Bug#883177: jessie-pu: package transfig/1:3.2.5.e-4
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Fix some minor security issues which, according to the security team, do
not warrant a DSA:
* CVE-2017-16899: 33_input_sanitizing: Some input sanitizing on FIG
files (Closes: #881143, #881144).
* 34_fill-style-overflow: Sanitize input of fill patterns
(Closes: #881396).
The patches are adapted from unstable/testing.
Greetings
Roland
diff -Nru transfig-3.2.5.e/debian/changelog transfig-3.2.5.e/debian/changelog
--- transfig-3.2.5.e/debian/changelog 2014-08-26 10:06:01.000000000 +0200
+++ transfig-3.2.5.e/debian/changelog 2017-11-30 12:17:07.000000000 +0100
@@ -1,3 +1,12 @@
+transfig (1:3.2.5.e-4+deb8u1) jessie-proposed-updates; urgency=medium
+
+ * CVE-2017-16899: 33_input_sanitizing: Some input sanitizing on FIG
+ files (Closes: #881143, #881144).
+ * 34_fill-style-overflow: Sanitize input of fill patterns
+ (Closes: #881396).
+
+ -- Roland Rosenfeld <roland@debian.org> Thu, 30 Nov 2017 12:17:07 +0100
+
transfig (1:3.2.5.e-4) unstable; urgency=low
* 32_dev_Imake_typo: use gengbx.c instead of gengbx.o in SRCS, otherwise
diff -Nru transfig-3.2.5.e/debian/patches/33_input_sanitizing.patch transfig-3.2.5.e/debian/patches/33_input_sanitizing.patch
--- transfig-3.2.5.e/debian/patches/33_input_sanitizing.patch 1970-01-01 01:00:00.000000000 +0100
+++ transfig-3.2.5.e/debian/patches/33_input_sanitizing.patch 2017-11-30 12:17:07.000000000 +0100
@@ -0,0 +1,41 @@
+Description: CVE-2017-16899 Some input sanitizing when reading FIG files.
+Bug-Debian: https://bugs.debian.org/881143
+Bug-Debian: https://bugs.debian.org/881144
+Author: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -1204,8 +1204,14 @@ FILE *fp;
+ | PSFONT_TEXT;
+
+ /* keep the font number reasonable */
+- if (t->font > MAXFONT(t))
++ if (t->font > MAXFONT(t)) {
+ t->font = MAXFONT(t);
++ } else if (t->font < 0 ) {
++ if (psfont_text(t) && t->font < -1)
++ t->font = -1;
++ else
++ t->font = 0;
++ }
+ fix_color(&t->color);
+ t->comments = attach_comments(); /* attach any comments */
+ return t;
+--- a/fig2dev/read1_3.c
++++ b/fig2dev/read1_3.c
+@@ -465,6 +465,15 @@ FILE *fp;
+ free((char*) t);
+ return(NULL);
+ }
++ /* keep the font number within valid range */
++ if (t->font > MAXFONT(t)) {
++ t->font = MAXFONT(t);
++ } else if (t->font < 0 ) {
++ if (psfont_text(t) && t->font < -1)
++ t->font = -1;
++ else
++ t->font = 0;
++ }
+ (void)strcpy(t->cstring, buf);
+ if (t->size == 0) t->size = 18;
+ return(t);
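Review bot: In both clamps (fig2dev/read.c and fig2dev/read1_3.c), a PostScript text whose font is exactly -1 falls through to the `else` branch and is rewritten to 0, because the inner test is `t->font < -1`. Since values below -1 are clamped to -1, that value appears to be a legal PostScript font number (presumably the default font), so changing it looks unintended. Writing the body of the `t->font < 0` branch as `t->font = psfont_text(t) ? -1 : 0;` would keep -1 intact while still bounding everything else. The same block is duplicated in the two readers and could live in one shared helper, so the valid range is defined in a single place. Both enclosing functions start outside the hunks, so how the font number is used as an index afterwards is not visible here.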
diff -Nru transfig-3.2.5.e/debian/patches/34_fill-style-overflow.patch transfig-3.2.5.e/debian/patches/34_fill-style-overflow.patch
--- transfig-3.2.5.e/debian/patches/34_fill-style-overflow.patch 1970-01-01 01:00:00.000000000 +0100
+++ transfig-3.2.5.e/debian/patches/34_fill-style-overflow.patch 2017-11-30 12:17:07.000000000 +0100
@@ -0,0 +1,47 @@
+Description: Sanitize input of fill patterns.
+Bug-Debian: https://bugs.debian.org/881396
+Author: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -61,6 +61,8 @@ static int save_comment();
+ #define FILL_CONVERT(f) \
+ ((v2_flag || (f) < WHITE_FILL) \
+ ? (v30_flag? f: (f-1)) : 20 - ((f)-1)*5)
++#define FILL_SANITIZE(f) ((f) < UNFILLED || (f) >= \
++ NUMSHADES + NUMTINTS + NUMPATTERNS) ? UNFILLED : f
+
+ /* input buffer size */
+ #define BUF_SIZE 1024
+@@ -527,6 +529,7 @@ FILE *fp;
+ }
+ a->thickness *= round(THICK_SCALE);
+ a->fill_style = FILL_CONVERT(a->fill_style);
++ a->fill_style = FILL_SANITIZE(a->fill_style);
+ /* keep track if pattern is used */
+ note_pattern(a->fill_style);
+ fix_color(&a->pen_color);
+@@ -718,6 +721,7 @@ read_ellipseobject()
+ fix_color(&e->fill_color);
+ e->thickness *= round(THICK_SCALE);
+ e->fill_style = FILL_CONVERT(e->fill_style);
++ e->fill_style = FILL_SANITIZE(e->fill_style);
+ /* keep track if pattern is used */
+ note_pattern(e->fill_style);
+ e->comments = attach_comments(); /* attach any comments */
+@@ -786,6 +790,7 @@ FILE *fp;
+ l->radius *= round(THICK_SCALE);
+ l->thickness *= round(THICK_SCALE);
+ l->fill_style = FILL_CONVERT(l->fill_style);
++ l->fill_style = FILL_SANITIZE(l->fill_style);
+
+ /* keep track if pattern is used */
+ note_pattern(l->fill_style);
+@@ -925,6 +930,7 @@ FILE *fp;
+ }
+ s->thickness *= round(THICK_SCALE);
+ s->fill_style = FILL_CONVERT(s->fill_style);
++ s->fill_style = FILL_SANITIZE(s->fill_style);
+ /* keep track if pattern is used */
+ note_pattern(s->fill_style);
+ fix_color(&s->pen_color);
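Review bot: `FILL_SANITIZE` expands to an unparenthesised conditional expression and uses its argument bare in the last operand, so it is only correct in the plain-assignment form used at the four call sites. Defining it as `#define FILL_SANITIZE(f) (((f) < UNFILLED || (f) >= NUMSHADES + NUMTINTS + NUMPATTERNS) ? UNFILLED : (f))` removes that trap. The range check also runs after `FILL_CONVERT`, whose `20 - ((f)-1)*5` branch does signed arithmetic on the value as read from the file, so an extreme input may overflow before it is rejected. Bounding the raw value before converting would avoid that. The macro would also benefit from a short comment stating that out-of-range fill styles fall back to `UNFILLED`; the code that consumes `fill_style` lies outside these hunks.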
diff -Nru transfig-3.2.5.e/debian/patches/series transfig-3.2.5.e/debian/patches/series
--- transfig-3.2.5.e/debian/patches/series 2014-08-26 10:06:06.000000000 +0200
+++ transfig-3.2.5.e/debian/patches/series 2017-11-30 12:17:07.000000000 +0100
@@ -18,3 +18,5 @@
30_fprintf_format.patch
31_index_not_static.patch
32_dev_Imake_typo.patch
+33_input_sanitizing.patch
+34_fill-style-overflow.patch