
Bug#988974: buster-pu: package fig2dev/1:3.2.7a-5+deb10u4



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

I prepared an update for fig2dev from 1:3.2.7a-5+deb10u3 to deb10u4, which
first of all fixes CVE-2021-3561 (the security team doesn't intend to
create a DSA but redirected me here).

Additionally, it fixes four other buffer overflows that are all fixed
upstream; I backported the fixes.

Lastly, I added a mechanism that rebuilds the testsuite (used at build
time as well as in autopkgtest) to activate the tests added by the above
patches.

The salsa pipeline succeeded on this:
https://salsa.debian.org/debian/fig2dev/-/pipelines/256545

A diff against 3.2.7a-5+deb10u3 is attached.

Greetings
Roland

-- System Information:
Debian Release: 10.9
  APT prefers stable
  APT policy: (500, 'stable'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-16-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.utf-8, LC_CTYPE=de_DE.utf-8 (charmap=UTF-8), LANGUAGE=de_DE:de:en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru fig2dev-3.2.7a/debian/changelog fig2dev-3.2.7a/debian/changelog
--- fig2dev-3.2.7a/debian/changelog	2020-01-07 19:53:09.000000000 +0100
+++ fig2dev-3.2.7a/debian/changelog	2021-05-22 11:20:55.000000000 +0200
@@ -1,3 +1,16 @@
+fig2dev (1:3.2.7a-5+deb10u4) buster; urgency=medium
+
+  * 44_CVE-2021-3561: Fix buffer overflow color definitions.  This fixes
+    CVE-2021-3561.
+  * Rename gitlab.yml to salsa.yml to activate pipeline again.
+  * 45_polyline2polygon: Convert polygons having too few points to polylines.
+  * 46_arrow-poly: Remove arrows from polygon with single point.
+  * 47_trunc-subsuper: Allow truncated sub/superscripts in text.
+  * 48_arrow-point: Omit arrows without points in svg output.
+  * Rebuild testsuite during build and in autopkgtest.
+
+ -- Roland Rosenfeld <roland@debian.org>  Sat, 22 May 2021 11:20:55 +0200
+
 fig2dev (1:3.2.7a-5+deb10u3) buster; urgency=medium
 
   * 42_CVE-2019-19746: Reject huge arrow types causing integer overflow.
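Review bot: the patch names quoted in the changelog entry don't match the files added in debian/patches/series: `45_polyline2polygon` vs. `45_polygon2polyline.patch`, and `46_arrow-poly` vs. `46_arroy-poly.patch` (the file name itself reads like a typo of "arrow"). Either rename the patch to 46_arrow-poly.patch and adjust series, or quote the real file names in the changelog so the entry can be grepped. Also "Fix buffer overflow color definitions" is missing an "in", and the CI file is called gitlab-ci.yml / salsa-ci.yml in the diff, not gitlab.yml / salsa.yml as the entry says.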
diff -Nru fig2dev-3.2.7a/debian/gitlab-ci.yml fig2dev-3.2.7a/debian/gitlab-ci.yml
--- fig2dev-3.2.7a/debian/gitlab-ci.yml	2020-01-07 19:53:09.000000000 +0100
+++ fig2dev-3.2.7a/debian/gitlab-ci.yml	1970-01-01 01:00:00.000000000 +0100
@@ -1,7 +0,0 @@
----
-include:
-  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
-
-variables:
-  RELEASE: 'buster'
diff -Nru fig2dev-3.2.7a/debian/patches/44_CVE-2021-3561.patch fig2dev-3.2.7a/debian/patches/44_CVE-2021-3561.patch
--- fig2dev-3.2.7a/debian/patches/44_CVE-2021-3561.patch	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.7a/debian/patches/44_CVE-2021-3561.patch	2021-05-22 11:20:55.000000000 +0200
@@ -0,0 +1,61 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sun Apr 25 00:49:15 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/116/
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fig2dev/+bug/1926677
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/6827c09d2d6491cb2ae3ac7196439ff3aa791fd9/
+Subject: Sanitize color definitions, ticket #116 (CVE-2021-3561)
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -539,30 +539,37 @@ read_colordef(char *line, int line_no)
+ 
+ 	if (num_usr_cols >= MAX_USR_COLS) {
+ 		if (num_usr_cols == MAX_USR_COLS) {
+-			put_msg("Maximum number of color definitions (%d) exceeded at line %d.",
++			put_msg("Maximum number of color definitions (%d) "
++					"exceeded at line %d.",
+ 					MAX_USR_COLS, line_no);
+ 			++num_usr_cols;
+ 		}
+ 		/* ignore additional colors */
+ 		return;
+ 	}
+-	if (sscanf(line, "%*d %d #%2x%2x%2x", &c, &r, &g, &b) != 4) {
+-		if (c >= NUM_STD_COLS && c < NUM_STD_COLS + MAX_USR_COLS) {
+-			put_msg("Invalid color definition at line %d: %s, setting to black (#00000).",
+-					line_no, line);
+-			r = g = b = 0;
+-		} else {
+-			put_msg("User color number at line %d out of range (%d), should be between %d and %d.",
++	if (sscanf(line, "%*d %d #%2x%2x%2x", &c, &r, &g, &b) == 4) {
++		if (c >= NUM_STD_COLS && c < NUM_STD_COLS + MAX_USR_COLS &&
++				r >=0 && r < 256 && g >=0 && g < 256 &&
++				b >= 0 && b < 256 ) {
++			user_col_indx[num_usr_cols] = c;
++			user_colors[num_usr_cols].r = r;
++			user_colors[num_usr_cols].g = g;
++			user_colors[num_usr_cols].b = b;
++			++num_usr_cols;
++		} else if (c < NUM_STD_COLS || c >= NUM_STD_COLS+MAX_USR_COLS) {
++			put_msg("User color number at line %d out of range (%d)"
++					", should be between %d and %d.",
+ 					line_no, c, NUM_STD_COLS,
+ 					NUM_STD_COLS + MAX_USR_COLS - 1);
+-			return;
++		} else {
++			put_msg("Invalid color definition at line %d: %s, color"
++				       " values must be between 0 through 255.",
++								line_no, line);
+ 		}
++	} else {
++		put_msg("Invalid color definition at line %d: %s.",
++							line_no, line);
+ 	}
+-	user_col_indx[num_usr_cols] = c;
+-	user_colors[num_usr_cols].r = r;
+-	user_colors[num_usr_cols].g = g;
+-	user_colors[num_usr_cols].b = b;
+-	++num_usr_cols;
+ }
+ 
+ static void
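Review bot: small style inconsistencies in the new condition: `r >=0` and `g >=0` versus `b >= 0`, and a stray space in `b < 256 )`; keep the spacing uniform with the surrounding code. The control flow itself is the right shape: `user_col_indx[num_usr_cols]` and `user_colors[num_usr_cols]` are now assigned only inside the branch where both the sscanf result and the range of `c` have been checked, whereas the old code skipped the range check on `c` entirely on the successful-sscanf path and stored whatever value was parsed. The old "setting to black (#00000)" fallback (five zeros, itself a typo) is gone, which is consistent with the new behaviour of rejecting the definition instead of zeroing it.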
diff -Nru fig2dev-3.2.7a/debian/patches/45_polygon2polyline.patch fig2dev-3.2.7a/debian/patches/45_polygon2polyline.patch
--- fig2dev-3.2.7a/debian/patches/45_polygon2polyline.patch	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.7a/debian/patches/45_polygon2polyline.patch	2021-05-22 11:20:55.000000000 +0200
@@ -0,0 +1,62 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Wed Dec 11 21:36:46 2019 +0100
+Bug: https://sourceforge.net/p/mcj/tickets/56/
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/c379fe50574e5b5dd6e17f15d8473c5713d1b823/
+Subject: Convert polygons with too few points to polylines
+    
+    As a side effect, this also fixes ticket #56.
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -877,8 +877,10 @@ read_ellipseobject(char *line, int line_
+ /*
+  * Sanitize line objects. Return 0 on success, -1 otherwise.
+  * On error, call free_linestorage(l) after sanitize_lineobject().
++ *
+  * polylines: remove fill, if less than 3 points
+  *		remove arrows, if only one point
++ * polygons: convert to polyline if less than 3 unique points
+  * rectangles, polygons: last point must coincide with first point
+  * rectangle: convert to polygon, if not 5 points
+  * rectangle with rounded corners: error, if not 5 points
+@@ -939,6 +941,20 @@ sanitize_lineobject(
+ 	    q->y = l->points->y;
+ 	}
+ 
++	if (l->type == T_POLYGON) {
++		int	npts;
++
++		q = l->points;
++		for (npts = 1; q->next && npts < 4; q = q->next)
++			++npts;
++		if (npts < 4 ) {
++			put_msg("A polygon with %d points at line %d - convert to a polyline.",
++			npts, line_no);
++			l->type = T_POLYLINE;
++			return 0;
++		}
++	}
++
+ 	if (l->type == T_BOX || l->type == T_ARC_BOX || l->type == T_PIC_BOX) {
+ 	    int	npts = 1;
+ 	    for (q = l->points; q->next; q = q->next)
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -135,6 +135,17 @@ A single point with a backward arrow - r
+ ])
+ AT_CLEANUP
+ 
++AT_SETUP([convert short polygon to polyline, ticket #56])
++AT_KEYWORDS(read.c polygon)
++AT_CHECK([fig2dev -L ptk <<EOF
++FIG_FILE_TOP
++2 3 0 1 -1 -1 50 -1 -1 0.0 0 0 -1 0 0 1
++	0 0
++EOF
++], 0, ignore, [A polygon with 1 points at line 11 - convert to a polyline.
++])
++AT_CLEANUP
++
+ AT_SETUP([reject negative font type])
+ AT_KEYWORDS(read.c font)
+ AT_CHECK([fig2dev -L box <<EOF
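Review bot: the new header comment says "convert to polyline if less than 3 unique points", but the loop only counts points (`npts < 4`) and never compares coordinates, so a polygon whose points all coincide still passes as a polygon; either reword the comment to "fewer than 4 points" or actually compare against the first point. Minor: `npts < 4 )` has a stray space, the message produces "1 points" for a single point (the new read.at test pins that exact string, so change both together if you fix the wording), and the DEP-3 header contains a whitespace-only continuation line after "Subject:", which should be ` .` or plain text.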
diff -Nru fig2dev-3.2.7a/debian/patches/46_arroy-poly.patch fig2dev-3.2.7a/debian/patches/46_arroy-poly.patch
--- fig2dev-3.2.7a/debian/patches/46_arroy-poly.patch	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.7a/debian/patches/46_arroy-poly.patch	2021-05-22 11:20:55.000000000 +0200
@@ -0,0 +1,61 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Fri Apr 23 22:31:27 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/114/
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fig2dev/+bug/1926673
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/43cfa693284b076e5d2cc100758a34b76db65e58/
+Subject: Remove arrows from polygon with single point, ticket #114
+ When sanitizing line objects, a polygon consisting of too few points is
+ converted to a polyline. With this commit, the resulting polyline is
+ also sanitized, e.g, by removing arrow tips if the line consists only of
+ a single point.
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -3,7 +3,7 @@
+  * Copyright (c) 1991 by Micah Beck
+  * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+  * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2020 by Thomas Loimer
++ * Parts Copyright (c) 2015-2021 by Thomas Loimer
+  *
+  * Any party obtaining a copy of these files is granted, free of charge, a
+  * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -951,6 +951,7 @@ sanitize_lineobject(
+ 			put_msg("A polygon with %d points at line %d - convert to a polyline.",
+ 			npts, line_no);
+ 			l->type = T_POLYLINE;
++			sanitize_lineobject(l, p, line_no);
+ 			return 0;
+ 		}
+ 	}
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -121,7 +121,7 @@ EOF
+ ])
+ AT_CLEANUP
+ 
+-AT_SETUP([remove arrows tips from single point])
++AT_SETUP([remove arrow tips from single point])
+ AT_KEYWORDS(read.c polyline)
+ AT_CHECK([fig2dev -L pict2e <<EOF
+ FIG_FILE_TOP
+@@ -134,6 +134,19 @@ EOF
+ A single point with a backward arrow - remove the arrow.
+ ])
+ AT_CLEANUP
++
++AT_SETUP([remove arrow tips on polygon with single point])
++AT_KEYWORDS(read.c polygon)
++AT_CHECK([fig2dev -L svg <<EOF
++FIG_FILE_TOP
++2 3 0 1 -1 -1 50 -1 -1 0. 0 0 0 0 1 1
++	0 0 2. 120. 240.
++	0 0
++EOF
++],0,ignore,[A polygon with 1 points at line 12 - convert to a polyline.
++A single point with a backward arrow - remove the arrow.
++])
++AT_CLEANUP
+ 
+ AT_SETUP([convert short polygon to polyline, ticket #56])
+ AT_KEYWORDS(read.c polygon)
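Review bot: the return value of the added recursive `sanitize_lineobject(l, p, line_no);` call is discarded and the function then returns 0 unconditionally. The header comment introduced in 45_polygon2polyline.patch documents `-1` on error with the caller expected to free the line storage, so an error from the second (polyline) pass would be lost here; `return sanitize_lineobject(l, p, line_no);` would propagate it. The copyright-year bump in the first hunk is unrelated to the fix and could be dropped from a stable update to keep the patch minimal.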
diff -Nru fig2dev-3.2.7a/debian/patches/47_trunc-subsuper.patch fig2dev-3.2.7a/debian/patches/47_trunc-subsuper.patch
--- fig2dev-3.2.7a/debian/patches/47_trunc-subsuper.patch	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.7a/debian/patches/47_trunc-subsuper.patch	2021-05-22 11:20:55.000000000 +0200
@@ -0,0 +1,71 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sat Apr 24 10:29:59 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/113/
+Bug: https://sourceforge.net/p/mcj/tickets/117/
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fig2dev/+bug/1926674
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/f8ce1ff8837056b12c046f56e3b5248b2c8eeaa1/
+Subject: Allow truncated sub/superscripts in text, #113, #117
+ For svg output, sub- and superscripts are indicated by the ^ and _
+ characters, respectively. A text string truncated right after these
+ characters caused buffer overflow. Fixes tickets #113 and #117.
+
+--- a/fig2dev/dev/gensvg.c
++++ b/fig2dev/dev/gensvg.c
+@@ -969,7 +969,7 @@ gensvg_text(F_text *t)
+ #endif
+ 		for (cp = (unsigned char *) t->cstring; *cp; cp++) {
+ 			ch = *cp;
+-			if (( supsub == 2 &&ch == '}' ) || supsub==1) {
++			if ((supsub == 2 && ch == '}') || supsub==1) {
+ #ifdef NOSUPER
+ 				fprintf(tfp,"</tspan><tspan dy=\"%d\">",-dy);
+ 				old_dy=-dy;
+@@ -983,6 +983,8 @@ gensvg_text(F_text *t)
+ 				}
+ 			}
+ 			if (ch == '_' || ch == '^') {
++				if (*(cp + 1) == '\0')
++					break;
+ 				supsub=1;
+ #ifdef NOSUPER
+ 				if (dy != 0)
+@@ -1007,6 +1009,8 @@ gensvg_text(F_text *t)
+ 				++cp;
+ 				ch = *cp;
+ 				if (ch == '{' ) {
++					if (*(cp + 1) == '\0')
++						break;
+ 					supsub=2;
+ 					++cp;
+ 					ch = *cp;
+--- a/fig2dev/tests/output.at
++++ b/fig2dev/tests/output.at
+@@ -155,6 +155,17 @@ AT_CHECK([SOURCE_DATE_EPOCH=1483564881 f
+ 	$srcdir/data/fillswclip.fig | diff - $srcdir/data/fillswclip.svg])
+ AT_CLEANUP
+ 
++AT_SETUP([truncated sub/superscript, tickets #113, #117])
++AT_KEYWORDS(read.c svg)
++AT_CHECK([fig2dev -L svg <<EOF
++#FIG 2
++1200 2
++4 2 0 0 1 0 0 0 6 110 376 0 0 ^
++4 2 0 0 1 0 0 0 6 110 376 0 200 ^{
++EOF
++], 0, ignore)
++AT_CLEANUP
++
+ 
+ AT_BANNER([Test tikz output language.])
+ 
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -136,7 +136,7 @@ A single point with a backward arrow - r
+ AT_CLEANUP
+ 
+ AT_SETUP([remove arrow tips on polygon with single point])
+-AT_KEYWORDS(read.c polygon)
++AT_KEYWORDS(read.c polygon svg)
+ AT_CHECK([fig2dev -L svg <<EOF
+ FIG_FILE_TOP
+ 2 3 0 1 -1 -1 50 -1 -1 0. 0 0 0 0 1 1
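Review bot: the two new `break`s leave the character loop as soon as a trailing `^`, `_` or `{` is seen, which stops the read past the terminator, but they also skip whatever the loop body normally does for the `supsub` state; confirm that a `<tspan>` opened by the `</tspan><tspan dy=...>` branch is still closed after the loop, otherwise truncated input yields unbalanced SVG and the new test would not notice, since it only checks the exit status with `ignore` for the output. Also, `AT_KEYWORDS(read.c svg)` on the new output.at test points at read.c, but the fix lives in dev/gensvg.c; `svg text` would be the more useful keyword.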
diff -Nru fig2dev-3.2.7a/debian/patches/48_arrow-point.patch fig2dev-3.2.7a/debian/patches/48_arrow-point.patch
--- fig2dev-3.2.7a/debian/patches/48_arrow-point.patch	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.7a/debian/patches/48_arrow-point.patch	2021-05-22 11:20:55.000000000 +0200
@@ -0,0 +1,54 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sat Apr 24 23:04:36 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/115/
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fig2dev/+bug/1926676
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/8c0917994e49110004a6632d0a66ea19501ad39d/
+Subject: Omit arrows without points in svg output, ticket #115
+
+--- a/fig2dev/dev/gensvg.c
++++ b/fig2dev/dev/gensvg.c
+@@ -1145,7 +1145,7 @@ svg_arrows(int line_thickness, F_arrow *
+ 	return true;
+     }
+ 
+-    if (for_arrow) {
++    if (for_arrow && fnpoints > 1) {
+ 	fputs("<!-- Forward arrow", tfp);
+ 	arrow_path(for_arrow, forw2, pen_color, fnpoints, fpoints,
+ 		fnfillpoints, ffillpoints
+@@ -1154,7 +1154,7 @@ svg_arrows(int line_thickness, F_arrow *
+ #endif
+ 		);
+     }
+-    if (back_arrow) {
++    if (back_arrow && bnpoints > 1) {
+ 	fputs("<!-- Backward arrow", tfp);
+ 	arrow_path(back_arrow, back2, pen_color, bnpoints, bpoints,
+ 		bnfillpoints, bfillpoints
+--- a/fig2dev/tests/output.at
++++ b/fig2dev/tests/output.at
+@@ -115,6 +115,7 @@ AT_CHECK([fig2dev -L pict2e -G0.2:1cm de
+ AT_CLEANUP
+ 
+ 
++
+ AT_BANNER([Test svg output language.])
+ AT_SETUP([compare patterns with template])
+ AT_KEYWORDS(svg pattern creationdate)
+@@ -166,6 +167,16 @@ EOF
+ ], 0, ignore)
+ AT_CLEANUP
+ 
++AT_SETUP([omit arrows without points, ticket #115])
++AT_KEYWORDS(svg arrow)
++AT_CHECK([fig2dev -L svg <<EOF
++FIG_FILE_TOP
++5 1 0 1 7 7 44 -1 6 0.000 0 1 1 1 50 -1 -1500 200 -1 7 50 -1  900 750 975
++	0 0 1.00 45.00 90.00
++	5 0 1.003 1426 1068 1426
++EOF], 0, ignore)
++AT_CLEANUP
++
+ 
+ AT_BANNER([Test tikz output language.])
+ 
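Review bot: the first output.at hunk only adds a blank line before `AT_BANNER([Test svg output language.])`, which is unrelated whitespace churn; drop it to keep the backport minimal. In the new test, `EOF], 0, ignore)` puts the heredoc terminator and the macro arguments on one line, unlike every other test in this file (`EOF` on its own line, then `], 0, ignore)`); make it consistent so the here-document boundary is obvious to the next reader.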
diff -Nru fig2dev-3.2.7a/debian/patches/series fig2dev-3.2.7a/debian/patches/series
--- fig2dev-3.2.7a/debian/patches/series	2020-01-07 19:53:09.000000000 +0100
+++ fig2dev-3.2.7a/debian/patches/series	2021-05-22 11:20:55.000000000 +0200
@@ -15,3 +15,8 @@
 41_CVE-2019-19555.patch
 42_CVE-2019-19746.patch
 43_fgets2getline.patch
+44_CVE-2021-3561.patch
+45_polygon2polyline.patch
+46_arroy-poly.patch
+47_trunc-subsuper.patch
+48_arrow-point.patch
diff -Nru fig2dev-3.2.7a/debian/rules fig2dev-3.2.7a/debian/rules
--- fig2dev-3.2.7a/debian/rules	2020-01-07 19:53:09.000000000 +0100
+++ fig2dev-3.2.7a/debian/rules	2021-05-22 11:20:55.000000000 +0200
@@ -21,6 +21,8 @@
 	fi
 
 	dh_auto_configure -- --enable-transfig
+# 	rebuild testsuite:
+	(cd fig2dev/tests; rm -f testsuite; make testsuite)
 
 override_dh_auto_build:
 	dh_auto_build
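Review bot: `(cd fig2dev/tests; rm -f testsuite; make testsuite)` chains with `;`, so if the `cd` fails the `rm -f testsuite` and `make testsuite` run in the package root instead; use `cd fig2dev/tests && rm -f testsuite && make testsuite` so a failure stops the recipe. The comment `# 	rebuild testsuite:` starts in column 0 and is therefore a makefile comment rather than part of the recipe, which is fine but differs from the tab-indented lines around it.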
diff -Nru fig2dev-3.2.7a/debian/salsa-ci.yml fig2dev-3.2.7a/debian/salsa-ci.yml
--- fig2dev-3.2.7a/debian/salsa-ci.yml	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.7a/debian/salsa-ci.yml	2021-05-22 11:20:55.000000000 +0200
@@ -0,0 +1,7 @@
+---
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'buster'
diff -Nru fig2dev-3.2.7a/debian/tests/fig2dev-testsuite fig2dev-3.2.7a/debian/tests/fig2dev-testsuite
--- fig2dev-3.2.7a/debian/tests/fig2dev-testsuite	2020-01-07 19:53:09.000000000 +0100
+++ fig2dev-3.2.7a/debian/tests/fig2dev-testsuite	2021-05-22 11:20:55.000000000 +0200
@@ -10,6 +10,9 @@
 dh_auto_configure >/dev/null 2>&1
 
 cd fig2dev/tests
+echo "Rebuild testsuite"
+rm -f testsuite
+make testsuite
 echo "Running check and installcheck" # (check builds check_PROGRAMS)
 make check installcheck
 
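Review bot: regenerating `testsuite` with `make testsuite` needs autom4te, so the test's Depends in debian/tests/control and the Build-Depends in debian/control for the matching rules change must pull in autoconf; neither file is part of this diff, so please confirm both already do. Also, if the script does not run under `set -e` (not visible in this hunk), a failed `make testsuite` falls through to `make check installcheck` on a missing testsuite; `make testsuite || exit 1` would make the failure explicit.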
