Accepting request 1277988 from Publishing

- Work around bug in obs service

- Add patches in order of our bug numbers (differs to upstream)
  * 192.patch -- Bug boo#1243260 (CVE-2025-46397)
    fig2dev stack-overflow
  * 187.patch -- Bug boo#1243261 (CVE-2025-46400)
    fig2dev segmentation fault in read_arcobject
  * 191.patch -- Bug boo#1243262 (CVE-2025-46398)
    fig2dev stack-overflow via read_objects
  * 190.patch -- Bug boo#1243263 (CVE-2025-46399)
    fig2dev segmentation fault in genge_itp_spline

    ____________________________________________________________

OBS-URL: https://build.opensuse.org/request/show/1277988
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/transfig?expand=0&rev=62

0001-Use-native-fig2dev-pdf-output-instead-of-epstopdf.patch

@@ -12,7 +12,7 @@ diff --git a/fig2dev/dev/genpstex.c b/fig2dev/dev/genpstex.c
 index bb081fd..5999e03 100644
 --- a/fig2dev/dev/genpstex.c
 +++ b/fig2dev/dev/genpstex.c
-@@ -279,10 +279,7 @@ int depth;
+@@ -280,10 +280,7 @@ int depth;
  	sprintf(szFileName + iLength, "%03d", iObjectsFileNumber++);
  	fprintf(ptCreateFile, "if [ \"$iOptRemove\" == \"\" ]; then\n");
  	if (iPdfOutputs)

184.patch

@@ -0,0 +1,58 @@
+From ff9aba206a30288f456dfc91584a52ba9927b438 Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Tue, 21 Jan 2025 20:50:15 +0100
+Subject: [PATCH] Allow an arc-box with zero radius, ticket #184
+
+In the pict2e output, a rectangle with rounded corners,
+dashed line type and zero corner-radius would cause a crash.
+Convert rectangles with rounded corners and zero corner-radius to
+regular rectangles.
+---
+ fig2dev/read.c        |  8 ++++++++
+ fig2dev/tests/read.at | 11 +++++++++++
+ 2 files changed, 19 insertions(+)
+
+diff --git fig2dev/read.c fig2dev/read.c
+index 387527b..f643f7e 100644
+--- fig2dev/read.c
++++ fig2dev/read.c
+@@ -1037,6 +1037,14 @@ sanitize_lineobject(F_line *l, int line_no)
+ 							line_no);
+ 					return -1;
+ 				}
++				if (l->type == T_ARC_BOX && l->radius == 0) {
++					put_msg("A %s, but zero corner radius "
++							"at line %d - convert "
++							"to a rectangle.",
++							obj_name[l->type - 2],
++							line_no);
++					l->type = T_BOX;
++				}
+ 			}
+ 
+ 		} else { /* T_BOX || T_POLYGON */
+diff --git fig2dev/tests/read.at fig2dev/tests/read.at
+index 588424d..1b4baea 100644
+--- fig2dev/tests/read.at
++++ fig2dev/tests/read.at
+@@ -123,6 +123,17 @@ A rectangle with 3 corners at line 11 - convert to a polygon.
+ ])
+ AT_CLEANUP
+ 
++AT_SETUP([convert an arc-box with zero radius to a box])
++AT_KEYWORDS(read.c arc-box)
++AT_CHECK([fig2dev -L pict2e <<EOF
++FIG_FILE_TOP
++2 4 1 1 0 0 50 -1 -1 4.0 0 0 0 0 0 5
++	0 0 300 0 300 300 0 300 0 0
++EOF
++],0,ignore,[A rectangle with rounded corners, but zero corner radius at line 11 - convert to a rectangle.
++])
++AT_CLEANUP
++
+ AT_SETUP([fail on a malformed arc-box])
+ AT_KEYWORDS(read.c malformed arc-box)
+ AT_CHECK([fig2dev -L pict2e <<EOF
+-- 
+2.35.3
+

