Bug#946185: stretch-pu: package fig2dev/1:3.2.6a-2+deb9u3
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
This fixes CVE-2019-19555 in stretch. Since this is tagged
"unimportant" by the security team on
https://security-tracker.debian.org/tracker/CVE-2019-19555 they won't
publish a DSA, so I tend to send this into the next point release of
buster.
Attached you'll find the diff against 3.2.6a-2+deb9u2.
Greetings
Roland
diff -Nru fig2dev-3.2.6a/debian/changelog fig2dev-3.2.6a/debian/changelog
--- fig2dev-3.2.6a/debian/changelog 2019-07-27 10:22:45.000000000 +0200
+++ fig2dev-3.2.6a/debian/changelog 2019-12-04 22:22:00.000000000 +0100
@@ -1,3 +1,10 @@
+fig2dev (1:3.2.6a-2+deb9u3) stretch; urgency=medium
+
+ * 41_CVE-2019-19555: Allow Fig v2 text strings ending with multiple ^A.
+ This fixes CVE-2019-19555. Closes (#946176).
+
+ -- Roland Rosenfeld <roland@debian.org> Wed, 04 Dec 2019 22:22:00 +0100
+
fig2dev (1:3.2.6a-2+deb9u2) stretch; urgency=medium
* 40_circle_arrowhead: Do not segfault on circle/half circle arrowheads
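Review bot: The bug reference on the second line of the new changelog entry is written as "Closes (#946176)", which is not the "Closes: #946176" form that the Debian archive tooling scans changelogs for, so this upload would not record the bug as closed from that line. Suggest rewording it to "This fixes CVE-2019-19555. (Closes: #946176)".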
diff -Nru fig2dev-3.2.6a/debian/patches/41_CVE-2019-19555.patch fig2dev-3.2.6a/debian/patches/41_CVE-2019-19555.patch
--- fig2dev-3.2.6a/debian/patches/41_CVE-2019-19555.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.6a/debian/patches/41_CVE-2019-19555.patch 2019-12-04 22:22:00.000000000 +0100
@@ -0,0 +1,27 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Wed Dec 4 17:56:04 2019 +0100
+Bug: https://sourceforge.net/p/mcj/tickets/55
+Bug-Debian: https://bugs.debian.org/946176
+Origin: https://sourceforge.net/p/mcj/fig2dev/ci/19db5fe6f77ebad91af4b4ef0defd61bd0bb358f/
+Subject: Allow Fig v2 text strings ending with multiple ^A.
+ This fixes CVE-2019-19555
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -3,6 +3,7 @@
+ * Copyright (c) 1991 by Micah Beck
+ * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+ * Parts Copyright (c) 1989-2002 by Brian V. Smith
++ * Parts Copyright (c) 2015-2019 by Thomas Loimer
+ *
+ * Any party obtaining a copy of these files is granted, free of charge, a
+ * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -1223,7 +1224,7 @@ read_textobject(FILE *fp)
+ If we do not find the CONTROL-A on this line then this must
+ be a multi-line text object and we will have to read more. */
+
+- n = sscanf(buf,"%*d%d%d%lf%d%d%d%lf%d%lf%lf%d%d%[^\1]%[\1]",
++ n = sscanf(buf,"%*d%d%d%lf%d%d%d%lf%d%lf%lf%d%d%[^\1]%1[\1]",
+ &t->type, &t->font, &t->size, &t->pen,
+ &t->color, &t->depth, &t->angle,
+ &t->flags, &t->height, &t->length,
diff -Nru fig2dev-3.2.6a/debian/patches/series fig2dev-3.2.6a/debian/patches/series
--- fig2dev-3.2.6a/debian/patches/series 2019-07-27 10:22:45.000000000 +0200
+++ fig2dev-3.2.6a/debian/patches/series 2019-12-04 22:22:00.000000000 +0100
@@ -5,3 +5,4 @@
31_input_sanitizing.patch
32_fill-style-overflow.patch
40_circle_arrowhead.patch
+41_CVE-2019-19555.patch