Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

This fixes CVE-2019-14275 in stretch. Since this is tagged "unimportant" by the security team on https://security-tracker.debian.org/tracker/CVE-2019-14275 they won't publish a DSA, so I intend to send this into the next point release of buster. Attached you'll find the diff against 3.2.6a-2+deb9u1.

Greetings
Roland
diff -Nru fig2dev-3.2.6a/debian/changelog fig2dev-3.2.6a/debian/changelog
--- fig2dev-3.2.6a/debian/changelog 2017-11-30 12:02:27.000000000 +0100
+++ fig2dev-3.2.6a/debian/changelog 2019-07-27 10:22:45.000000000 +0200
@@ -1,3 +1,12 @@
+fig2dev (1:3.2.6a-2+deb9u2) stretch; urgency=medium
+
+ * 40_circle_arrowhead: Do not segfault on circle/half circle arrowheads
+ with a magnification larger 42. This fixes CVE-2019-14275.
+ (Closes: #933075).
+ * Adapt salsa CI pipeline to stretch release.
+
+ -- Roland Rosenfeld <roland@debian.org> Sat, 27 Jul 2019 10:22:45 +0200
+
fig2dev (1:3.2.6a-2+deb9u1) stretch; urgency=medium
* CVE-2017-16899: 31_input_sanitizing: Some input sanitizing on FIG
diff -Nru fig2dev-3.2.6a/debian/gitlab-ci.yml fig2dev-3.2.6a/debian/gitlab-ci.yml
--- fig2dev-3.2.6a/debian/gitlab-ci.yml 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.6a/debian/gitlab-ci.yml 2019-07-27 10:22:45.000000000 +0200
@@ -0,0 +1,7 @@
+---
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'stretch'
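Review bot: both include: entries fetch the salsa-ci pipeline definitions from raw/master, so the CI configuration is unpinned and can change independently of this stretch branch. That is acceptable for a file that does not affect the built binaries, but since this is a stable update it is worth stating in the changelog that the "Adapt salsa CI pipeline" item touches packaging metadata only, so the release team can see the only functional change is the CVE fix.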
diff -Nru fig2dev-3.2.6a/debian/patches/40_circle_arrowhead.patch fig2dev-3.2.6a/debian/patches/40_circle_arrowhead.patch
--- fig2dev-3.2.6a/debian/patches/40_circle_arrowhead.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.6a/debian/patches/40_circle_arrowhead.patch 2019-07-27 10:22:45.000000000 +0200
@@ -0,0 +1,35 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Fri Jul 26 23:25:50 2019 +0200
+Bug-Debian: https://bugs.debian.org/933075
+Bug: https://sourceforge.net/p/mcj/tickets/52/
+Origin: https://sourceforge.net/p/mcj/fig2dev/ci/03ea45
+Subject: Allow circle arrowheads when mag >= 42, ticket #52
+ Circle and half-circle arrowheads would be drawn with 40 + mag/4 points by
+ calc_arrow() in bound.c. However, the point arrays passed to calc_arrow()
+ would only contain 50 points. With a magnification >= 42, a buffer overrun
+ would occur. Simply use 40 points, independent of magnification.
+ .
+ This fixes CVE-2019-14275
+
+--- a/fig2dev/bound.c
++++ b/fig2dev/bound.c
+@@ -905,7 +905,7 @@ calc_arrow(int x1, int y1, int x2, int y
+ /*
+ * CIRCLE and HALF-CIRCLE arrowheads
+ *
+- * We approximate circles with (40+zoom)/4 points
++ * We approximate circles with 40 points
+ */
+ double maxx;
+ double fix_x, fix_y, xs, ys;
+@@ -936,8 +936,8 @@ calc_arrow(int x1, int y1, int x2, int y
+ dy = my - ys;
+ fix_x = xs + (dx / 2.0);
+ fix_y = ys + (dy / 2.0);
+- /* choose number of points for circle - 40+mag/4 points */
+- *npoints = np = round(mag/4.0) + 40;
++ /* choose number of points for circle */
++ *npoints = np = 40;
+
+ if (type == 5) {
+ /* full circle */
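Review bot: the second hunk replaces the magnification-dependent point count with a constant 40, which stays below the 50-entry point arrays described in the header, but nothing in calc_arrow() now records or enforces that capacity; a short comment at the `*npoints = np = 40;` line noting that the caller's arrays hold 50 points (or a bound on *npoints against that size) would keep a future change to the count from reintroducing the overrun. The first hunk also resolves a pre-existing mismatch: the old comment said "(40+zoom)/4" while the code computed 40 + mag/4, and the new comment describes what the code now does.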
diff -Nru fig2dev-3.2.6a/debian/patches/series fig2dev-3.2.6a/debian/patches/series
--- fig2dev-3.2.6a/debian/patches/series 2017-11-30 12:02:27.000000000 +0100
+++ fig2dev-3.2.6a/debian/patches/series 2019-07-27 10:22:45.000000000 +0200
@@ -4,3 +4,4 @@
29_RGBFILE.patch
31_input_sanitizing.patch
32_fill-style-overflow.patch
+40_circle_arrowhead.patch