185.patch

@@ -0,0 +1,33 @@
+From da8992f44b84a337b4edaa67fc8b36b55eaef696 Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Wed, 22 Jan 2025 23:18:54 +0100
+Subject: [PATCH] Reject huge pattern lengths, ticket #185
+
+Reject patterned lines, e.g., dashed lines, where the
+pattern length exceeds 80 inches.
+---
+ fig2dev/object.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git fig2dev/object.h fig2dev/object.h
+index 29f5a62..7f83939 100644
+--- fig2dev/object.h
++++ fig2dev/object.h
+@@ -57,12 +57,13 @@ typedef struct f_comment {
+ 	struct f_comment	*next;
+ } F_comment;
+ 
++#define	STYLE_VAL_MAX	6400.0	/* dash length 80 inches, that is enough */
+ #define COMMON_PROPERTIES(o)						\
+ 	o->style < SOLID_LINE || o->style > DASH_3_DOTS_LINE ||		\
+ 	o->thickness < 0 || o->depth < 0 || o->depth > 999 ||		\
+ 	o->fill_style < UNFILLED ||					\
+ 	o->fill_style >= NUMSHADES + NUMTINTS + NUMPATTERNS ||		\
+-	o->style_val < 0.0
++	o->style_val < 0.0 || o->style_val > STYLE_VAL_MAX
+ 
+ typedef struct f_ellipse {
+ 	int			type;
+-- 
+2.35.3
+

186.patch

@@ -0,0 +1,91 @@
+From c8a87d22036e62bac0c6f7836078d8103caa6457 Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Wed, 22 Jan 2025 23:27:43 +0100
+Subject: [PATCH] Reject arcs with co-incident points, ticket #186
+
+---
+ fig2dev/object.h      |   16 ++++++++++------
+ fig2dev/tests/read.at |   14 ++++++++++++--
+ 2 files changed, 22 insertions(+), 8 deletions(-)
+
+--- fig2dev/object.h
++++ fig2dev/object.h	2025-04-29 11:58:54.335653487 +0000
+@@ -3,7 +3,7 @@
+  * Copyright (c) 1991 by Micah Beck
+  * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+  * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2023 by Thomas Loimer
++ * Parts Copyright (c) 2015-2025 by Thomas Loimer
+  *
+  * Any party obtaining a copy of these files is granted, free of charge, a
+  * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -92,10 +92,10 @@ typedef struct f_ellipse {
+ 	struct f_ellipse	*next;
+ } F_ellipse;
+ 
+-#define INVALID_ELLIPSE(e)	\
++#define INVALID_ELLIPSE(e)						\
+ 	e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA ||	\
+-	COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \
+-	e->radiuses.x == 0 || e->radiuses.y == 0 || \
++	COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) ||  \
++	e->radiuses.x == 0 || e->radiuses.y == 0 ||			\
+ 	e->angle < -7. || e->angle > 7.
+ 
+ typedef struct f_arc {
+@@ -122,12 +122,16 @@ typedef struct f_arc {
+ 	struct f_arc		*next;
+ } F_arc;
+ 
+-#define INVALID_ARC(a)	\
++#define COINCIDENT(a, b)	(a.x == b.x && a.y == b.y)
++#define INVALID_ARC(a)							\
+ 	a->type < T_OPEN_ARC || a->type > T_PIE_WEDGE_ARC ||		\
+ 	COMMON_PROPERTIES(a) || a->cap_style < 0 || a->cap_style > 2 ||	\
+ 	a->center.x < COORD_MIN || a->center.x > COORD_MAX ||		\
+ 	a->center.y < COORD_MIN || a->center.y > COORD_MAX ||		\
+-	(a->direction != 0 && a->direction != 1)
++	(a->direction != 0 && a->direction != 1) ||			\
++	COINCIDENT(a->point[0], a->point[1]) ||				\
++	COINCIDENT(a->point[0], a->point[2]) ||				\
++	COINCIDENT(a->point[1], a->point[2])
+ 
+ typedef struct f_line {
+ 	int			type;
+--- fig2dev/tests/read.at
++++ fig2dev/tests/read.at	2025-04-29 11:58:54.335653487 +0000
+@@ -2,7 +2,7 @@ dnl Fig2dev: Translate Fig code to vario
+ dnl Copyright (c) 1991 by Micah Beck
+ dnl Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+ dnl Parts Copyright (c) 1989-2015 by Brian V. Smith
+-dnl Parts Copyright (c) 2015-2024 by Thomas Loimer
++dnl Parts Copyright (c) 2015-2025 by Thomas Loimer
+ dnl
+ dnl Any party obtaining a copy of these files is granted, free of charge, a
+ dnl full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -14,7 +14,7 @@ dnl party to do so, with the only requir
+ dnl and this permission notice remain intact.
+ 
+ dnl read.at
+-dnl Author: Thomas Loimer, 2017-2024
++dnl Author: Thomas Loimer, 2017-2025
+ 
+ 
+ AT_BANNER([Sanitize and harden input.])
+@@ -246,6 +246,16 @@ FIG_FILE_TOP
+ EOF
+ ], 1, ignore, [Invalid arc object at line 10.
+ ])
++AT_CLEANUP
++
++AT_SETUP([reject arcs with coincident points, ticket #186])
++AT_KEYWORDS(read.c arc)
++AT_CHECK([fig2dev -L pict2e <<EOF
++FIG_FILE_TOP
++5 1 0 15 0 7 50 0 -1 0.0 1 0 0 0 0.0 0.0 1 1 1 1 2 0
++EOF
++], 1, ignore, [Invalid arc object at line 10.
++])
+ AT_CLEANUP
+ 
+ AT_SETUP([survive debian bugs #881143, #881144])

