_version}/conf.d
-%define phpext_dir %(%{__php_config} --extension-dir)
-
-%define ruby_version $(pkg-config --variable=RUBY_API_VERSION %{_libdir}/pkgconfig/ruby-*.pc)
 %endif
-
 # No pkgconfig(gts) in sle12 GA or SPx, but in sle15
 %if 0%{?suse_version} == 1315 && !0%{?is_opensuse}
 %bcond_with gts
 %else
 %bcond_without gts
 %endif
-
 %define cdt_soversion 5
 %define cgraph_soversion 6
 %define gvc_soversion 6
@@ -61,7 +50,11 @@
 %define lab_gamut_soversion 1
 %define pathplan_soversion 4
 %define xdot_soversion 4
-
+# Java and ocaml are not in ring1, thus this gets overriden in staging
+# Also, both install into generic locations instead of a language
+# specific prefix, disable both
+%bcond_with java
+%bcond_with ocaml
 Name: graphviz%{psuffix}
 Version: 2.49.3
 Release: 0
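Review bot: In the `@@ -17,43 +17,32 @@` hunk, `%define phpconf_dir %{_sysconfdir}/php%{php_version}/conf.d` now sits above the `%if 0%{?suse_version} >= 1599` block that sets `php_version`. This still resolves only because a `%define` body is expanded when the macro is used, not where it is written; if these lines are ever converted to `%global`, `%{php_version}` would be expanded before it exists. I would either move the three lines back below the `php_version` block or add a comment above them such as `# keep as %%define (expanded at use): php_version is set further down`.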
@@ -83,7 +76,8 @@ Patch5: graphviz-no_strict_aliasing.patch
 Patch6: graphviz-no_php_extra_libs.patch
 # https://gitlab.com/graphviz/graphviz/-/issues/2303
 Patch7: swig-4.1.0.patch
-
+#PATCH-FIX-UPSTREAM gvc: detect plugin installation failure and display an error
+Patch8: gvc-detect-plugin-installation-failure-and-display-an-error.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: bison
@@ -96,12 +90,13 @@ BuildRequires: libstdc++-devel
 BuildRequires: libtool
 BuildRequires: pkgconfig
 BuildRequires: pkgconfig(expat)
+BuildRequires: pkgconfig(zlib)
+Requires: bitstream-vera-fonts
+Requires: graphviz-plugins-core = %{version}
+Recommends: graphviz-gd = %{version}
 %if %{with gts}
 BuildRequires: pkgconfig(gts)
 %endif
-BuildRequires: pkgconfig(zlib)
-Requires: graphviz-plugins-core = %{version}
-Recommends: graphviz-gd = %{version}
 %if "%{flavor}" == "addons"
 BuildRequires: freeglut-devel
 BuildRequires: ghostscript
@@ -109,13 +104,6 @@ BuildRequires: libjpeg-devel
 BuildRequires: libpng-devel
 BuildRequires: libwebp-devel
 BuildRequires: perl
-%if %{php_version} == 8
-BuildRequires: php8-devel
-BuildRequires: swig >= 4.1.0
-%else
-BuildRequires: php7-devel
-BuildRequires: swig >= 3.0.11
-%endif
 BuildRequires: ruby-devel
 BuildRequires: pkgconfig(cairo)
 BuildRequires: pkgconfig(fontconfig)
@@ -136,6 +124,13 @@ BuildRequires: pkgconfig(tcl)
 BuildRequires: pkgconfig(x11)
 BuildRequires: pkgconfig(xaw7)
 BuildRequires: pkgconfig(xext)
+%if %{php_version} == 8
+BuildRequires: php8-devel
+BuildRequires: swig >= 4.1.0
+%else
+BuildRequires: php7-devel
+BuildRequires: swig >= 3.0.11
+%endif
 %if %{with java}
 BuildRequires: java-devel >= 1.6.0
 %endif
@@ -148,7 +143,6 @@ BuildRequires: pkgconfig(Qt5Core)
 BuildRequires: pkgconfig(Qt5PrintSupport)
 BuildRequires: pkgconfig(Qt5Widgets)
 %endif
-Requires: bitstream-vera-fonts
 %description
 A collection of tools and tcl packages for the manipulation and layout
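Review bot: The `#PATCH-FIX-UPSTREAM` comment added in the `@@ -83,7 +76,8 @@` hunk does not identify Patch8 as a security fix. The CVE and bug number appear only in graphviz.changes, so someone rebasing or pruning patches from the spec alone sees just the upstream subject line. I would write it as `# PATCH-FIX-UPSTREAM bsc#1219491 CVE-2023-46045 -- gvc: detect plugin installation failure and display an error` so the reference stays next to the `Patch8:` line.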
@@ -176,7 +170,7 @@ Experimental large graph viewer using graphviz
 Summary: Graphviz plugins that use gtk/GNOME
 Group: Productivity/Graphics/Visualization/Graph
 Requires(post): graphviz = %{version}
-Supplements: packageand(graphviz:xorg-x11-fonts-core)
+Supplements: (graphviz and xorg-x11-fonts-core)
 %description -n graphviz-gnome
 Graphviz plugins that use gtk/GNOME.
@@ -414,6 +408,7 @@ programs that use the graphviz libraries including man3 pages.
 %patch -P 5 -p1
 %patch -P 6
 %patch -P 7 -p1
+%patch -P 8 -p1
 # pkg-config returns 0 (TRUE) when guile-2.2 is present
 if pkg-config --atleast-version=2.2 guile-2.2; then
diff --git a/gvc-detect-plugin-installation-failure-and-display-an-error.patch b/gvc-detect-plugin-installation-failure-and-display-an-error.patch
new file mode 100644
index 0000000..e349251
--- /dev/null
+++ b/gvc-detect-plugin-installation-failure-and-display-an-error.patch
@@ -0,0 +1,31 @@
+From: Matthew Fernandez
+Subject: gvc: detect plugin installation failure and display an error
+References: bsc#1219491
+Patch-Mainline: 10.0.1
+Git-commit: a95f977f5d809915ec4b14836d2b5b7f5e74881e
+Git-repo: git@gitlab.com:graphviz/graphviz.git.git
+
+Gitlab: fixes #2441
+Reported-by: GJDuck
+
+A malformed config6 file that leads to plugin search failing no longer causes
+out-of-bounds memory reads. This now causes an error message and graceful
+failure. #2441
+
+
+Signed-off-by:
+Index: graphviz-2.49.3/lib/gvc/gvconfig.c
+===================================================================
+--- graphviz-2.49.3.orig/lib/gvc/gvconfig.c
++++ graphviz-2.49.3/lib/gvc/gvconfig.c
+@@ -183,6 +183,10 @@ static int gvconfig_plugin_install_from_
+ do {
+ api = token(&nest, &s);
+ gv_api = gvplugin_api(api);
++ if (gv_api == (api_t)-1) {
++ agerr(AGERR, "config error: %s %s not found\n", path, api);
++ return 0;
++ }
+ do {
+ if (nest == 2) {
+ type = token(&nest, &s);
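Review bot: The `Supplements: (graphviz and xorg-x11-fonts-core)` line in the `@@ -176,7 +170,7 @@` hunk is a functional change, although the commit message describes the spec edits as having none. It replaces the `packageand()` form with a boolean dependency expression, which needs an rpm new enough to parse that syntax. The spec still carries a `%if 0%{?suse_version} == 1315` branch, so it is presumably still built for that older code stream; worth confirming that target accepts the new form, or keeping `packageand(graphviz:xorg-x11-fonts-core)` under a `suse_version` conditional. This matters here because a build failure on an older target would hold back the CVE fix shipped in the same commit.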
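Review bot: In the embedded gvconfig.c hunk, the new `if (gv_api == (api_t)-1)` branch leaves the parser with `return 0`, and nothing visible shows that the caller acts on that value; the function starts and ends outside the hunk. Before relying on this as the CVE-2023-46045 fix for 2.49.3, confirm that a malformed config6 makes the tools fail cleanly, since entries parsed before the bad one have presumably already been recorded. A one-line comment above the check would help future rebases, for example `/* unknown api name in config6: bail out before gv_api is used */`. The patch header also needs a fix-up: `Git-repo:` ends in `.git.git` and `Signed-off-by:` is empty.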