
Bug#883176: marked as done (stretch-pu: package fig2dev/1:3.2.6a-2)



Your message dated Sat, 09 Dec 2017 10:46:36 +0000
with message-id <1512816396.1994.30.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #883176,
regarding stretch-pu: package fig2dev/1:3.2.6a-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
883176: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883176
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Fix some minor security issues, which according to the security team do
not warrant a DSA:

 * CVE-2017-16899: 31_input_sanitizing: Some input sanitizing on FIG
   files (Closes: #881143, #881144).
 * 32_fill-style-overflow: Sanitize input of fill patterns
   (Closes: #881396).

The patches are adapted from unstable/testing.

Greetings
Roland
diff -Nru fig2dev-3.2.6a/debian/changelog fig2dev-3.2.6a/debian/changelog
--- fig2dev-3.2.6a/debian/changelog	2017-01-28 10:30:50.000000000 +0100
+++ fig2dev-3.2.6a/debian/changelog	2017-11-30 12:02:27.000000000 +0100
@@ -1,3 +1,12 @@
+fig2dev (1:3.2.6a-2+deb9u1) stable; urgency=medium
+
+  * CVE-2017-16899: 31_input_sanitizing: Some input sanitizing on FIG
+    files (Closes: #881143, #881144).
+  * 32_fill-style-overflow: Sanitize input of fill patterns
+    (Closes: #881396).
+
+ -- Roland Rosenfeld <roland@debian.org>  Thu, 30 Nov 2017 12:02:27 +0100
+
 fig2dev (1:3.2.6a-2) unstable; urgency=medium
 
   * build-dep on etoolbox required with current texlive (Closes: #852915).
diff -Nru fig2dev-3.2.6a/debian/patches/31_input_sanitizing.patch fig2dev-3.2.6a/debian/patches/31_input_sanitizing.patch
--- fig2dev-3.2.6a/debian/patches/31_input_sanitizing.patch	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.6a/debian/patches/31_input_sanitizing.patch	2017-11-30 12:02:27.000000000 +0100
@@ -0,0 +1,41 @@
+Description: CVE-2017-16899 Some input sanitizing when reading FIG files.
+Bug-Debian: https://bugs.debian.org/881143
+Bug-Debian: https://bugs.debian.org/881144
+Author: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -1329,8 +1329,14 @@ read_textobject(FILE *fp)
+ 				| PSFONT_TEXT;
+ 
+ 	/* keep the font number reasonable */
+-	if (t->font > MAXFONT(t))
++       if (t->font > MAXFONT(t)) {
+ 		t->font = MAXFONT(t);
++       } else if (t->font < 0 ) {
++               if (psfont_text(t) && t->font < -1)
++                       t->font = -1;
++               else
++                       t->font = 0;
++       }
+ 	fix_and_note_color(&t->color);
+ 	t->comments = attach_comments();	/* attach any comments */
+ 	return t;
+--- a/fig2dev/read1_3.c
++++ b/fig2dev/read1_3.c
+@@ -470,6 +470,15 @@ read_textobject(FILE *fp)
+ 	    free((char*) t);
+ 	    return(NULL);
+ 	    }
++       /* keep the font number within valid range */
++       if (t->font > MAXFONT(t)) {
++               t->font = MAXFONT(t);
++       } else if (t->font < 0 ) {
++               if (psfont_text(t) && t->font < -1)
++                       t->font = -1;
++               else
++                       t->font = 0;
++       }
+ 	(void)strcpy(t->cstring, buf);
+ 	if (t->size == 0) t->size = 18;
+ 	return(t);
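Review bot: in the `else if (t->font < 0 )` branch added to read_textobject() in both read.c and read1_3.c, a PostScript text whose font is exactly -1 fails the `t->font < -1` test and falls through to `t->font = 0`, even though the line above clamps to -1 as if that were the accepted lower bound for such text. If -1 is meant to survive for PostScript text, test `psfont_text(t)` on its own first and reset to 0 only in the non-PostScript case. The same block is pasted into both files, so a small shared helper would keep the two copies from drifting apart, and the added lines are indented with spaces where the surrounding context uses tabs.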
diff -Nru fig2dev-3.2.6a/debian/patches/32_fill-style-overflow.patch fig2dev-3.2.6a/debian/patches/32_fill-style-overflow.patch
--- fig2dev-3.2.6a/debian/patches/32_fill-style-overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.6a/debian/patches/32_fill-style-overflow.patch	2017-11-30 12:02:27.000000000 +0100
@@ -0,0 +1,47 @@
+Description: Sanitize input of fill patterns.
+Bug-Debian: https://bugs.debian.org/881396
+Author: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -71,6 +71,8 @@ static int		 save_comment(void);
+ 
+ #define		FILL_CONVERT(f)	((v2_flag || (f) < WHITE_FILL) \
+ 					? (v30_flag? f: (f-1)) : 20 - ((f)-1)*5)
++#define		FILL_SANITIZE(f)	((f) < UNFILLED || (f) >= \
++			NUMSHADES + NUMTINTS + NUMPATTERNS) ? UNFILLED : f
+ 
+ /* input buffer size */
+ #define		BUF_SIZE	1024
+@@ -547,6 +549,7 @@ read_arcobject(FILE *fp)
+ 	}
+ 	a->thickness *= round(THICK_SCALE);
+ 	a->fill_style = FILL_CONVERT(a->fill_style);
++	a->fill_style = FILL_SANITIZE(a->fill_style);
+ 	NOTE_FILL(a);
+ 	fix_and_note_color(&a->pen_color);
+ 	if (fa) {
+@@ -730,6 +733,7 @@ read_ellipseobject(void)
+ 	fix_and_note_color(&e->pen_color);
+ 	e->thickness *= round(THICK_SCALE);
+ 	e->fill_style = FILL_CONVERT(e->fill_style);
++	e->fill_style = FILL_SANITIZE(e->fill_style);
+ 	NOTE_FILL(e);
+ 	e->comments = attach_comments();	/* attach any comments */
+ 	return e;
+@@ -895,6 +899,7 @@ read_lineobject(FILE *fp)
+ 	l->radius *= round(THICK_SCALE);
+ 	l->thickness *= round(THICK_SCALE);
+ 	l->fill_style = FILL_CONVERT(l->fill_style);
++	l->fill_style = FILL_SANITIZE(l->fill_style);
+ 	NOTE_FILL(l);
+ 	fix_and_note_color(&l->pen_color);
+ 	if (fa) {
+@@ -1051,6 +1056,7 @@ read_splineobject(FILE *fp)
+ 	    }
+ 	s->thickness *= round(THICK_SCALE);
+ 	s->fill_style = FILL_CONVERT(s->fill_style);
++	s->fill_style = FILL_SANITIZE(s->fill_style);
+ 	NOTE_FILL(s);
+ 	fix_and_note_color(&s->pen_color);
+ 	if (fa) {
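Review bot: the `FILL_SANITIZE(f)` macro added below `FILL_CONVERT` expands to a bare conditional expression, with neither the whole `... ? UNFILLED : f` nor the trailing `f` parenthesized, so it is only safe in the plain-assignment form used at the four call sites. Writing it as `(((f) < UNFILLED || (f) >= NUMSHADES + NUMTINTS + NUMPATTERNS) ? UNFILLED : (f))` removes that trap. At each call site in read_arcobject(), read_ellipseobject(), read_lineobject() and read_splineobject() the range check also runs only on the result of `FILL_CONVERT`, which may already have evaluated `20 - ((f)-1)*5` on the value read from the file; bounding the raw value before the conversion would keep that arithmetic from overflowing a signed int.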
diff -Nru fig2dev-3.2.6a/debian/patches/series fig2dev-3.2.6a/debian/patches/series
--- fig2dev-3.2.6a/debian/patches/series	2017-01-28 10:30:50.000000000 +0100
+++ fig2dev-3.2.6a/debian/patches/series	2017-11-30 12:02:27.000000000 +0100
@@ -2,3 +2,5 @@
 15_fig2mpdf-doc.patch
 28_fix_fig2dev_chmod.patch
 29_RGBFILE.patch
+31_input_sanitizing.patch
+32_fill-style-overflow.patch

--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam

--- End Message ---