187.patch

@@ -0,0 +1,179 @@
+commit 1e5515a1ea2ec8651cf85ab5000d026bb962492a
+Author: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date:   Thu Jan 23 21:08:43 2025 +0100
+
+    pict2e: deal with arcs with an radius of 1, #187
+    
+    The pict2e driver resolves patterned arcs to a series of line segments.
+    The line is constructed from a spline approximating a circle.
+    For an arc radius of about 1, no line remains. Ignore such small arcs.
+
+diff --git fig2dev/dev/genpict2e.c fig2dev/dev/genpict2e.c
+index 423032c..b55bf38 100644
+--- fig2dev/dev/genpict2e.c
++++ fig2dev/dev/genpict2e.c
+@@ -3,7 +3,7 @@
+  * Copyright (c) 1991 by Micah Beck
+  * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+  * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2023 by Thomas Loimer
++ * Parts Copyright (c) 2015-2025 by Thomas Loimer
+  *
+  * Any party obtaining a copy of these files is granted, free of charge, a
+  * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -19,7 +19,7 @@
+ /*
+  * genpict2e.c: convert fig to pict2e macro language for LaTeX
+  *
+- * Author: Thomas Loimer, 2014-2023
++ * Author: Thomas Loimer, 2014-2025
+  * Based on the latex picture driver, genlatex.c
+  *
+  */
+@@ -2277,8 +2277,13 @@ put_patternarc(
+ 	l->join_style = MITERJOIN;
+ 
+ 	p = l->points;
+-	if (p == NULL)
++	for (i = 0; i < 8 && p != NULL; ++i)
++		p = p->next;
++	/* If the radius is about 1, the spline may consist of
++	   a few points only. */
++	if (i < 7)
+ 		return;
++	p = l->points;
+ 
+ 	/*
+ 	 * Walk along the spline, until the arc angle is covered.
+@@ -2428,7 +2433,7 @@ genpict2e_arc(F_arc *a)
+ 	rad = 0.5*(sqrt((double)d1x*d1x + (double)d1y*d1y)
+ 			+ sqrt((double)d2x*d2x + (double)d2y*d2y));
+ 	rad = round(rad*10.0) / 10.0;
+-	/* how precise must the angle be given? 
++	/* how precise must the angle be given?
+ 	   1/rad is the view angle of one pixel */
+ 	da = 180.0 / M_PI / rad;
+ 	preca = 0;
+commit c4465e0d9af89d9738aad31c2d0873ac1fa03c96
+Author: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date:   Sat Jan 25 21:06:59 2025 +0100
+
+    Reject arcs with an radius smaller than 3, #187
+    
+    This also reverts the previous commit, 1e5515. An arc with too
+    small radius caused a crash in pict2e output. Instead of dealing
+    with such arcs in the pict2e driver, reject them already when
+    reading.
+
+diff --git fig2dev/dev/genpict2e.c fig2dev/dev/genpict2e.c
+index b55bf38..423032c 100644
+--- fig2dev/dev/genpict2e.c
++++ fig2dev/dev/genpict2e.c
+@@ -3,7 +3,7 @@
+  * Copyright (c) 1991 by Micah Beck
+  * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+  * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2025 by Thomas Loimer
++ * Parts Copyright (c) 2015-2023 by Thomas Loimer
+  *
+  * Any party obtaining a copy of these files is granted, free of charge, a
+  * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -19,7 +19,7 @@
+ /*
+  * genpict2e.c: convert fig to pict2e macro language for LaTeX
+  *
+- * Author: Thomas Loimer, 2014-2025
