Accepting request 894796 from Publishing

- Add upstream commit as patch 6827c09d.patch Global buffer overflow in fig2dev/read.c in function read_colordef() (boo#1186329, CVE-2021-3561) OBS-URL: https://build.opensuse.org/request/show/894796 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/transfig?expand=0&rev=48
2021-05-23 21:30:39 +00:00 · 2021-05-23 21:30:39 +00:00 · 13bee7b999
commit 13bee7b999
parent 68586e206f 14435d2596
3 changed files with 77 additions and 0 deletions
--- a/6827c09d.patch
+++ b/6827c09d.patch
@ -0,0 +1,68 @@
 From 6827c09d2d6491cb2ae3ac7196439ff3aa791fd9 Mon Sep 17 00:00:00 2001
 From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
 Date: Sun, 25 Apr 2021 00:49:15 +0200
 Subject: [PATCH] Sanitize color definitions, ticket #116
 ---
 fig2dev/read.c | 35 +++++++++++++++++++++--------------
 1 file changed, 21 insertions(+), 14 deletions(-)
 diff --git fig2dev/read.c fig2dev/read.c
 index 7e18fda..4c6bacc 100644
 --- fig2dev/read.c
 +++ fig2dev/read.c
@@ -520,30 +520,37 @@ read_colordef(char *line, int line_no)
 	if (num_usr_cols >= MAX_USR_COLS) {
 		if (num_usr_cols == MAX_USR_COLS) {
 -			put_msg("Maximum number of color definitions (%d) exceeded at line %d.",
 +			put_msg("Maximum number of color definitions (%d) "
 +					"exceeded at line %d.",
 					MAX_USR_COLS, line_no);
 			++num_usr_cols;
 		}
 		/* ignore additional colors */
 		return;
 	}
 -	if (sscanf(line, "%*d %d #%2x%2x%2x", &c, &r, &g, &b) != 4) {
 -		if (c >= NUM_STD_COLS && c < NUM_STD_COLS + MAX_USR_COLS) {
 -			put_msg("Invalid color definition at line %d: %s, setting to black (#00000).",
 -					line_no, line);
 -			r = g = b = 0;
 -		} else {
 -			put_msg("User color number at line %d out of range (%d), should be between %d and %d.",
 +	if (sscanf(line, "%*d %d #%2x%2x%2x", &c, &r, &g, &b) == 4) {
 +		if (c >= NUM_STD_COLS && c < NUM_STD_COLS + MAX_USR_COLS &&
 +				r >=0 && r < 256 && g >=0 && g < 256 &&
 +				b >= 0 && b < 256 ) {
 +			user_col_indx[num_usr_cols] = c;
 +			user_colors[num_usr_cols].r = r;
 +			user_colors[num_usr_cols].g = g;
 +			user_colors[num_usr_cols].b = b;
 +			++num_usr_cols;
 +		} else if (c < NUM_STD_COLS || c >= NUM_STD_COLS+MAX_USR_COLS) {
 +			put_msg("User color number at line %d out of range (%d)"
 +					", should be between %d and %d.",
 					line_no, c, NUM_STD_COLS,
 					NUM_STD_COLS + MAX_USR_COLS - 1);
 -			return;
 +		} else {
 +			put_msg("Invalid color definition at line %d: %s, color"
 +				       " values must be between 0 through 255.",
 +								line_no, line);
 		}
 +	} else {
 +		put_msg("Invalid color definition at line %d: %s.",
 +							line_no, line);
 	}
 -	user_col_indx[num_usr_cols] = c;
 -	user_colors[num_usr_cols].r = r;
 -	user_colors[num_usr_cols].g = g;
 -	user_colors[num_usr_cols].b = b;
 -	++num_usr_cols;
 }
 static void
 -- 
 2.26.2
--- a/transfig.changes
+++ b/transfig.changes
@ -1,3 +1,10 @@
 -------------------------------------------------------------------
 Fri May 21 11:50:39 UTC 2021 - Dr. Werner Fink <werner@suse.de>
 - Add upstream commit as patch 6827c09d.patch
  Global buffer overflow in fig2dev/read.c in function read_colordef() 
  (boo#1186329, CVE-2021-3561) 
 -------------------------------------------------------------------
 Thu Apr  1 11:58:30 UTC 2021 - Dr. Werner Fink <werner@suse.de>
--- a/transfig.spec
+++ b/transfig.spec
@ -53,6 +53,7 @@ License:        MIT
 Group:          Productivity/Graphics/Convertors
 Source:         fig2dev-%{version}.tar.xz
 Patch0:         transfig-3.2.8.dif
 Patch1:         6827c09d.patch
 Patch4:         transfig-fix-afl.patch
 Patch43:        fig2dev-3.2.6-fig2mpdf.patch
 Patch44:        fig2dev-3.2.6-fig2mpdf-doc.patch
@ -94,6 +95,7 @@ Authors:
 %setup -q -n fig2dev-%{version}
 find -type f | xargs -r chmod a-x,go-w
 %patch0 -p0 -b .0
 %patch1 -p0 -b .1
 %patch4 -p1 -b .afl
 %patch43 -p1 -b .mpdf
 %patch44 -p1 -b .mpdfdoc