From 049340a9452dedf29d86e1502689b7217176556de61db317472dad5ddc74f573 Mon Sep 17 00:00:00 2001
From: "Dr. Werner Fink"
Date: Thu, 5 Dec 2019 08:50:25 +0000
Subject: [PATCH] CVE-2019-19555
OBS-URL: https://build.opensuse.org/package/show/Publishing/transfig?expand=0&rev=56
---
 CVE-2019-19555.patch | 50 ++++++++++++++++++++++++++++++++++++++++++++
 transfig.changes | 6 ++++++
 transfig.spec | 4 ++--
 3 files changed, 58 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2019-19555.patch
diff --git a/CVE-2019-19555.patch b/CVE-2019-19555.patch
new file mode 100644
index 0000000..42e70a3
--- /dev/null
+++ b/CVE-2019-19555.patch
@@ -0,0 +1,50 @@
+Based on 19db5fe6f77ebad91af4b4ef0defd61bd0bb358f Mon Sep 17 00:00:00 2001
+From: Thomas Loimer
+Date: Wed, 4 Dec 2019 17:56:04 +0100
+Subject: [PATCH] Allow fig 2 text ending with multiple ^A, ticket #55
+
+---
+ fig2dev/read.c | 4 ++--
+ fig2dev/tests/read.at | 11 +++++++++++
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+--- fig2dev/read.c
++++ fig2dev/read.c 2019-12-05 08:48:27.630190316 +0000
+@@ -3,7 +3,7 @@
+ * Copyright (c) 1991 by Micah Beck
+ * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+ * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2018 by Thomas Loimer
++ * Parts Copyright (c) 2015-2019 by Thomas Loimer
+ *
+ * Any party obtaining a copy of these files is granted, free of charge, a
+ * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -1328,7 +1328,7 @@ read_textobject(FILE *fp)
+ If we do not find the CONTROL-A on this line then this must
+ be a multi-line text object and we will have to read more. */
+
+- n = sscanf(buf,"%*d%d%d%lf%d%d%d%lf%d%lf%lf%d%d%[^\1]%[\1]",
++ n = sscanf(buf,"%*d%d%d%lf%d%d%d%lf%d%lf%lf%d%d%[^\1]%1[\1]",
+ &t->type, &t->font, &t->size, &t->pen,
+ &t->color, &t->depth, &t->angle,
+ &t->flags, &t->height, &t->length,
+--- fig2dev/tests/read.at
++++ fig2dev/tests/read.at 2019-12-05 08:48:27.634190239 +0000
+@@ -359,6 +359,17 @@ EOF
+ ], 0, ignore)
+ AT_CLEANUP
+
++AT_SETUP([allow text ending with multiple ^A, ticket #55])
++AT_KEYWORDS([read.c])
++AT_CHECK([fig2dev -L box < + +- Add patch CVE-2019-19555.patch + * Even if we are not affected add fix for CVE-2019-19555 + ------------------------------------------------------------------- Tue Oct 29 11:07:12 UTC 2019 - Dr. Werner Fink
diff --git a/transfig.spec b/transfig.spec
index 9c5e5e8..491a9e0 100644
--- a/transfig.spec
+++ b/transfig.spec
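Review bot: The `%1` width added at `@@ -1328` bounds only the trailing `[\1]` scan set; the `%[^\1]` conversion right before it in the same format string is still unbounded and copies everything in `buf` up to the first ^A into its destination, whose declaration and the rest of the sscanf argument list lie outside the visible lines. If that destination is not at least as large as `buf`, an over-long text line can reach the same class of overflow this patch closes for a run of ^A characters, so either give it a width too (`%WIDTH[^\1]`, WIDTH being the destination size minus one — placeholder) or record why it is safe with a comment such as `/* %[^\1] is bounded by buf; the destination must be >= sizeof buf */`. The read.at test added below `@@ -359` is cut off on this page after `fig2dev -L box <`, and the hunk header promises 50 lines of which fewer are visible, so the regression input and the remainder of the patch file cannot be checked here.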
@@ -1,7 +1,7 @@
 #
 # spec file for package transfig
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -38,7 +38,7 @@ BuildRequires: tex(xmpmulti.sty)
 BuildRequires: libpng-devel
 BuildRequires: pkgconfig(xpm)
 # www.xfig.org is dead
-Url: http://mcj.sourceforge.net/
+URL: http://mcj.sourceforge.net/
 Provides: fig2dev
 Provides: transfig.3.2.3d
 Requires: ghostscript-fonts-std
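Review bot: Neither spec hunk wires the new patch into the build: the diffstat in the header counts 2 insertions and 2 deletions for transfig.spec, and both are accounted for by the copyright line at `@@ -1` and the `Url`→`URL` rename at `@@ -38`, so no `PatchN: CVE-2019-19555.patch` declaration and no matching `%patch` line is added anywhere in this commit. Unless the spec already applies patches by glob (nothing visible here suggests it), the file is committed but never applied and the package stays unfixed despite the changelog entry "Add patch CVE-2019-19555.patch". Add `Patch<N>: CVE-2019-19555.patch` to the preamble (N = next free number — placeholder) and the corresponding `%patch<N> -p0` in `%prep`, with the strip level matching the unprefixed `fig2dev/read.c` paths in the patch's own `---`/`+++` headers.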