++ * Author: Thomas Loimer, 2014-2023
+  * Based on the latex picture driver, genlatex.c
+  *
+  */
+@@ -2277,13 +2277,8 @@ put_patternarc(
+ 	l->join_style = MITERJOIN;
+ 
+ 	p = l->points;
+-	for (i = 0; i < 8 && p != NULL; ++i)
+-		p = p->next;
+-	/* If the radius is about 1, the spline may consist of
+-	   a few points only. */
+-	if (i < 7)
++	if (p == NULL)
+ 		return;
+-	p = l->points;
+ 
+ 	/*
+ 	 * Walk along the spline, until the arc angle is covered.
+@@ -2433,7 +2428,7 @@ genpict2e_arc(F_arc *a)
+ 	rad = 0.5*(sqrt((double)d1x*d1x + (double)d1y*d1y)
+ 			+ sqrt((double)d2x*d2x + (double)d2y*d2y));
+ 	rad = round(rad*10.0) / 10.0;
+-	/* how precise must the angle be given?
++	/* how precise must the angle be given? 
+ 	   1/rad is the view angle of one pixel */
+ 	da = 180.0 / M_PI / rad;
+ 	preca = 0;
+diff --git fig2dev/object.h fig2dev/object.h
+index 50afbf0..178d629 100644
+--- fig2dev/object.h
++++ fig2dev/object.h
+@@ -92,11 +92,14 @@ typedef struct f_ellipse {
+ 	struct f_ellipse	*next;
+ } F_ellipse;
+ 
++#define RADIUS2_MIN	9
+ #define INVALID_ELLIPSE(e)						\
+ 	e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA ||	\
+ 	COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) ||  \
+ 	e->radiuses.x == 0 || e->radiuses.y == 0 ||			\
++	e->radiuses.x + e->radiuses.y < RADIUS2_MIN ||			\
+ 	e->angle < -7. || e->angle > 7.
++	/* radiuses are set to positive in read.c */
+ 
+ typedef struct f_arc {
+ 	int			type;
+@@ -131,7 +134,10 @@ typedef struct f_arc {
+ 	(a->direction != 0 && a->direction != 1) ||			\
+ 	COINCIDENT(a->point[0], a->point[1]) ||				\
+ 	COINCIDENT(a->point[0], a->point[2]) ||				\
+-	COINCIDENT(a->point[1], a->point[2])
++	COINCIDENT(a->point[1], a->point[2]) ||				\
++	(a->point[0].x - a->center.x) * (a->point[0].x - a->center.x) +	\
++	(a->point[0].y - a->center.y) * (a->point[0].y - a->center.y) <	\
++	RADIUS2_MIN
+ 
+ typedef struct f_line {
+ 	int			type;
+diff --git fig2dev/read1_3.c fig2dev/read1_3.c
+index 8a1a89a..1605498 100644
+--- fig2dev/read1_3.c
++++ fig2dev/read1_3.c
+@@ -3,7 +3,7 @@
+  * Copyright (c) 1991 by Micah Beck
+  * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+  * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2022 by Thomas Loimer
++ * Parts Copyright (c) 2015-2025 by Thomas Loimer
+  *
+  * Any party obtaining a copy of these files is granted, free of charge, a
+  * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -156,8 +156,10 @@ read_arcobject(FILE *fp)
+ 	a->pen_color = a->fill_color = BLACK_COLOR;
+ 	a->depth = 0;
+ 	a->pen = 0;
++	a->fill_style = 0;
+ 	a->for_arrow = NULL;
+ 	a->back_arrow = NULL;
++	a->cap_style = 0;
+ 	a->comments = NULL;
+ 	a->next = NULL;
+ 	n = fscanf(fp,
+@@ -328,6 +330,10 @@ read_ellipseobject(FILE *fp)
+ 		e->type = T_CIRCLE_BY_RAD;
+ 	else
+ 		e->type = T_CIRCLE_BY_DIA;
++	if (e->radiuses.x < 0)
++		e->radiuses.x *= -1;
++	if (e->radiuses.y < 0)
++		e->radiuses.y *= -1;
+ 	if (INVALID_ELLIPSE(e)) {
+ 		put_msg(Err_invalid, "ellipse");
+ 		free(e);

