
Bug#883176: stretch-pu: package fig2dev/1:3.2.6a-2



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Fix some minor security issues which, according to the security team, do
not warrant a DSA:

 * CVE-2017-16899: 31_input_sanitizing: Some input sanitizing on FIG
   files (Closes: #881143, #881144).
 * 32_fill-style-overflow: Sanitize input of fill patterns
   (Closes: #881396).

The patches are adapted from unstable/testing.

Greetings
Roland
diff -Nru fig2dev-3.2.6a/debian/changelog fig2dev-3.2.6a/debian/changelog
--- fig2dev-3.2.6a/debian/changelog	2017-01-28 10:30:50.000000000 +0100
+++ fig2dev-3.2.6a/debian/changelog	2017-11-30 12:02:27.000000000 +0100
@@ -1,3 +1,12 @@
+fig2dev (1:3.2.6a-2+deb9u1) stable; urgency=medium
+
+  * CVE-2017-16899: 31_input_sanitizing: Some input sanitizing on FIG
+    files (Closes: #881143, #881144).
+  * 32_fill-style-overflow: Sanitize input of fill patterns
+    (Closes: #881396).
+
+ -- Roland Rosenfeld <roland@debian.org>  Thu, 30 Nov 2017 12:02:27 +0100
+
 fig2dev (1:3.2.6a-2) unstable; urgency=medium
 
   * build-dep on etoolbox required with current texlive (Closes: #852915).
diff -Nru fig2dev-3.2.6a/debian/patches/31_input_sanitizing.patch fig2dev-3.2.6a/debian/patches/31_input_sanitizing.patch
--- fig2dev-3.2.6a/debian/patches/31_input_sanitizing.patch	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.6a/debian/patches/31_input_sanitizing.patch	2017-11-30 12:02:27.000000000 +0100
@@ -0,0 +1,41 @@
+Description: CVE-2017-16899 Some input sanitizing when reading FIG files.
+Bug-Debian: https://bugs.debian.org/881143
+Bug-Debian: https://bugs.debian.org/881144
+Author: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -1329,8 +1329,14 @@ read_textobject(FILE *fp)
+ 				| PSFONT_TEXT;
+ 
+ 	/* keep the font number reasonable */
+-	if (t->font > MAXFONT(t))
++       if (t->font > MAXFONT(t)) {
+ 		t->font = MAXFONT(t);
++       } else if (t->font < 0 ) {
++               if (psfont_text(t) && t->font < -1)
++                       t->font = -1;
++               else
++                       t->font = 0;
++       }
+ 	fix_and_note_color(&t->color);
+ 	t->comments = attach_comments();	/* attach any comments */
+ 	return t;
+--- a/fig2dev/read1_3.c
++++ b/fig2dev/read1_3.c
+@@ -470,6 +470,15 @@ read_textobject(FILE *fp)
+ 	    free((char*) t);
+ 	    return(NULL);
+ 	    }
++       /* keep the font number within valid range */
++       if (t->font > MAXFONT(t)) {
++               t->font = MAXFONT(t);
++       } else if (t->font < 0 ) {
++               if (psfont_text(t) && t->font < -1)
++                       t->font = -1;
++               else
++                       t->font = 0;
++       }
+ 	(void)strcpy(t->cstring, buf);
+ 	if (t->size == 0) t->size = 18;
+ 	return(t);
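Review bot: The added clamp lines (`if (t->font > MAXFONT(t)) {` through the closing `}`) are indented with spaces in both read.c and read1_3.c while the surrounding lines of those files use tabs, so one `if` statement now mixes both; re-indenting the new lines with tabs and dropping the stray space in `t->font < 0 )` keeps them consistent with the file. The clamp also silently rewrites an out-of-range font number instead of reporting it; if the project has a warning helper for malformed input (not visible here), a short diagnostic alongside a comment such as `/* out-of-range font number from file, clamped */` would let users notice a corrupt or hostile FIG file rather than getting a quietly different rendering. In read1_3.c the `psfont_text(t)` branch only matters if the 1.3 reader ever sets the PostScript-font flag on `t->flags`; if it never does, a comment noting that negative fonts always collapse to 0 there would avoid confusion. Both read_textobject functions begin and end outside the hunk.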
diff -Nru fig2dev-3.2.6a/debian/patches/32_fill-style-overflow.patch fig2dev-3.2.6a/debian/patches/32_fill-style-overflow.patch
--- fig2dev-3.2.6a/debian/patches/32_fill-style-overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.6a/debian/patches/32_fill-style-overflow.patch	2017-11-30 12:02:27.000000000 +0100
@@ -0,0 +1,47 @@
+Description: Sanitize input of fill patterns.
+Bug-Debian: https://bugs.debian.org/881396
+Author: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -71,6 +71,8 @@ static int		 save_comment(void);
+ 
+ #define		FILL_CONVERT(f)	((v2_flag || (f) < WHITE_FILL) \
+ 					? (v30_flag? f: (f-1)) : 20 - ((f)-1)*5)
++#define		FILL_SANITIZE(f)	((f) < UNFILLED || (f) >= \
++			NUMSHADES + NUMTINTS + NUMPATTERNS) ? UNFILLED : f
+ 
+ /* input buffer size */
+ #define		BUF_SIZE	1024
+@@ -547,6 +549,7 @@ read_arcobject(FILE *fp)
+ 	}
+ 	a->thickness *= round(THICK_SCALE);
+ 	a->fill_style = FILL_CONVERT(a->fill_style);
++	a->fill_style = FILL_SANITIZE(a->fill_style);
+ 	NOTE_FILL(a);
+ 	fix_and_note_color(&a->pen_color);
+ 	if (fa) {
+@@ -730,6 +733,7 @@ read_ellipseobject(void)
+ 	fix_and_note_color(&e->pen_color);
+ 	e->thickness *= round(THICK_SCALE);
+ 	e->fill_style = FILL_CONVERT(e->fill_style);
++	e->fill_style = FILL_SANITIZE(e->fill_style);
+ 	NOTE_FILL(e);
+ 	e->comments = attach_comments();	/* attach any comments */
+ 	return e;
+@@ -895,6 +899,7 @@ read_lineobject(FILE *fp)
+ 	l->radius *= round(THICK_SCALE);
+ 	l->thickness *= round(THICK_SCALE);
+ 	l->fill_style = FILL_CONVERT(l->fill_style);
++	l->fill_style = FILL_SANITIZE(l->fill_style);
+ 	NOTE_FILL(l);
+ 	fix_and_note_color(&l->pen_color);
+ 	if (fa) {
+@@ -1051,6 +1056,7 @@ read_splineobject(FILE *fp)
+ 	    }
+ 	s->thickness *= round(THICK_SCALE);
+ 	s->fill_style = FILL_CONVERT(s->fill_style);
++	s->fill_style = FILL_SANITIZE(s->fill_style);
+ 	NOTE_FILL(s);
+ 	fix_and_note_color(&s->pen_color);
+ 	if (fa) {
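Review bot: The new range check runs only after `FILL_CONVERT` has already computed `20 - ((f)-1)*5` on the raw value read from the file (the `a->fill_style = FILL_CONVERT(a->fill_style);` line and its three parallel sites), so if fill_style is a plain int an extremely large value from an untrusted file can overflow in that multiplication — undefined behavior — before `FILL_SANITIZE` sees the result; checking the raw value against a sane bound before the conversion, or doing the arithmetic in a wider type, would close that gap. Separately, `FILL_SANITIZE` is not fully parenthesized: neither the whole expansion nor the trailing `f` is wrapped, so it only works because each use is the sole right-hand side of an assignment; write it as `#define FILL_SANITIZE(f) (((f) < UNFILLED || (f) >= NUMSHADES + NUMTINTS + NUMPATTERNS) ? UNFILLED : (f))`. The four reading functions all begin and end outside the hunk.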
diff -Nru fig2dev-3.2.6a/debian/patches/series fig2dev-3.2.6a/debian/patches/series
--- fig2dev-3.2.6a/debian/patches/series	2017-01-28 10:30:50.000000000 +0100
+++ fig2dev-3.2.6a/debian/patches/series	2017-11-30 12:02:27.000000000 +0100
@@ -2,3 +2,5 @@
 15_fig2mpdf-doc.patch
 28_fix_fig2dev_chmod.patch
 29_RGBFILE.patch
+31_input_sanitizing.patch
+32_fill-style-overflow.patch
