Accepting request 838775 from Publishing

- Add upstream security patches/commits * 100e27.patch * 3065eb.patch * ca48cc.patch - Do hardening via compile and linker flags OBS-URL: https://build.opensuse.org/request/show/838775 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/transfig?expand=0&rev=45
2020-10-03 16:55:00 +00:00 · 2020-10-03 16:55:00 +00:00 · 9fb5ccc032
commit 9fb5ccc032
parent a8c2899b22 be676d2f8e
5 changed files with 191 additions and 0 deletions
--- a/100e27.patch
+++ b/100e27.patch
@ -0,0 +1,32 @@
+From 100e2789f8106f9cc0f7e4319c4ee7bda076c3ac Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sun, 16 Feb 2020 13:25:03 +0100
+Subject: [PATCH] Modify commit [3165d8]: Use tangent, not secant
+
+Use the tangent, not a secant, for short arrows on arcs.
+---
+ fig2dev/bound.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git fig2dev/bound.c fig2dev/bound.c
+index d305ab9..ea97461 100644
+--- fig2dev/bound.c
+++ fig2dev/bound.c
+@@ -1102,12 +1102,10 @@ compute_arcarrow_angle(double x1, double y1, double x2, double y2,
+ 	/* add this to the length */
+ 	h += lpt;
+ 
+-	/* radius too small for this method, use normal method */
+-	if (h > 2.0*r) {
+	/* secant would be too large or too small */
+	if (h > 2.0*r || h < 0.01*r) {
+ 	    arc_tangent_int(x1,y1,x2,y2,direction,x,y);
+ 	    return;
+-	} else if (h < thick) {
+-	    h = thick;
+ 	}
+ 
+ 	beta=atan2(dy,dx);
+-- 
+2.16.4
+
--- a/3065eb.patch
+++ b/3065eb.patch
@ -0,0 +1,63 @@
+From 3065ebc14bb96506429b4ebde3aeb3793c72a66d Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sun, 16 Feb 2020 18:54:01 +0100
+Subject: [PATCH] Allow last line of file lacking eol char, #83, #84
+
+If the last line of a fig file does not end with a newline, the code parsing
+the input could read beyond the allocated buffer. This commit fixes the parsing
+at two locations in the code, one in string parsing, the second where sequences
+of a backslash and octal digits are converted to characters.
+---
+ fig2dev/read.c        |    6 ++++--
+ fig2dev/tests/read.at |   11 +++++++++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+--- fig2dev/read.c
+++ fig2dev/read.c	2020-09-30 10:46:34.214234522 +0000
+@@ -1483,6 +1483,8 @@ read_textobject(FILE *fp, char **restric
+ 
+ 		len = strlen(start);
+ 		start[len++] = '\n';	/* put back the newline */
+		start[len] = '\0';	/* and terminate the string,
+					   in case nothing else is found */
+ 
+ 		/* allocate plenty of space */
+ 		next = malloc(len + BUFSIZ);
+@@ -1491,7 +1493,7 @@ read_textobject(FILE *fp, char **restric
+ 			free(t);
+ 			return NULL;
+ 		}
+-		memcpy(next, start, len);
+		memcpy(next, start, len + 1);
+ 
+ 		while ((chars = getline(line, line_len, fp)) != -1) {
+ 			++(*line_no);
+@@ -1525,7 +1527,7 @@ read_textobject(FILE *fp, char **restric
+ 		len = end - start;
+ 		l = len;
+ 		while (c[l] != '\0') {
+-			if (c[l] == '\\') {
+			if (c[l] == '\\' && c[l+1] != '\0') {
+ 				/* convert 3 digit octal value */
+ 				if (isdigit(c[l+1]) && c[l+2] != '\0' &&
+ 							c[l+3] != '\0') {
+--- fig2dev/tests/read.at
+++ fig2dev/tests/read.at	2020-09-30 10:46:34.262233620 +0000
+@@ -416,6 +416,17 @@ AT_CHECK([fig2dev -L tikz text.fig
+ ], 0, ignore)
+ AT_CLEANUP
+ 
+AT_SETUP([allow files end without eol, tickets #83, #84])
+AT_KEYWORDS([read.c])
+AT_CHECK([AS_ECHO_N(["FIG_FILE_TOP
+4 0 0 50 0 -1 12 0 0 150 405 0 0 No end-of-line here -->"]) | \
+	fig2dev -L box], 0, ignore)
+AT_CHECK([AS_ECHO_N(["FIG_FILE_TOP
+4 0 0 50 0 -1 12 0 0 150 405 0 0 Start string
+No end-of-line after one backslash --> \\"]) | \
+	fig2dev -L box], 0, ignore)
+AT_CLEANUP
+
+ AT_BANNER([Dynamically allocate picture file name.])
+ 
+ AT_SETUP([prepend fig file path to picture file name])
--- a/ca48cc.patch
+++ b/ca48cc.patch
@ -0,0 +1,35 @@
+From ca48ccc90bd3e7801a63cf9a541f292b28ed1260 Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Mon, 17 Feb 2020 12:18:12 +0100
+Subject: [PATCH] Amend previous commit - avoid buffer overflow
+
+Regards to Dr. Werner Fink, see discussion to ticket #83.
+---
+ fig2dev/read.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git fig2dev/read.c fig2dev/read.c
+index 0bdcd3d..d1ae463 100644
+--- fig2dev/read.c
+++ fig2dev/read.c
+@@ -1489,8 +1489,6 @@ read_textobject(FILE *fp, char **restrict line, size_t *line_len, int *line_no)
+ 
+ 		len = strlen(start);
+ 		start[len++] = '\n';	/* put back the newline */
+-		start[len] = '\0';	/* and terminate the string,
+-					   in case nothing else is found */
+ 
+ 		/* allocate plenty of space */
+ 		next = malloc(len + BUFSIZ);
+@@ -1500,6 +1498,8 @@ read_textobject(FILE *fp, char **restrict line, size_t *line_len, int *line_no)
+ 			return NULL;
+ 		}
+ 		memcpy(next, start, len + 1);
+		next[len] = '\0';	/* terminate the initial string,
+					   in case nothing else is found */
+ 
+ 		while ((chars = getline(line, line_len, fp)) != -1) {
+ 			++(*line_no);
+-- 
+2.16.4
+
--- a/transfig.changes
+++ b/transfig.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Wed Sep 30 10:48:31 UTC 2020 - Dr. Werner Fink <werner@suse.de>
+
+- Add upstream security patches/commits
+  * 100e27.patch
+  * 3065eb.patch
+  * ca48cc.patch
+
+-------------------------------------------------------------------
+Tue Sep 29 09:24:16 UTC 2020 - Dr. Werner Fink <werner@suse.de>
+
+- Do hardening via compile and linker flags 
+
 -------------------------------------------------------------------
 Tue Feb 11 11:38:01 UTC 2020 - Dr. Werner Fink <werner@suse.de>