190.patch

@@ -0,0 +1,29 @@
+commit 2bd6c0b210916d0d3ca81f304535b5af0849aa93
+Author: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date:   Tue Apr 8 22:45:57 2025 +0200
+
+    ge output: correct spline computation, ticket #190
+
+---
+ fig2dev/dev/genge.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- fig2dev/dev/genge.c
++++ fig2dev/dev/genge.c	2025-05-16 08:15:58.678040763 +0000
+@@ -229,8 +229,6 @@ genge_itp_spline(F_spline *s)
+ 	int		 xmin, ymin;
+ 
+ 	a = s->controls;
+-
+-	a = s->controls;
+ 	p = s->points;
+ 	/* go through the points to find the last two */
+ 	for (q = p->next; q != NULL; p = q, q = q->next) {
+@@ -238,6 +236,7 @@ genge_itp_spline(F_spline *s)
+ 	    a = b;
+ 	}
+ 
++	a = s->controls;
+ 	p = s->points;
+ 	fprintf(tfp, "n %d %d m\n", p->x, p->y);
+ 	xmin = 999999;

191.patch

@@ -0,0 +1,29 @@
+commit 5f22009dba73922e98d49c0096cece8b215cd45b
+Author: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date:   Tue Apr 8 21:34:23 2025 +0200
+
+    Permit \0 in the second line in the fig file, #191
+
+diff --git fig2dev/read.c fig2dev/read.c
+index 0ec958d..2ea18ef 100644
+--- fig2dev/read.c
++++ fig2dev/read.c
+@@ -190,7 +190,8 @@ read_objects(FILE *fp, F_compound *obj)
+ 	}
+ 
+ 	/* check for embedded '\0' */
+-	if (strlen(buf) < sizeof buf - 1 && buf[strlen(buf) - 1] != '\n') {
++	if (*buf == '\0' || (strlen(buf) < sizeof buf - 1 &&
++			buf[strlen(buf) - 1] != '\n')) {
+ 		put_msg("ASCII NUL ('\\0') character within the first line.");
+ 		exit(EXIT_FAILURE);
+ 	/* seek to the end of the first line
+@@ -239,7 +240,7 @@ read_objects(FILE *fp, F_compound *obj)
+ 		   the encoding given in the file */
+ 		if (!input_encoding && !strcmp(buf, "encoding: UTF-8\n")) {
+ 			input_encoding = "UTF-8";
+-		} else if (buf[strlen(buf) - 1] != '\n') {
++		} else if (*buf == '\0' || buf[strlen(buf) - 1] != '\n') {
+ 			/* seek forward to the end of the line;
+ 			   comments here are not mentioned by the
+ 			   specification, thus ignore this comment */

192.patch

@@ -0,0 +1,65 @@
+commit dfa8b661b506a463a669754ed635b0a8eb67580e
+Author: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date:   Thu Apr 10 09:03:30 2025 +0200
+
+    Detect nan in spline control values, ticket #192
+
+---
+ fig2dev/read.c        |   17 +++++++++++------
+ fig2dev/tests/read.at |   19 +++++++++++++++++++
+ 2 files changed, 30 insertions(+), 6 deletions(-)
+
+--- fig2dev/read.c
++++ fig2dev/read.c	2025-05-16 08:04:13.646999235 +0000
+@@ -1581,12 +1581,17 @@ read_splineobject(FILE *fp, char **restr
+ 			free_splinestorage(s);
+ 			return NULL;
+ 		}
+-		if (lx < INT_MIN || lx > INT_MAX || ly < INT_MIN ||
+-				ly > INT_MAX || rx < INT_MIN || rx > INT_MAX ||
+-				ry < INT_MIN || ry > INT_MAX) {
+-			/* do not care to clean up, we exit anyway
+-			   cp->next = NULL;
+-			   free_splinestorage(s);	*/
++		if (		!isfinite(lx) || lx < INT_MIN || lx > INT_MAX ||
++				!isfinite(ly) || ly < INT_MIN || ly > INT_MAX ||
++				!isfinite(rx) || rx < INT_MIN || rx > INT_MAX ||
++				!isfinite(ry) || ry < INT_MIN || ry > INT_MAX)
++		{
++
++                    	/* clean up, to pass test "reject huge spline controls
++			   values" when -fsanitize=address is enabled */
++			cp->next = NULL;
++			free_splinestorage(s);
++			free(cq);
+ 			put_msg("Spline control points out of range "
+ 					"at line %d.", *line_no);
+ 			exit(EXIT_FAILURE);
+--- fig2dev/tests/read.at
++++ fig2dev/tests/read.at	2025-05-16 08:07:33.111333617 +0000
+@@ -608,6 +608,25 @@ EOF
+ ])
+ AT_CLEANUP
+ 
++AT_SETUP([reject nan in spline controls values, #192])
++AT_KEYWORDS([read.c])
++# Use an output language that does not natively support Bezier splines.
++# Otherwise, the huge values are simply copied to the output.
++AT_CHECK([fig2dev -L epic <<EOF
++#FIG 3.1
++Landscape
++Center
++Metric
++1200 2
++3 2 0 1 0 7 50 -1 -1 0.0 0 0 0 2
++	0 0 1200 0
++	600 600 600 nan
++	600 600 600 600
++EOF
++], 1, ignore, [Spline control points out of range at line 8.
++])
++AT_CLEANUP
++
+ AT_BANNER([Dynamically allocate picture file name.])
+ 
+ AT_SETUP([prepend fig file path to picture file name])

