Bug#883177: jessie-pu: package transfig/1:3.2.5.e-4

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#883177: jessie-pu: package transfig/1:3.2.5.e-4
From: Roland Rosenfeld <roland@debian.org>
Date: Thu, 30 Nov 2017 12:24:10 +0100
Message-id: <[🔎] 20171130112410.a7conaszcrxdkq2w@dinghy.sail.spinnaker.de>
Reply-to: Roland Rosenfeld <roland@debian.org>, 883177@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Fix some minor security issues, which according to security team do
not warrant a DSA:

  * CVE-2017-16899: 33_input_sanitizing: Some input sanitizing on FIG
    files (Closes: #881143, #881144).
  * 34_fill-style-overflow: Sanitize input of fill patterns
    (Closes: #881396).

The patches are adapted from unstable/testing.

Greetings
Roland

diff -Nru transfig-3.2.5.e/debian/changelog transfig-3.2.5.e/debian/changelog
--- transfig-3.2.5.e/debian/changelog	2014-08-26 10:06:01.000000000 +0200
+++ transfig-3.2.5.e/debian/changelog	2017-11-30 12:17:07.000000000 +0100
@@ -1,3 +1,12 @@
+transfig (1:3.2.5.e-4+deb8u1) jessie-proposed-updates; urgency=medium
+
+  * CVE-2017-16899: 33_input_sanitizing: Some input sanitizing on FIG
+    files (Closes: #881143, #881144).
+  * 34_fill-style-overflow: Sanitize input of fill patterns
+    (Closes: #881396).
+
+ -- Roland Rosenfeld <roland@debian.org>  Thu, 30 Nov 2017 12:17:07 +0100
+
 transfig (1:3.2.5.e-4) unstable; urgency=low
 
   * 32_dev_Imake_typo: use gengbx.c instead of gengbx.o in SRCS, otherwise
diff -Nru transfig-3.2.5.e/debian/patches/33_input_sanitizing.patch transfig-3.2.5.e/debian/patches/33_input_sanitizing.patch
--- transfig-3.2.5.e/debian/patches/33_input_sanitizing.patch	1970-01-01 01:00:00.000000000 +0100
+++ transfig-3.2.5.e/debian/patches/33_input_sanitizing.patch	2017-11-30 12:17:07.000000000 +0100
@@ -0,0 +1,41 @@
+Description: CVE-2017-16899 Some input sanitizing when reading FIG files.
+Bug-Debian: https://bugs.debian.org/881143
+Bug-Debian: https://bugs.debian.org/881144
+Author: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -1204,8 +1204,14 @@ FILE	*fp;
+ 				| PSFONT_TEXT;
+ 
+ 	/* keep the font number reasonable */
+-	if (t->font > MAXFONT(t))
++	if (t->font > MAXFONT(t)) {
+ 		t->font = MAXFONT(t);
++	} else if (t->font < 0 ) {
++		if (psfont_text(t) && t->font < -1)
++			t->font = -1;
++		else
++			t->font = 0;
++	}
+ 	fix_color(&t->color);
+ 	t->comments = attach_comments();	/* attach any comments */
+ 	return t;
+--- a/fig2dev/read1_3.c
++++ b/fig2dev/read1_3.c
+@@ -465,6 +465,15 @@ FILE	*fp;
+ 	    free((char*) t);
+ 	    return(NULL);
+ 	    }
++       /* keep the font number within valid range */
++       if (t->font > MAXFONT(t)) {
++               t->font = MAXFONT(t);
++       } else if (t->font < 0 ) {
++               if (psfont_text(t) && t->font < -1)
++                       t->font = -1;
++               else
++                       t->font = 0;
++       }
+ 	(void)strcpy(t->cstring, buf);
+ 	if (t->size == 0) t->size = 18;
+ 	return(t);
diff -Nru transfig-3.2.5.e/debian/patches/34_fill-style-overflow.patch transfig-3.2.5.e/debian/patches/34_fill-style-overflow.patch
--- transfig-3.2.5.e/debian/patches/34_fill-style-overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ transfig-3.2.5.e/debian/patches/34_fill-style-overflow.patch	2017-11-30 12:17:07.000000000 +0100
@@ -0,0 +1,47 @@
+Description: Sanitize input of fill patterns.
+Bug-Debian: https://bugs.debian.org/881396
+Author: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -61,6 +61,8 @@ static int		 save_comment();
+ #define			FILL_CONVERT(f) \
+ 				((v2_flag || (f) < WHITE_FILL) \
+ 					? (v30_flag? f: (f-1)) : 20 - ((f)-1)*5)
++#define		FILL_SANITIZE(f)	((f) < UNFILLED || (f) >= \
++			NUMSHADES + NUMTINTS + NUMPATTERNS) ? UNFILLED : f
+ 
+ /* input buffer size */
+ #define		BUF_SIZE	1024
+@@ -527,6 +529,7 @@ FILE	*fp;
+ 	}
+ 	a->thickness *= round(THICK_SCALE);
+ 	a->fill_style = FILL_CONVERT(a->fill_style);
++	a->fill_style = FILL_SANITIZE(a->fill_style);
+ 	/* keep track if pattern is used */
+ 	note_pattern(a->fill_style);
+ 	fix_color(&a->pen_color);
+@@ -718,6 +721,7 @@ read_ellipseobject()
+ 	fix_color(&e->fill_color);
+ 	e->thickness *= round(THICK_SCALE);
+ 	e->fill_style = FILL_CONVERT(e->fill_style);
++	e->fill_style = FILL_SANITIZE(e->fill_style);
+ 	/* keep track if pattern is used */
+ 	note_pattern(e->fill_style);
+ 	e->comments = attach_comments();	/* attach any comments */
+@@ -786,6 +790,7 @@ FILE	*fp;
+ 	l->radius *= round(THICK_SCALE);
+ 	l->thickness *= round(THICK_SCALE);
+ 	l->fill_style = FILL_CONVERT(l->fill_style);
++	l->fill_style = FILL_SANITIZE(l->fill_style);
+ 
+ 	/* keep track if pattern is used */
+ 	note_pattern(l->fill_style);
+@@ -925,6 +930,7 @@ FILE	*fp;
+ 	    }
+ 	s->thickness *= round(THICK_SCALE);
+ 	s->fill_style = FILL_CONVERT(s->fill_style);
++	s->fill_style = FILL_SANITIZE(s->fill_style);
+ 	/* keep track if pattern is used */
+ 	note_pattern(s->fill_style);
+ 	fix_color(&s->pen_color);
diff -Nru transfig-3.2.5.e/debian/patches/series transfig-3.2.5.e/debian/patches/series
--- transfig-3.2.5.e/debian/patches/series	2014-08-26 10:06:06.000000000 +0200
+++ transfig-3.2.5.e/debian/patches/series	2017-11-30 12:17:07.000000000 +0100
@@ -18,3 +18,5 @@
 30_fprintf_format.patch
 31_index_not_static.patch
 32_dev_Imake_typo.patch
+33_input_sanitizing.patch
+34_fill-style-overflow.patch

Reply to:

Prev by Date: Bug#883176: stretch-pu: package fig2dev/1:3.2.6a-2
Next by Date: Bug#852849: jessie-pu: package keyringer/0.3.7-1
Previous by thread: Bug#883176: stretch-pu: package fig2dev/1:3.2.6a-2
Next by thread: Bug#852849: jessie-pu: package keyringer/0.3.7-1
Index(es):
- Date
- Thread