From 55355626e50a9a9a24e05162f57a7879572651454c4fb37de8187b5bb975175a Mon Sep 17 00:00:00 2001 From: "Dr. Werner Fink" Date: Tue, 11 Feb 2020 11:42:48 +0000 Subject: [PATCH] Various security fixes OBS-URL: https://build.opensuse.org/package/show/Publishing/transfig?expand=0&rev=62 --- 00cded.patch | 79 +++++++++++++++++++++++++++ 2f8d1a.patch | 63 ++++++++++++++++++++++ 3165d8.patch | 75 ++++++++++++++++++++++++++ 421afa.patch | 68 ++++++++++++++++++++++++ 4d4e1f.patch | 114 +++++++++++++++++++++++++++++++++++++++ 639c36.patch | 38 +++++++++++++ acccc8.patch | 84 +++++++++++++++++++++++++++++ d6a10d.patch | 40 ++++++++++++++ d70e4b.patch | 129 +++++++++++++++++++++++++++++++++++++++++++++ e3cee2.patch | 33 ++++++++++++ transfig-3.2.6.dif | 32 +++++++++++ transfig.changes | 15 ++++++ transfig.spec | 29 ++++++++-- 13 files changed, 795 insertions(+), 4 deletions(-) create mode 100644 00cded.patch create mode 100644 2f8d1a.patch create mode 100644 3165d8.patch create mode 100644 421afa.patch create mode 100644 4d4e1f.patch create mode 100644 639c36.patch create mode 100644 acccc8.patch create mode 100644 d6a10d.patch create mode 100644 d70e4b.patch create mode 100644 e3cee2.patch diff --git a/00cded.patch b/00cded.patch new file mode 100644 index 0000000..adf0034 --- /dev/null +++ b/00cded.patch 
@@ -0,0 +1,79 @@ +From 00cdedac7a0b029846dee891769a1e77df83a01b Mon Sep 17 00:00:00 2001 +From: Thomas Loimer +Date: Sat, 25 Jan 2020 15:04:59 +0100 +Subject: [PATCH] Accept -1 as default TeX font, fixes ticket #81 + +The default for PostScript fonts is -1, for TeX fonts 0. Accepting -1 for TeX +fonts lead to out-of-bound read. Now, -1 for TeX fonts is converted to 0. +--- + fig2dev/dev/genpict2e.c | 9 +++++---- + fig2dev/dev/gentikz.c | 9 +++++---- + fig2dev/tests/read.at | 10 ++++++++++ + 3 files changed, 20 insertions(+), 8 deletions(-) + +diff --git fig2dev/dev/genpict2e.c fig2dev/dev/genpict2e.c +index 6ab442e..dd6fd95 100644 +--- fig2dev/dev/genpict2e.c ++++ fig2dev/dev/genpict2e.c +@@ -2223,11 +2223,12 @@ put_font(F_text *t) + } + + if (psfont_text(t)) +- fprintf(tfp, "\\usefont%s", +- texpsfonts[t->font <= MAX_PSFONT ? t->font + 1 : 0]); ++ fprintf(tfp, "\\usefont%s", texpsfonts[t->font <= MAX_PSFONT ? ++ t->font + 1 : 0]); + else +- fprintf(tfp, "\\normalfont%s ", +- texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1]); ++ /* Default psfont is -1, default texfont 0, also accept -1. */ ++ fprintf(tfp, "\\normalfont%s ", texfonts[t->font <= MAX_FONT ? ++ (t->font >= 0 ? t->font : 0) : MAX_FONT - 1]); + } + + void +diff --git fig2dev/dev/gentikz.c fig2dev/dev/gentikz.c +index 797ca1c..b374e10 100644 +--- fig2dev/dev/gentikz.c ++++ fig2dev/dev/gentikz.c +@@ -1772,11 +1772,12 @@ put_font(F_text *t) + } + + if (psfont_text(t)) +- fprintf(tfp, "\\usefont%s", +- texpsfonts[t->font <= MAX_PSFONT ? t->font + 1 : 0]); ++ fprintf(tfp, "\\usefont%s", texpsfonts[t->font <= MAX_PSFONT ? ++ t->font + 1 : 0]); + else +- fprintf(tfp, "\\normalfont%s ", +- texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1]); ++ /* Default psfont is -1, default texfont 0, also accept -1. */ ++ fprintf(tfp, "\\normalfont%s ", texfonts[t->font <= MAX_FONT ? ++ (t->font >= 0 ? 
t->font : 0) : MAX_FONT - 1]); + } + + /* +diff --git fig2dev/tests/read.at fig2dev/tests/read.at +index 9b34bfb..331afb5 100644 +--- fig2dev/tests/read.at ++++ fig2dev/tests/read.at +@@ -406,6 +406,16 @@ EOF + ]) + AT_CLEANUP + ++AT_SETUP([allow tex font -1, ticket #81]) ++AT_DATA([text.fig], [FIG_FILE_TOP ++4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 Text\001 ++]) ++AT_CHECK([fig2dev -L pict2e text.fig ++], 0, ignore) ++AT_CHECK([fig2dev -L tikz text.fig ++], 0, ignore) ++AT_CLEANUP ++ + AT_BANNER([Dynamically allocate picture file name.]) + + AT_SETUP([prepend fig file path to picture file name]) +-- +2.16.4 + diff --git a/2f8d1a.patch b/2f8d1a.patch new file mode 100644 index 0000000..63a4690 --- /dev/null +++ b/2f8d1a.patch 
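Review bot: In both `put_font` hunks of 00cded.patch (genpict2e.c and gentikz.c) the TeX branch now clamps -1 to 0, but the upper side stays asymmetric: `t->font <= MAX_FONT` lets `MAX_FONT` itself through as an index, while larger values fall back to `MAX_FONT - 1`. Whether `texfonts[MAX_FONT]` is in bounds depends on the table length, which is not visible in these hunks, so it should be confirmed; if the table has exactly `MAX_FONT` entries the test should be `t->font < MAX_FONT`. The PostScript branch, `texpsfonts[t->font <= MAX_PSFONT ? t->font + 1 : 0]`, has no lower bound of its own and presumably relies on the reader's `t->font < DEFAULT` rejection shown in acccc8.patch. `put_font` starts outside both hunks.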
@@ -0,0 +1,63 @@ +From 2f8d1ae9763dcdc99b88a2b14849fe37174bcd69 Mon Sep 17 00:00:00 2001 +From: Thomas Loimer +Date: Wed, 29 Jan 2020 22:53:32 +0100 +Subject: [PATCH] Reject out-of-range pattern, ticket #63 + +--- + fig2dev/object.h | 2 +- + fig2dev/tests/read.at | 19 +++++++++++++++++-- + 2 files changed, 18 insertions(+), 3 deletions(-) + +diff --git fig2dev/object.h fig2dev/object.h +index 8464010..6830b13 100644 +--- fig2dev/object.h ++++ fig2dev/object.h +@@ -61,7 +61,7 @@ typedef struct f_comment { + o->style < SOLID_LINE || o->style > DASH_3_DOTS_LINE || \ + o->thickness < 0 || o->depth < 0 || o->depth > 999 || \ + o->fill_style < UNFILLED || \ +- o->fill_style > NUMSHADES + NUMTINTS + NUMPATTERNS || \ ++ o->fill_style >= NUMSHADES + NUMTINTS + NUMPATTERNS || \ + o->style_val < 0.0 + + typedef struct f_ellipse { +|diff --git fig2dev/tests/read.at fig2dev/tests/read.at +|index 2d066e4..bf117ee 100644 +|--- fig2dev/tests/read.at +|+++ fig2dev/tests/read.at +|@@ -421,15 +421,30 @@ AT_CLEANUP +| +| AT_SETUP([reject ASCII NUL ('\0') in input, ticket #80]) +| AT_KEYWORDS([read.c svg]) +|-AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig], 1, ignore, ignore) +|+AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig], +|+1, ignore, [ASCII NUL ('\0') in line 11. +|+]) +| AT_CLEANUP +| +| AT_SETUP([reject out of range text angle, ticket #76]) +|+AT_KEYWORDS([read.c pstricks]) +| AT_CHECK([fig2dev -L pstricks < +Date: Tue, 4 Feb 2020 20:58:27 +0100 +Subject: [PATCH] Allow arrows with zero length on arcs, ticket #74 + +--- + fig2dev/bound.c | 9 +++++---- + fig2dev/tests/output.at | 10 +++++++++- + 2 files changed, 14 insertions(+), 5 deletions(-) + +diff --git fig2dev/bound.c fig2dev/bound.c +index ce7f4d1..d305ab9 100644 +--- fig2dev/bound.c ++++ fig2dev/bound.c +@@ -3,7 +3,7 @@ + * Copyright (c) 1985 Supoj Sutanthavibul + * Copyright (c) 1991 Micah Beck + * Parts Copyright (c) 1989-2015 by Brian V. 
Smith +- * Parts Copyright (c) 2015-2019 Thomas Loimer ++ * Parts Copyright (c) 2015-2020 Thomas Loimer + * + * Any party obtaining a copy of these files is granted, free of charge, a + * full and unrestricted irrevocable, world-wide, paid up, royalty-free, +@@ -1095,9 +1095,8 @@ compute_arcarrow_angle(double x1, double y1, double x2, double y2, + r=sqrt(dx*dx+dy*dy); + h = (double) arrow->ht; + /* lines are made a little thinner in set_linewidth */ +- thick = (arrow->thickness <= THICK_SCALE) ? +- 0.5* arrow->thickness : +- arrow->thickness - THICK_SCALE; ++ thick = arrow->thickness <= THICK_SCALE ? ++ 0.5 * arrow->thickness : arrow->thickness - THICK_SCALE; + /* lpt is the amount the arrowhead extends beyond the end of the line */ + lpt = thick/2.0/(arrow->wid/h/2.0); + /* add this to the length */ +@@ -1107,6 +1106,8 @@ compute_arcarrow_angle(double x1, double y1, double x2, double y2, + if (h > 2.0*r) { + arc_tangent_int(x1,y1,x2,y2,direction,x,y); + return; ++ } else if (h < thick) { ++ h = thick; + } + + beta=atan2(dy,dx); +diff --git fig2dev/tests/output.at fig2dev/tests/output.at +index fd06727..e0d088c 100644 +--- fig2dev/tests/output.at ++++ fig2dev/tests/output.at +@@ -2,7 +2,7 @@ dnl Fig2dev: Translate Fig code to various Devices + dnl Copyright (c) 1991 by Micah Beck + dnl Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul + dnl Parts Copyright (c) 1989-2015 by Brian V. 
Smith +-dnl Parts Copyright (c) 2015-2019 by Thomas Loimer ++dnl Parts Copyright (c) 2015-2020 by Thomas Loimer + dnl + dnl Any party obtaining a copy of these files is granted, free of charge, a + dnl full and unrestricted irrevocable, world-wide, paid up, royalty-free, +@@ -175,6 +175,14 @@ AT_CHECK([fig2dev -L pict2e -P big1.fig big1.tex && \ + ], 0, ignore) + AT_CLEANUP + ++AT_SETUP([accept arc arrows with zero height, ticket #74]) ++AT_KEYWORDS(pict2e) ++AT_CHECK([fig2dev -L pict2e < +Date: Mon, 27 Jan 2020 23:01:11 +0100 +Subject: [PATCH] Accept -1 TeX font in more places, fixes #71, #75 + +Continue the work started in commit [00cded]. Fix the fundamental issue of +tickets #71 and #75, which was hidden by commit [d70e4b]. +--- + fig2dev/dev/texfonts.h | 14 +++++++++----- + fig2dev/tests/read.at | 4 +++- + 2 files changed, 12 insertions(+), 6 deletions(-) + +diff --git fig2dev/dev/texfonts.h fig2dev/dev/texfonts.h +index 89097f2..e5254b6 100644 +--- fig2dev/dev/texfonts.h ++++ fig2dev/dev/texfonts.h +@@ -35,17 +35,21 @@ extern char texfontsizes[]; + #define MAXFONTSIZE 42 + + #ifdef NFSS +-#define TEXFAMILY(F) (texfontfamily[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)]) +-#define TEXSERIES(F) (texfontseries[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)]) +-#define TEXSHAPE(F) (texfontshape[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)]) ++#define TEXFAMILY(F) texfontfamily[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \ ++ : MAX_FONT-1] ++#define TEXSERIES(F) texfontseries[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \ ++ : MAX_FONT-1] ++#define TEXSHAPE(F) texfontshape[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \ ++ : MAX_FONT-1] + #endif +-#define TEXFONT(F) (texfontnames[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)]) ++#define TEXFONT(F) texfontnames[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \ ++ : MAX_FONT-1] + + /* + #define TEXFONTSIZE(S) (texfontsizes[((S) <= MAXFONTSIZE) ? (int)(round(S))\ + : (MAXFONTSIZE-1)]) + */ +-#define TEXFONTSIZE(S) (((S) <= MAXFONTSIZE) ? 
texfontsizes[(int)(round(S))] : (S)) ++#define TEXFONTSIZE(S) ((S) <= MAXFONTSIZE ? texfontsizes[(int)round(S)] : (S)) + #define TEXFONTMAG(T) TEXFONTSIZE(T->size*(rigid_text(T) ? 1.0 : fontmag)) + + void setfigfont(F_text *text); /* genepic.c */ +|diff --git fig2dev/tests/read.at fig2dev/tests/read.at +|index 60982b0..726e6da 100644 +|--- fig2dev/tests/read.at +|+++ fig2dev/tests/read.at +|@@ -406,7 +406,7 @@ EOF +| ]) +| AT_CLEANUP +| +|-AT_SETUP([allow tex font -1, ticket #81]) +|+AT_SETUP([allow tex font -1, tickets #71, #75, #81]) +| AT_KEYWORDS([pict2e tikz]) +| AT_DATA([text.fig], [FIG_FILE_TOP +| 4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 Text\001 +|@@ -415,6 +415,8 @@ AT_CHECK([fig2dev -L pict2e text.fig +| ], 0, ignore) +| AT_CHECK([fig2dev -L tikz text.fig +| ], 0, ignore) +|+AT_CHECK([fig2dev -L mp text.fig +|+], 0, ignore) +| AT_CLEANUP +| +| AT_SETUP([reject ASCII NUL ('\0') in input, ticket #80]) +-- +2.16.4 + diff --git a/4d4e1f.patch b/4d4e1f.patch new file mode 100644 index 0000000..1ac8d84 --- /dev/null +++ b/4d4e1f.patch 
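Review bot: `TEXFONTSIZE(S)` in the texfonts.h hunk of 421afa.patch still has no lower bound: the font macros above it gain `(F) >= 0 ? (F) : 0`, but `((S) <= MAXFONTSIZE ? texfontsizes[(int)round(S)] : (S))` indexes the table with any negative size. The `INVALID_TEXT` condition visible in acccc8.patch tests type, font, flags, height, length and angle but, as far as those lines show, not `size`, so a negative size from the input file may reach this macro. A guard such as `((S) >= 0 && (S) <= MAXFONTSIZE ? texfontsizes[(int)round(S)] : (S))` would close the out-of-bounds read; what a negative size should map to is a separate decision. The rewritten font macros also evaluate `F` up to three times, so an argument with side effects is unsafe.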
@@ -0,0 +1,114 @@ +From 4d4e1fdac467c386cba8706aa0067d5ab8da02d7 Mon Sep 17 00:00:00 2001 +From: Thomas Loimer +Date: Mon, 3 Feb 2020 23:39:32 +0100 +Subject: [PATCH] Allow DEFAULT color in cgm and ge output, #72, #73 + +Also, fix a memory leak in gencgm.c. +--- + fig2dev/dev/gencgm.c | 8 +++++++- + fig2dev/dev/genge.c | 7 ++++--- + fig2dev/tests/data/line.fig | 2 +- + fig2dev/tests/output.at | 12 ++++++++++++ + 4 files changed, 24 insertions(+), 5 deletions(-) + +diff --git fig2dev/dev/gencgm.c fig2dev/dev/gencgm.c +index 0f472a8..e12940f 100644 +--- fig2dev/dev/gencgm.c ++++ fig2dev/dev/gencgm.c +@@ -151,9 +151,11 @@ gencgm_start(F_compound *objects) + { + int i; + char *p, *figname; ++ char *figname_buf = NULL; + + if (from) { +- figname = strdup(from); ++ figname_buf = strdup(from); ++ figname = figname_buf; + p = strrchr(figname, '/'); + if (p) + figname = p+1; /* remove path from name for comment in file */ +@@ -255,6 +257,8 @@ gencgm_start(F_compound *objects) + print_comments("% ",objects->comments, " %"); + fprintf(tfp,"%% %%\n"); + } ++ if (figname_buf) ++ free(figname_buf); + } + + int +@@ -552,6 +556,8 @@ hatchindex(index) + static void + getrgb(int color, int *r, int *g, int *b) + { ++ if (color < 0) /* DEFAULT color is black */ ++ color = 0; + if (color < NUM_STD_COLS) { + *r = stdcols[color].r * 255.; + *g = stdcols[color].g * 255.; +diff --git fig2dev/dev/genge.c fig2dev/dev/genge.c +index b171f39..5697bb6 100644 +--- fig2dev/dev/genge.c ++++ fig2dev/dev/genge.c +@@ -56,7 +56,8 @@ static void genge_ctl_spline(F_spline *s); + /* color mapping */ + /* xfig ge */ + +-static int GE_COLORS[] = { 1, /* black black */ ++static int GE_COLORS[] = { 1, /* DEFAULT == black */ ++ 1, /* black black */ + 8, /* blue blue */ + 7, /* green green */ + 6, /* cyan cyan */ +@@ -438,7 +439,7 @@ back_arrow(F_line *l) + static void + set_color(int col) + { +- fprintf(tfp,"c%02d ",GE_COLORS[col]); ++ fprintf(tfp,"c%02d ",GE_COLORS[col + 1]); + } + + /* set fill if there is 
a fill style */ +@@ -447,7 +448,7 @@ static void + set_fill(int style, int color) + { + if (style != UNFILLED) +- fprintf(tfp,"C%02d ",GE_COLORS[color]); ++ fprintf(tfp,"C%02d ",GE_COLORS[color + 1]); + } + + /* +diff --git fig2dev/tests/data/line.fig fig2dev/tests/data/line.fig +index e033b12..bfc4976 100644 +--- fig2dev/tests/data/line.fig ++++ fig2dev/tests/data/line.fig +@@ -7,5 +7,5 @@ A9 + Single + -2 + 1200 2 +-2 1 0 3 0 7 50 -1 -1 0.0 0 0 -1 0 0 3 ++2 1 0 3 -1 7 50 -1 -1 0.0 0 0 -1 0 0 3 + 50 50 500 50 500 200 +diff --git fig2dev/tests/output.at fig2dev/tests/output.at +index 9a1bc45..fd06727 100644 +--- fig2dev/tests/output.at ++++ fig2dev/tests/output.at +@@ -261,3 +261,15 @@ AT_CHECK([fig2dev -L tikz -P big1.fig big1.tex && \ + latex -halt-on-error big1.tex && latex -halt-on-error big2.tex + ], 0, ignore) + AT_CLEANUP ++ ++ ++AT_BANNER([Test other output languages.]) ++ ++AT_SETUP([allow default color in ge, cgm output, #72, #73]) ++AT_KEYWORDS(cgm ge) ++AT_CHECK([fig2dev -L cgm $srcdir/data/line.fig ++], 0, ignore) ++AT_CHECK([fig2dev -L ge $srcdir/data/line.fig ++], 0, ignore) ++AT_CLEANUP ++ +-- +2.16.4 + diff --git a/639c36.patch b/639c36.patch new file mode 100644 index 0000000..beda148 --- /dev/null +++ b/639c36.patch 
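Review bot: `set_color` and `set_fill` in the genge.c hunks of 4d4e1f.patch read `GE_COLORS[col + 1]` and `GE_COLORS[color + 1]` with no range check, so the shift handles -1 but any color number at or past the end of the table is still an out-of-bounds read. The table's full length is outside the hunk; if it covers only the standard colors, user-defined color numbers from the input file would overrun it. A check against the element count before the lookup, e.g. `if (col < -1 || col + 1 >= (int)(sizeof GE_COLORS / sizeof GE_COLORS[0])) col = -1;`, would make both functions safe. In the gencgm.c hunk the result of `strdup(from)` is passed to `strrchr` without a NULL check, and `free(figname_buf)` does not need the `if` guard.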
@@ -0,0 +1,38 @@ +From 639c36010a120e97a6e82e7cd57cbf9dbf4b64f1 Mon Sep 17 00:00:00 2001 +From: Thomas Loimer +Date: Tue, 4 Feb 2020 21:52:25 +0100 +Subject: [PATCH] Fix pstricks fill with non-solid default color, #77 + +In the pstricks output, filling an area with the shaded or tinted default color +is now equivalent to filling with shaded or tinted black color. +--- + fig2dev/dev/genpstricks.c | 3 ++- + fig2dev/tests/output.at | 1 - + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git fig2dev/dev/genpstricks.c fig2dev/dev/genpstricks.c +index 07c4d09..5acc1f6 100644 +--- fig2dev/dev/genpstricks.c ++++ fig2dev/dev/genpstricks.c +@@ -1856,7 +1856,8 @@ format_options(char *options, char *prefix, char *postfix, char *sqrb_init, + else if (fill_style <= 40) + /* shade or tint fill */ + sprintf(tmps, "fillstyle=solid,fillcolor=%s", +- shade_or_tint_name_after_declare_color(tmpc, fill_style, fill_color)); ++ shade_or_tint_name_after_declare_color(tmpc, fill_style, ++ fill_color == DEFAULT ? CT_BLACK : fill_color)); + else { + char *type = 0, *ps; + int angle = 0; +diff --git fig2dev/tests/output.at fig2dev/tests/output.at +index e0d088c..e1e5ca4 100644 +--- fig2dev/tests/output.at ++++ fig2dev/tests/output.at +@@ -280,4 +280,3 @@ AT_CHECK([fig2dev -L cgm $srcdir/data/line.fig + AT_CHECK([fig2dev -L ge $srcdir/data/line.fig + ], 0, ignore) + AT_CLEANUP +- +-- +2.16.4 + diff --git a/acccc8.patch b/acccc8.patch new file mode 100644 index 0000000..87d4c5e --- /dev/null +++ b/acccc8.patch 
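Review bot: No regression test accompanies the genpstricks.c fix in 639c36.patch: its output.at hunk only removes a trailing blank line, so ticket #77 (shade or tint fill with the default color) is not exercised by the suite, unlike the neighbouring fixes that each add an `AT_SETUP`. The mapping `fill_color == DEFAULT ? CT_BLACK : fill_color` is applied only at this one call; the pattern-fill `else` branch that follows is cut off by the hunk, so it is worth checking whether it passes `fill_color` on unchanged. The surrounding `sprintf(tmps, ...)` is unbounded; if `tmps` is a fixed-size array, `snprintf(tmps, sizeof tmps, ...)` is the safer form. `format_options` starts and ends outside the hunk.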
@@ -0,0 +1,84 @@ +From acccc89c20206a5db1f463438ba444e35bcb400e Mon Sep 17 00:00:00 2001 +From: Thomas Loimer +Date: Tue, 28 Jan 2020 22:56:40 +0100 +Subject: [PATCH] Reject text or ellipse angles beyond -2pi to 2pi, #76 + +In fact, generously extend the allowed range to -7 to 7. +Sane applications, e.g., xfig, certainly keep the angles within one revolution. +--- + CHANGES | 6 +++--- + fig2dev/object.h | 7 ++++--- + fig2dev/tests/read.at | 8 ++++++++ + 3 files changed, 15 insertions(+), 6 deletions(-) + +|diff --git CHANGES CHANGES +|index 4834e50..52daead 100644 +|--- CHANGES +|+++ CHANGES +|@@ -6,9 +6,9 @@ Patchlevel Xx (Xxx 20xx) +| +| BUGS FIXED: +| Ticket numbers refer to https://sourceforge.net/p/mcj/tickets/#. +|- o Fix ticket #81. +|- o Do not allow ASCII NUL anywhere in input. +|- Fixes tickets #65, #68, #71, #73, #75, #80. +|+ o Accept text and ellipse angles only within -2*pi to 2*pi. Fixes #76. +|+ o Allow -1 as default TeX font, not only 0. Fixes #71, #75, #81. +|+ o Do not allow ASCII NUL anywhere in input. Fixes #65, #68, #73, #80. +| o Use getline() to improve input scanning. +| Fixes tickets #58, #59, #61, #62, #67, #78, #79. +| o Correctly scan embedded pdfs for /MediaBox value. +diff --git fig2dev/object.h fig2dev/object.h +index fe56bbb..8464010 100644 +--- fig2dev/object.h ++++ fig2dev/object.h +@@ -3,7 +3,7 @@ + * Copyright (c) 1991 by Micah Beck + * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul + * Parts Copyright (c) 1989-2015 by Brian V. 
Smith +- * Parts Copyright (c) 2015-2019 by Thomas Loimer ++ * Parts Copyright (c) 2015-2020 by Thomas Loimer + * + * Any party obtaining a copy of these files is granted, free of charge, a + * full and unrestricted irrevocable, world-wide, paid up, royalty-free, +@@ -94,7 +94,8 @@ typedef struct f_ellipse { + #define INVALID_ELLIPSE(e) \ + e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA || \ + COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \ +- e->radiuses.x == 0 || e->radiuses.y == 0 ++ e->radiuses.x == 0 || e->radiuses.y == 0 || \ ++ e->angle < -7. || e->angle > 7. + + typedef struct f_arc { + int type; +@@ -243,7 +244,7 @@ typedef struct f_text { + t->type < T_LEFT_JUSTIFIED || t->type > T_RIGHT_JUSTIFIED || \ + t->font < DEFAULT || t->font > MAX_PSFONT || \ + t->flags < DEFAULT || t->flags >= 2 * HIDDEN_TEXT || \ +- t->height < 0 || t->length < 0 ++ t->height < 0 || t->length < 0 || t->angle < -7. || t->angle > 7. + + typedef struct f_control { + double lx, ly, rx, ry; /* used by older versions*/ +|diff --git fig2dev/tests/read.at fig2dev/tests/read.at +|index 726e6da..2d066e4 100644 +|--- fig2dev/tests/read.at +|+++ fig2dev/tests/read.at +|@@ -424,6 +424,14 @@ AT_KEYWORDS([read.c svg]) +| AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig], 1, ignore, ignore) +| AT_CLEANUP +| +|+AT_SETUP([reject out of range text angle, ticket #76]) +|+AT_CHECK([fig2dev -L pstricks < +Date: Sun, 26 Jan 2020 22:13:26 +0100 +Subject: [PATCH] Fix ticket #60. The previous commit fixed also #65, #68, #71, + #73, #75 + +--- + CHANGES | 3 ++- + fig2dev/read.c | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +|diff --git CHANGES CHANGES +|index f1bbbc3..4834e50 100644 +|--- CHANGES +|+++ CHANGES +|@@ -7,7 +7,8 @@ Patchlevel Xx (Xxx 20xx) +| BUGS FIXED: +| Ticket numbers refer to https://sourceforge.net/p/mcj/tickets/#. +| o Fix ticket #81. +|- o Do not allow ASCII NUL anywhere in input. Fixes ticket #80. 
+|+ o Do not allow ASCII NUL anywhere in input. +|+ Fixes tickets #65, #68, #71, #73, #75, #80. +| o Use getline() to improve input scanning. +| Fixes tickets #58, #59, #61, #62, #67, #78, #79. +| o Correctly scan embedded pdfs for /MediaBox value. +diff --git fig2dev/read.c fig2dev/read.c +index 86cee71..797030c 100644 +--- fig2dev/read.c ++++ fig2dev/read.c +@@ -1322,6 +1322,7 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len, + } + q->x = x; + q->y = y; ++ q->next = NULL; + p->next = q; + p = q; + ++c; +-- +2.16.4 + diff --git a/d70e4b.patch b/d70e4b.patch new file mode 100644 index 0000000..4afd3c6 --- /dev/null +++ b/d70e4b.patch 
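Review bot: The new angle checks in the object.h hunks of acccc8.patch, `e->angle < -7. || e->angle > 7.` and `t->angle < -7. || t->angle > 7.`, do not reject NaN, because every ordered comparison with NaN is false. If the angles are parsed with a `%lf`-style conversion (the reader is not in these hunks), an input value of `nan` passes validation and reaches the output drivers. Writing the test in accepting form, `!(e->angle >= -7. && e->angle <= 7.)`, rejects NaN as well. The spline control-point check added in e3cee2.patch (`lx < INT_MIN || lx > INT_MAX || ...`) has the same shape and the same gap if `lx`, `ly`, `rx` and `ry` are doubles.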
@@ -0,0 +1,129 @@ +From d70e4ba6308046f71cb51f67db8412155af52411 Mon Sep 17 00:00:00 2001 +From: Thomas Loimer +Date: Sun, 26 Jan 2020 13:16:52 +0100 +Subject: [PATCH] Reject ASCII NUL anywhere in the input + +The input is read in line by line, stored in a buffer and processed further +with sscanf(). Embedded NUL characters ('\0') would already disturb sscanf(), +and nowhere does the code expect NUL characters. Therefore, detect NUL while +reading the input, and exit with an error message when NUL is found anywere. +Fixes ticket #80. +--- + CHANGES | 4 ++++ + fig2dev/read.c | 21 +++++++++++++++++++-- + fig2dev/tests/data/text_w_ascii0.fig | Bin 0 -> 321 bytes + fig2dev/tests/read.at | 6 ++++++ + 4 files changed, 29 insertions(+), 2 deletions(-) + create mode 100644 fig2dev/tests/data/text_w_ascii0.fig + +|diff --git CHANGES CHANGES +|index 4a414fa..f1bbbc3 100644 +|--- CHANGES +|+++ CHANGES +|@@ -6,6 +6,10 @@ Patchlevel Xx (Xxx 20xx) +| +| BUGS FIXED: +| Ticket numbers refer to https://sourceforge.net/p/mcj/tickets/#. +|+ o Fix ticket #81. +|+ o Do not allow ASCII NUL anywhere in input. Fixes ticket #80. +|+ o Use getline() to improve input scanning. +|+ Fixes tickets #58, #59, #61, #62, #67, #78, #79. +| o Correctly scan embedded pdfs for /MediaBox value. +| o Convert polygons having too few points to polylines. Ticket #56. +| o Reject huge arrow types causing integer overflow. Ticket #57. 
+diff --git fig2dev/read.c fig2dev/read.c +index e85ee10..86cee71 100644 +--- fig2dev/read.c ++++ fig2dev/read.c +@@ -178,8 +178,14 @@ read_objects(FILE *fp, F_compound *obj) + put_msg("Could not read input file."); + return -1; + } +- /* seek to the end of the first line */ +- if (strchr(buf, '\n') == NULL) { ++ ++ /* check for embedded '\0' */ ++ if (strlen(buf) < sizeof buf - 1 && buf[strlen(buf) - 1] != '\n') { ++ put_msg("ASCII NUL ('\\0') character within the first line."); ++ exit(EXIT_FAILURE); ++ /* seek to the end of the first line ++ (the only place, where '\0's are tolerated) */ ++ } else if (buf[strlen(buf) - 1] != '\n') { + int c; + do + c = fgetc(fp); +@@ -1398,6 +1404,15 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len, + return s; + } + ++static void ++exit_on_ascii_NUL(const char *restrict line, size_t chars, int line_no) ++{ ++ if (strlen(line) < (size_t)chars) { ++ put_msg("ASCII NUL ('\\0') in line %d.", line_no); ++ exit(EXIT_FAILURE); ++ } ++} ++ + static char * + find_end(const char *str, int v30flag) + { +@@ -1469,6 +1484,7 @@ read_textobject(FILE *fp, char **restrict line, size_t *line_len, int *line_no) + + while ((chars = getline(line, line_len, fp)) != -1) { + ++(*line_no); ++ exit_on_ascii_NUL(*line, chars, *line_no); + end = find_end(*line, v30_flag); + if (end) { + *end = '\0'; +@@ -1640,6 +1656,7 @@ get_line(FILE *fp, char **restrict line, size_t *line_len, int *line_no) + if (**line == '\n' || (**line == '\r' && + chars == 2 && (*line)[1] == '\n')) + continue; ++ exit_on_ascii_NUL(*line, chars, *line_no); + /* remove newline and possibly a carriage return */ + if ((*line)[chars-1] == '\n') { + chars -= (*line)[chars - 2] == '\r' ? 
2 : 1; +|diff --git fig2dev/tests/data/text_w_ascii0.fig fig2dev/tests/data/text_w_ascii0.fig +|new file mode 100644 +|index 0000000000000000000000000000000000000000..fb15b306b26a42446b809d0caf77efcfc73c588a +|GIT binary patch +|literal 321 +|zcmV-H0lxktMoC8?GcGa;Okr+hb7Ns}WeP)OZggdG3Q2BbXk~K>Ol5R*WpWBJFfcAK +|zFbY#?Zf9&|3N11UF)}bPATkOxATS^>ATl5@ATl)|F*Y+GGch1HATS^xFd!{4ATb~? +|zATkOdFeV^0ATcs9AT=O)Tp%DYATS^>US3{aUP@kGUS3`R!hplS!@pi$US3{aUS3{a +|zUS3{aUS3{aUS3{aG&LYaTrf#7d0a3sF$yCzATS^>AT=-`EioW1F(5HAATTa4ATS^? +|zH83DFFf|}BATS_7ZXjWEV`*t1dS!BNASYa0Fee~rWpZU8Ej|D)E-qniWFT{IZDk;B +|zZ*pZIbY*ySAZBlDY;SjIZf7hYcWHEJAYmY5WpZ?3X>K54ZEtmMbRchLAZ=-GX>E0F +|TAY*7@a$#e1WpZ;|FfcI+7J*tc +| +|literal 0 +|KcmV+b0RR6000031 +| +|diff --git fig2dev/tests/read.at fig2dev/tests/read.at +|index 331afb5..60982b0 100644 +|--- fig2dev/tests/read.at +|+++ fig2dev/tests/read.at +|@@ -407,6 +407,7 @@ EOF +| AT_CLEANUP +| +| AT_SETUP([allow tex font -1, ticket #81]) +|+AT_KEYWORDS([pict2e tikz]) +| AT_DATA([text.fig], [FIG_FILE_TOP +| 4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 Text\001 +| ]) +|@@ -416,6 +417,11 @@ AT_CHECK([fig2dev -L tikz text.fig +| ], 0, ignore) +| AT_CLEANUP +| +|+AT_SETUP([reject ASCII NUL ('\0') in input, ticket #80]) +|+AT_KEYWORDS([read.c svg]) +|+AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig], 1, ignore, ignore) +|+AT_CLEANUP +|+ +| AT_BANNER([Dynamically allocate picture file name.]) +| +| AT_SETUP([prepend fig file path to picture file name]) +-- +2.16.4 + diff --git a/e3cee2.patch b/e3cee2.patch new file mode 100644 index 0000000..c3f8a25 --- /dev/null +++ b/e3cee2.patch 
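Review bot: In the `read_objects` hunk of d70e4b.patch, `buf[strlen(buf) - 1]` is evaluated when `strlen(buf)` can be 0: if the first byte of the file is NUL, the length is 0, `0 < sizeof buf - 1` holds, and the index wraps to `buf[(size_t)-1]`, an out-of-bounds read in the very check meant to catch NUL bytes. Computing the length once and treating zero as the NUL case fixes it: `size_t len = strlen(buf);` then `if (len == 0 || (len < sizeof buf - 1 && buf[len - 1] != '\n'))`, with `else if (buf[len - 1] != '\n')` for the long-line branch. The call that fills `buf` is outside the hunk, so this assumes an `fgets`-style read that returns a non-NULL buffer for such input. The expected message in the updated test names line 11, so the first-line case is not covered by the suite.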
@@ -0,0 +1,33 @@ +From e3cee2576438f47a3b8678c6960472e625f8f7d7 Mon Sep 17 00:00:00 2001 +From: Thomas Loimer +Date: Mon, 27 Jan 2020 22:14:29 +0100 +Subject: [PATCH] Keep coordinates of spline controls within sane range + +This fixes the fundamental issue of ticket #65. +--- + fig2dev/read.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git fig2dev/read.c fig2dev/read.c +index 797030c..255586a 100644 +--- fig2dev/read.c ++++ fig2dev/read.c +@@ -1393,6 +1393,15 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len, + free_splinestorage(s); + return NULL; + } ++ if (lx < INT_MIN || lx > INT_MAX || ly < INT_MIN || ly > INT_MAX || ++ rx < INT_MIN || rx > INT_MAX || ry < INT_MIN || ry > INT_MAX) { ++ /* do not care to clean up, we exit anyway ++ cp->next = NULL; ++ free_splinestorage(s); */ ++ put_msg("Spline control points out of range at line %d.", ++ *line_no); ++ exit(EXIT_FAILURE); ++ } + cq->lx = lx; cq->ly = ly; + cq->rx = rx; cq->ry = ry; + cp->next = cq; +-- +2.16.4 + diff --git a/transfig-3.2.6.dif b/transfig-3.2.6.dif index bde9ca3..5fdce95 100644 --- a/transfig-3.2.6.dif +++ b/transfig-3.2.6.dif @@ -137,3 +137,35 @@ #include "transfig.h" extern void sysmv(char *file); /* sys.c */ +--- configure ++++ configure 2020-01-24 13:08:02.103408590 +0000 +@@ -4122,7 +4122,7 @@ main () + + int dynamic_array[ni.number]; + dynamic_array[ni.number - 1] = 543; +- ++ free(ia); + // work around unused variable warnings + return (!success || bignum == 0LL || ubignum == 0uLL || newvar[0] == 'x' + || dynamic_array[ni.number - 1] != 543); +@@ -6377,8 +6377,8 @@ char *malloc (); + int + main () + { +-return ! malloc (0); +- ; ++void *tmp = malloc (0); ++if (tmp) free (tmp); return !tmp; + return 0; + } + _ACEOF +@@ -6444,7 +6444,8 @@ char *realloc (); + int + main () + { +-return ! realloc (0, 0); ++void *tmp = realloc (0, 0); ++if (tmp) free (tmp); return !tmp; + ; + return 0; + } 
diff --git a/transfig.changes b/transfig.changes index 2b6d3db..16c3c23 100644 --- a/transfig.changes +++ b/transfig.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Tue Feb 11 11:38:01 UTC 2020 - Dr. Werner Fink + +- Add upstream security patches/commits + * 00cded.patch + * 2f8d1a.patch + * 3165d8.patch + * 421afa.patch + * 4d4e1f.patch + * 639c36.patch + * acccc8.patch + * d6a10d.patch + * d70e4b.patch + * e3cee2.patch + ------------------------------------------------------------------- Tue Jan 21 13:08:49 UTC 2020 - Dr. Werner Fink diff --git a/transfig.spec b/transfig.spec index 29b7809..7d58f35 100644 --- a/transfig.spec +++ b/transfig.spec @@ -1,7 +1,7 @@ # # spec file for package transfig # -# Copyright (c) 2020 SUSE LLC. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -60,6 +60,16 @@ Patch4: transfig-fix-afl.patch Patch5: CVE-2019-19746.patch Patch6: c379fe.patch Patch7: CVE-2019-19797.patch +Patch8: 00cded.patch +Patch9: d70e4b.patch +Patch10: d6a10d.patch +Patch11: acccc8.patch +Patch12: e3cee2.patch +Patch13: 421afa.patch +Patch14: 2f8d1a.patch +Patch15: 4d4e1f.patch +Patch16: 3165d8.patch +Patch17: 639c36.patch Patch43: fig2dev-3.2.6-fig2mpdf.patch Patch44: fig2dev-3.2.6-fig2mpdf-doc.patch Patch45: fig2dev-3.2.6a-RGBFILE.patch 
@@ -107,15 +117,26 @@ find -type f | xargs -r chmod a-x,go-w %patch5 -p0 -b .sec2 %patch6 -p0 -b .sec3 %patch7 -p0 -b .sec4 +%patch8 -p0 -b .sec5 +%patch9 -p0 -b .sec6 +%patch10 -p0 -b .sec7 +%patch11 -p0 -b .sec8 +%patch12 -p0 -b .sec9 +%patch13 -p0 -b .sec10 +%patch14 -p0 -b .sec11 +%patch15 -p0 -b .sec12 +%patch16 -p0 -b .sec13 +%patch17 -p0 -b .sec14 %patch43 -p2 -b .mpdf %patch44 -p1 -b .mpdfdoc %patch45 -p1 -b .p45 %build +ulimit -v unlimited || : CC=gcc -CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -w -D_GNU_SOURCE -std=gnu99" -CFLAGS="$CFLAGS -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64" -export CC CFLAGS +CFLAGS="%{optflags} -fno-strict-aliasing -w -D_GNU_SOURCE -std=gnu99 -fsanitize=address $(getconf LFS_CFLAGS)" +LDFLAGS="-lasan" +export CC CFLAGS LDFLAGS chmod 755 configure %configure \ --docdir=%{_defaultdocdir}/%{name} \
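Review bot: The `%build` hunk of transfig.spec adds `-fsanitize=address` to `CFLAGS` and `LDFLAGS="-lasan"` unconditionally, so the packaged binaries themselves are linked against the AddressSanitizer runtime, not only a test build. ASan is a debugging aid: it adds memory and run-time overhead, aborts the program on any error it detects, and its behaviour can be altered through the `ASAN_OPTIONS` environment variable; the large address-space reservation is presumably why `ulimit -v unlimited` was added. If the intent is to run the new upstream tests under ASan, gating the flags behind a build conditional (`%bcond_with asan`, then `%if %{with asan}` around the extra flags) keeps the shipped package a normal build. The retained `-w` suppresses every compiler warning, and neither the sanitizer change nor the `configure` edits in transfig-3.2.6.dif are mentioned in the transfig.changes entry.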