fig2dev-3.2.6-fig2mpdf.patch

@@ -400,7 +400,7 @@ diff --git a/fig2dev/drivers.h b/fig2dev/drivers.h
 diff --git a/fig2dev/fig2dev.c b/fig2dev/fig2dev.c
 --- a/fig2dev/fig2dev.c
 +++ b/fig2dev/fig2dev.c
-@@ -829,6 +829,23 @@ help_msg(void)
+@@ -858,6 +858,23 @@ help_msg(void)
  			);
  		}
  
@@ -424,7 +424,7 @@ diff --git a/fig2dev/fig2dev.c b/fig2dev/fig2dev.c
  		if (dev == NULL || !strcmp(lang, "shape")) {
  			puts(
  "SHAPE (ShapePar driver) Options:\n"
-@@ -974,6 +991,12 @@ static int compound_dump(F_compound *com
+@@ -1003,6 +1020,12 @@ static int compound_dump(F_compound *com
  static int
  rec_comp(struct obj_rec *r1, struct obj_rec *r2)
  {
@@ -1338,7 +1338,7 @@ diff --git a/fig2mpdf/fig2mpdf b/fig2mpdf/fig2mpdf
 diff --git a/man/fig2dev.1.in b/man/fig2dev.1.in
 --- a/man/fig2dev.1.in
 +++ b/man/fig2dev.1.in
-@@ -75,8 +75,8 @@ Set the output graphics language.
+@@ -80,8 +80,8 @@ Set the output graphics language.
  Valid languages are
  \fBbox, cgm, dxf, epic, eepic, eepicemu, emf, eps, gbx (Gerber beta
  driver), gif, ibmgl, jpeg, latex, map (HTML image map), mf (MetaFont),
@@ -1349,7 +1349,7 @@ diff --git a/man/fig2dev.1.in b/man/fig2dev.1.in
  shape (LaTeX shaped paragraphs), sld (AutoCad slide format), svg,
  textyl, tiff, tikz, tk (tcl/tk), tpic, xbm and xpm\fR.
  
-@@ -1145,6 +1145,61 @@ text flagged as "TeX Text".
+@@ -1152,6 +1152,61 @@ text flagged as "TeX Text".
  The pstex and pdftex drivers accept the same options that the EPS driver
  accepts.
  
@@ -1411,7 +1411,7 @@ diff --git a/man/fig2dev.1.in b/man/fig2dev.1.in
  .TP
  .B \-n name
  Set the Title part of the PostScript output to
-@@ -1551,6 +1606,12 @@ The string \fIfont\fR can be one of
+@@ -1558,6 +1613,12 @@ The string \fIfont\fR can be one of
  
  
  .SH BUGS and RESTRICTIONS
@@ -1424,7 +1424,7 @@ diff --git a/man/fig2dev.1.in b/man/fig2dev.1.in
  Please send bug reports, fixes, new features etc. to:
  .br
  \&@PACKAGE_BUGREPORT@
-@@ -1640,3 +1701,7 @@ Michael Schrick (m_schrick@hotmail.com)
+@@ -1647,3 +1708,7 @@ Michael Schrick (m_schrick@hotmail.com)
  The GBX (Gerber) driver was written by
  .br
  Edward Grace (ej.grace@imperial.ac.uk).