--- a/transfig.spec
+++ b/transfig.spec
@ -70,6 +70,9 @@ Patch14:        2f8d1a.patch
 Patch15:        4d4e1f.patch
 Patch16:        3165d8.patch
 Patch17:        639c36.patch
+Patch18:        100e27.patch
+Patch19:        3065eb.patch
+Patch20:        ca48cc.patch
 Patch43:        fig2dev-3.2.6-fig2mpdf.patch
 Patch44:        fig2dev-3.2.6-fig2mpdf-doc.patch
 Patch45:        fig2dev-3.2.6a-RGBFILE.patch
@ -127,14 +130,59 @@ find -type f | xargs -r chmod a-x,go-w
 %patch15 -p0 -b .sec12
 %patch16 -p0 -b .sec13
 %patch17 -p0 -b .sec14
+%patch18 -p0 -b .sec15
+%patch19 -p0 -b .sec16
+%patch20 -p0 -b .sec17
 %patch43 -p2 -b .mpdf
 %patch44 -p1 -b .mpdfdoc
 %patch45 -p1 -b .p45

 %build
 ulimit -v unlimited || :
+  #
+  # Used for detection of hardening options of gcc and linker
+  #
+  cflags ()
+  {
+      local flag=$1; shift
+      local var=$1; shift
+      test -n "${flag}" -a -n "${var}" || return
+      case "${!var}" in
+      *${flag}*) return
+      esac
+      case "$flag" in
+      -Wl,*)
+	   set -o noclobber
+	   echo 'int main () { return 0; }' > ldtest.c
+	   if ${CC:-gcc} -Werror $flag -o /dev/null -xc ldtest.c > /dev/null 2>&1 ; then
+	       eval $var=\${$var:+\$$var\ }$flag
+	   fi
+	   set +o noclobber
+	   rm -f ldtest.c
+	   ;;
+      *)
+	   if ${CC:-gcc} -Werror $flag -S -o /dev/null -xc /dev/null > /dev/null 2>&1 ; then
+	       eval $var=\${$var:+\$$var\ }$flag
+	   fi
+	   if ${CXX:-g++} -Werror $flag -S -o /dev/null -xc++ /dev/null > /dev/null 2>&1 ; then
+	       eval $var=\${$var:+\$$var\ }$flag
+	   fi
+      esac
+  }
+
 CC=gcc
 CFLAGS="%{optflags} -fno-strict-aliasing -w -D_GNU_SOURCE -std=gnu99 $(getconf LFS_CFLAGS)"
+cflags -D_FORTIFY_SOURCE=2       CFLAGS
+cflags -fstack-protector         CFLAGS
+cflags -fstack-protector-strong  CFLAGS
+cflags -fstack-protector-all     CFLAGS
+cflags -Wformat                  CFLAGS
+cflags -Wformat-security         CFLAGS
+cflags -Werror=format-security   CFLAGS
+cflags -fPIE                     CFLAGS
+cflags -pie                      LDFLAGS
+cflags -Wl,-z,relro              LDFLAGS
+cflags -Wl,-z,now                LDFLAGS
 export CC CFLAGS LDFLAGS
 chmod 755 configure
 %configure \