Accepting request 754322 from Publishing

- Add patch CVE-2019-19555.patch
  * Even if we are not affected add fix for CVE-2019-19555

OBS-URL: https://build.opensuse.org/request/show/754322
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/transfig?expand=0&rev=42

CVE-2019-19555.patch

@@ -0,0 +1,50 @@
+Based on 19db5fe6f77ebad91af4b4ef0defd61bd0bb358f Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Wed, 4 Dec 2019 17:56:04 +0100
+Subject: [PATCH] Allow fig 2 text ending with multiple ^A, ticket #55
+
+---
+ fig2dev/read.c        |    4 ++--
+ fig2dev/tests/read.at |   11 +++++++++++
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+--- fig2dev/read.c
++++ fig2dev/read.c	2019-12-05 08:48:27.630190316 +0000
+@@ -3,7 +3,7 @@
+  * Copyright (c) 1991 by Micah Beck
+  * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+  * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2018 by Thomas Loimer
++ * Parts Copyright (c) 2015-2019 by Thomas Loimer
+  *
+  * Any party obtaining a copy of these files is granted, free of charge, a
+  * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -1328,7 +1328,7 @@ read_textobject(FILE *fp)
+ 		If we do not find the CONTROL-A on this line then this must
+ 		be a multi-line text object and we will have to read more. */
+ 
+-	    n = sscanf(buf,"%*d%d%d%lf%d%d%d%lf%d%lf%lf%d%d%[^\1]%[\1]",
++	    n = sscanf(buf,"%*d%d%d%lf%d%d%d%lf%d%lf%lf%d%d%[^\1]%1[\1]",
+ 		&t->type, &t->font, &t->size, &t->pen,
+ 		&t->color, &t->depth, &t->angle,
+ 		&t->flags, &t->height, &t->length,
+--- fig2dev/tests/read.at
++++ fig2dev/tests/read.at	2019-12-05 08:48:27.634190239 +0000
+@@ -359,6 +359,17 @@ EOF
+ ], 0, ignore)
+ AT_CLEANUP
+ 
++AT_SETUP([allow text ending with multiple ^A, ticket #55])
++AT_KEYWORDS([read.c])
++AT_CHECK([fig2dev -L box <<EOF
++#FIG 2
++1200 2
++4 2 0 0 1 0 0 390 306 110 376 639 5 Text


++EOF
++], 1, ignore, [Invalid text object at line 2.
++])
++AT_CLEANUP
++
+ AT_BANNER([Dynamically allocate picture file name.])
+ 
+ AT_SETUP([prepend fig file path to picture file name])

transfig.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Dec  5 08:49:13 UTC 2019 - Dr. Werner Fink <werner@suse.de>
+
+- Add patch CVE-2019-19555.patch
+  * Even if we are not affected add fix for CVE-2019-19555 
+
 -------------------------------------------------------------------
 Tue Oct 29 11:07:12 UTC 2019 - Dr. Werner Fink <werner@suse.de>
 

transfig.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package transfig
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -38,7 +38,7 @@ BuildRequires:  tex(xmpmulti.sty)
 BuildRequires:  libpng-devel
 BuildRequires:  pkgconfig(xpm)
 #  www.xfig.org is dead
-Url:            http://mcj.sourceforge.net/
+URL:            http://mcj.sourceforge.net/
 Provides:       fig2dev
 Provides:       transfig.3.2.3d
 Requires:       ghostscript-fonts-std
@@ -53,6 +53,7 @@ License:        MIT
 Group:          Productivity/Graphics/Convertors
 Source:         fig2dev-%{version}.tar.xz
 Patch0:         transfig-3.2.6.dif
+Patch1:         CVE-2019-19555.patch
 Patch2:         transfig.3.2.5-binderman.dif
 Patch3:         transfig.3.2.5d-mediaboxrealnb.dif
 Patch4:         transfig-fix-afl.patch
@@ -96,6 +97,7 @@ Authors:
 %setup -q -n fig2dev-%{version}
 find -type f | xargs -r chmod a-x,go-w
 %patch0 -p0 -b .0
+%patch1 -p0 -b .sec
 %patch2 -p0 -b .bm
 %patch3 -p0 -b .mbox
 %patch4 -p1 -b .afl