fig2dev-3.2.9.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:15e246c8d13cc72de25e08314038ad50ce7d2defa9cf1afc172fd7f5932090b1
-size 529892

transfig-3.2.9.dif

@@ -7,7 +7,7 @@
 
 --- configure
 +++ configure	2023-09-15 07:11:23.442594968 +0000
-@@ -2340,7 +2340,7 @@ ac_c_conftest_c99_main='
+@@ -2359,7 +2359,7 @@ ac_c_conftest_c99_main='
    int dynamic_array[ni.number];
    dynamic_array[0] = argv[0][0];
    dynamic_array[ni.number - 1] = 543;
@@ -26,7 +26,7 @@
  
  #include "fig2dev.h"	/* includes bool.h and object.h */
  //#include "object.h"	/* NUMSHADES, NUMTINTS */
-@@ -1363,10 +1364,10 @@ append(const char *restrict infilename,
+@@ -1366,10 +1367,10 @@ append(const char *restrict infilename,
  static bool
  append_find_composite(FILE *restrict out)
  {
@@ -40,7 +40,7 @@
  
  	libdir = getenv("FIG2DEV_LIBDIR");
  #ifdef I18N_DATADIR
-@@ -1378,18 +1379,28 @@ append_find_composite(FILE *restrict out
+@@ -1381,18 +1382,28 @@ append_find_composite(FILE *restrict out
  		fputs(COMPOSITE_ERRMSG, stderr);
  		return false;
  	}
@@ -76,7 +76,7 @@
  		return false;
  	}
  
-@@ -1443,8 +1454,7 @@ append_find_composite(FILE *restrict out
+@@ -1446,8 +1457,7 @@ append_find_composite(FILE *restrict out
  		put_msg("The output might be broken.");
  	}
  

transfig-gs10.03.patch

@@ -4,11 +4,11 @@
 
 --- fig2dev/dev/genpdf.c
 +++ fig2dev/dev/genpdf.c	2024-09-12 11:42:17.585579884 +0000
-@@ -48,6 +48,7 @@
+@@ -49,6 +49,7 @@
   */
  #ifdef GSEXE
  #define	GSFMT	GSEXE " -q -dSAFER -dAutoRotatePages=/None -sDEVICE=pdfwrite " \
 +		"-dWriteXRefStm=false -dWriteObjStms=false " \
- 		"-dCompatibilityLevel=1.4 -dPDFSETTINGS=/prepress -o '%s' -"
+ 		"-dCompatibilityLevel=1.%d -dPDFSETTINGS=/prepress -o '%s' -"
  #else
  #define GSFMT	""

transfig.changes

@@ -1,3 +1,53 @@
+-------------------------------------------------------------------
+Fri May 16 09:32:21 UTC 2025 - Dr. Werner Fink <werner@suse.de>
+
+- Work around bug in obs service
+
+-------------------------------------------------------------------
+Fri May 16 08:18:32 UTC 2025 - Dr. Werner Fink <werner@suse.de>
+
+- Add patches in order of our bug numbers (differs to upstream)
+  * 192.patch -- Bug boo#1243260 (CVE-2025-46397)
+    fig2dev stack-overflow
+  * 187.patch -- Bug boo#1243261 (CVE-2025-46400)
+    fig2dev segmentation fault in read_arcobject
+  * 191.patch -- Bug boo#1243262 (CVE-2025-46398)
+    fig2dev stack-overflow via read_objects
+  * 190.patch -- Bug boo#1243263 (CVE-2025-46399)
+    fig2dev segmentation fault in genge_itp_spline
+
+-------------------------------------------------------------------
+Tue Apr 29 12:01:57 UTC 2025 - Dr. Werner Fink <werner@suse.de>
+
+- Add patches
+  * 184.patch -- Bug boo#1240379 (CVE-2025-31164)
+    heap-buffer overflow in fig2dev in version 3.2.9a allows an attacker
+    to availability via local input manipulation via  create_line_with_spline
+  * 185.patch -- Bug boo#1240380 (CVE-2025-31162)
+    Floating point exception in fig2dev in version 3.2.9a allows an attacker
+    to availability via local input manipulation via get_slope function
+  * 186.patch -- Bug boo#1240381 (CVE-2025-31163)
+    Segmentation fault in fig2dev in version 3.2.9a allows an attacker to
+    availability via local input manipulation via put_patternarc function
+
+-------------------------------------------------------------------
+Tue Jan 14 08:47:58 UTC 2025 - Dr. Werner Fink <werner@suse.de>
+
+- Update to fig2dev version 3.2.9a (Dec 2024)
+  o Specify pdf minor version with option -Y.
+  o Specify width (-Z <wid>w) or height (-Z <height>h) of figure.
+  o Correctly read from a pipe, ticket #156.
+  o Fix behavior of option -F for e(e)pic and latex outputs, ticket #157.
+  o Compounds containing ascii-only text would disable utf-8 output, #158.
+  o Option --enable-versioning works in out-of-tree builds.
+  o Correct links to embedded image files in svg output.
+  o Correct font size in svg output, ticket #176.
+- Port patches
+  * 0001-Use-native-fig2dev-pdf-output-instead-of-epstopdf.patch
+  * fig2dev-3.2.6-fig2mpdf.patch
+  * transfig-3.2.9.dif
+  * transfig-gs10.03.patch
+
 -------------------------------------------------------------------
 Thu Sep 12 12:00:53 UTC 2024 - Dr. Werner Fink <werner@suse.de>
 
@@ -312,7 +362,7 @@ Mon May  7 10:28:07 UTC 2018 - werner@suse.de
 
 - Update to fig2dev version 3.2.7a (Patchlevel 7a (April 2018))
   o  Language         previous option         current option
-    ------------------------------------------------------------
+    ____________________________________________________________
      cgm              -b dummy                -a
      epic             -A scale                -d scale
      eepic            -A scale                -d scale
@@ -886,12 +936,10 @@ Wed Oct 18 15:58:04 CEST 2000 - werner@suse.de
 
 - Avoid epsfig style, use normal graphics style (bug# 4168)
 
--------------------------------------------------------------------
 Fri Sep 15 17:01:53 CEST 2000 - werner
 
 - Update to 3.2.3c to fit xfig version
 
--------------------------------------------------------------------
 Wed May 31 16:26:42 CEST 2000 - werner
 
 - Use %{_defaultdocdir}
@@ -928,17 +976,17 @@ Thu Sep 17 18:15:53 MEST 1998 - ro@suse.de
 
 - dont redeclare sys_errlist for glibc
 
-----------------------------------------------------------------------------
+-------------------------------------------------------------------
 Fri Oct 10 15:32:09 MEST 1997 - florian@suse.de
 
 - update to version 3.2
 
-----------------------------------------------------------------------------
+-------------------------------------------------------------------
 Wed Oct  8 16:06:02 CEST 1997 - ro@suse.de
 
 - Prepared package for automatic build
 
-----------------------------------------------------------------------------
+-------------------------------------------------------------------
 Tue May 27 20:03:59 MEST 1997 - florian@suse.de
 
 

transfig.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package transfig
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,18 +17,25 @@
 
 
 Name:           transfig
-Version:        3.2.9
+Version:        3.2.9a
 Release:        0
 Summary:        Graphic Converter
 #  www.xfig.org is dead
 URL:            https://mcj.sourceforge.net/
 License:        MIT
 Group:          Productivity/Graphics/Convertors
-#Source:        http://sourceforge.net/projects/mcj/files/fig2dev-%%{version}.tar.xz/download#/fig2dev-%%{version}.tar.xz
+#Source:        https://sourceforge.net/projects/mcj/files/fig2dev-%%{version}.tar.xz/download#/fig2dev-%%{version}.tar.xz
 Source:         fig2dev-%{version}.tar.xz
 Patch0:         transfig-3.2.9.dif
 Patch1:         transfig-gs10.03.patch
 Patch4:         transfig-fix-afl.patch
+Patch20:        184.patch
+Patch21:        185.patch
+Patch22:        186.patch
+Patch23:        192.patch
+Patch24:        187.patch
+Patch25:        191.patch
+Patch26:        190.patch
 Patch43:        fig2dev-3.2.6-fig2mpdf.patch
 Patch44:        fig2dev-3.2.6-fig2mpdf-doc.patch
 Patch45:        transfig-gcc14.patch
@@ -72,6 +79,13 @@ find -type f -exec chmod a-x,go-w '{}' \;
 %patch -P 0 -p0 -b .p0
 %patch -P 1 -p0 -b .p1
 %patch -P 4 -p1 -b .afl
+%patch -P 20 -p0
+%patch -P 21 -p0
+%patch -P 22 -p0
+%patch -P 23 -p0
+%patch -P 24 -p0
+%patch -P 25 -p0
+%patch -P 26 -p0
 %patch -P 43 -p1 -b .mpdf
 %patch -P 44 -p1 -b .mpdfdoc
 %patch -P 45 -p0 -b .gcc14