
Bug#988974: marked as done (buster-pu: package fig2dev/1:3.2.7a-5+deb10u4)

Your message dated Sat, 19 Jun 2021 10:56:39 +0100
with message-id <5c65c3ad2ac9b1b1f78bf73b1cf073041e619b51.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.10 point release
has caused the Debian Bug report #988974,
regarding buster-pu: package fig2dev/1:3.2.7a-5+deb10u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988974: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988974
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

I prepared an update for fig2dev 1:3.2.7a-5+deb10u3 to deb10u4, which
first of all fixes CVE-2021-3561 (the security team doesn't intend to
create a DSA but redirected me here).

Additionally it fixes four other buffer overflows, which are all fixed
upstream; I backported the fixes.

Lastly I added a mechanism that rebuilds the testsuite (used at build
time as well as in autopkgtest) to activate the tests that are added
by the above patches.

The salsa pipeline succeeded on this:
https://salsa.debian.org/debian/fig2dev/-/pipelines/256545

A diff against 3.2.7a-5+deb10u3 is attached.

Greetings
Roland

-- System Information:
Debian Release: 10.9
  APT prefers stable
  APT policy: (500, 'stable'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-16-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.utf-8, LC_CTYPE=de_DE.utf-8 (charmap=UTF-8), LANGUAGE=de_DE:de:en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru fig2dev-3.2.7a/debian/changelog fig2dev-3.2.7a/debian/changelog
--- fig2dev-3.2.7a/debian/changelog	2020-01-07 19:53:09.000000000 +0100
+++ fig2dev-3.2.7a/debian/changelog	2021-05-22 11:20:55.000000000 +0200
@@ -1,3 +1,16 @@
+fig2dev (1:3.2.7a-5+deb10u4) buster; urgency=medium
+
+  * 44_CVE-2021-3561: Fix buffer overflow color definitions.  This fixes
+    CVE-2021-3561.
+  * Rename gitlab.yml to salsa.yml to activate pipeline again.
+  * 45_polyline2polygon: Convert polygons having too few points to polylines.
+  * 46_arrow-poly: Remove arrows from polygon with single point.
+  * 47_trunc-subsuper: Allow truncated sub/superscripts in text.
+  * 48_arrow-point: Omit arrows without points in svg output.
+  * Rebuild testsuite during build and in autopkgtest.
+
+ -- Roland Rosenfeld <roland@debian.org>  Sat, 22 May 2021 11:20:55 +0200
+
 fig2dev (1:3.2.7a-5+deb10u3) buster; urgency=medium
 
   * 42_CVE-2019-19746: Reject huge arrow types causing integer overflow.
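Review bot: the patch names in this changelog entry do not match the files the same diff adds: `45_polyline2polygon` here versus `debian/patches/45_polygon2polyline.patch`, and `46_arrow-poly` versus `debian/patches/46_arroy-poly.patch` (which is also listed as `46_arroy-poly.patch` in `debian/patches/series`). Either rename the file to `46_arrow-poly.patch` and update `series`, or correct the changelog to the real file names, so the entry can be matched against the patch directory.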
diff -Nru fig2dev-3.2.7a/debian/gitlab-ci.yml fig2dev-3.2.7a/debian/gitlab-ci.yml
--- fig2dev-3.2.7a/debian/gitlab-ci.yml	2020-01-07 19:53:09.000000000 +0100
+++ fig2dev-3.2.7a/debian/gitlab-ci.yml	1970-01-01 01:00:00.000000000 +0100
@@ -1,7 +0,0 @@
----
-include:
-  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
-
-variables:
-  RELEASE: 'buster'
diff -Nru fig2dev-3.2.7a/debian/patches/44_CVE-2021-3561.patch fig2dev-3.2.7a/debian/patches/44_CVE-2021-3561.patch
--- fig2dev-3.2.7a/debian/patches/44_CVE-2021-3561.patch	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.7a/debian/patches/44_CVE-2021-3561.patch	2021-05-22 11:20:55.000000000 +0200
@@ -0,0 +1,61 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sun Apr 25 00:49:15 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/116/
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fig2dev/+bug/1926677
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/6827c09d2d6491cb2ae3ac7196439ff3aa791fd9/
+Subject: Sanitize color definitions, ticket #116 (CVE-2021-3561)
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -539,30 +539,37 @@ read_colordef(char *line, int line_no)
+ 
+ 	if (num_usr_cols >= MAX_USR_COLS) {
+ 		if (num_usr_cols == MAX_USR_COLS) {
+-			put_msg("Maximum number of color definitions (%d) exceeded at line %d.",
++			put_msg("Maximum number of color definitions (%d) "
++					"exceeded at line %d.",
+ 					MAX_USR_COLS, line_no);
+ 			++num_usr_cols;
+ 		}
+ 		/* ignore additional colors */
+ 		return;
+ 	}
+-	if (sscanf(line, "%*d %d #%2x%2x%2x", &c, &r, &g, &b) != 4) {
+-		if (c >= NUM_STD_COLS && c < NUM_STD_COLS + MAX_USR_COLS) {
+-			put_msg("Invalid color definition at line %d: %s, setting to black (#00000).",
+-					line_no, line);
+-			r = g = b = 0;
+-		} else {
+-			put_msg("User color number at line %d out of range (%d), should be between %d and %d.",
++	if (sscanf(line, "%*d %d #%2x%2x%2x", &c, &r, &g, &b) == 4) {
++		if (c >= NUM_STD_COLS && c < NUM_STD_COLS + MAX_USR_COLS &&
++				r >=0 && r < 256 && g >=0 && g < 256 &&
++				b >= 0 && b < 256 ) {
++			user_col_indx[num_usr_cols] = c;
++			user_colors[num_usr_cols].r = r;
++			user_colors[num_usr_cols].g = g;
++			user_colors[num_usr_cols].b = b;
++			++num_usr_cols;
++		} else if (c < NUM_STD_COLS || c >= NUM_STD_COLS+MAX_USR_COLS) {
++			put_msg("User color number at line %d out of range (%d)"
++					", should be between %d and %d.",
+ 					line_no, c, NUM_STD_COLS,
+ 					NUM_STD_COLS + MAX_USR_COLS - 1);
+-			return;
++		} else {
++			put_msg("Invalid color definition at line %d: %s, color"
++				       " values must be between 0 through 255.",
++								line_no, line);
+ 		}
++	} else {
++		put_msg("Invalid color definition at line %d: %s.",
++							line_no, line);
+ 	}
+-	user_col_indx[num_usr_cols] = c;
+-	user_colors[num_usr_cols].r = r;
+-	user_colors[num_usr_cols].g = g;
+-	user_colors[num_usr_cols].b = b;
+-	++num_usr_cols;
+ }
+ 
+ static void
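Review bot: this hunk closes the actual hole, since in the old code the `sscanf` success path had no range check at all, so a colour number `c` outside `NUM_STD_COLS .. NUM_STD_COLS + MAX_USR_COLS - 1` went straight into `user_col_indx[num_usr_cols] = c;`; only the failed-parse branch validated `c`, and even that fell through to the store with `r = g = b = 0` when `c` was in range. Two small points remain: `%2x` consumes at most two hex digits, so `r`, `g` and `b` can never leave 0..255 and that half of the new condition is defensive only (a one-line comment saying so would stop the next reader from hunting for the case it catches), and the new message should read "between 0 and 255" rather than "between 0 through 255".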
diff -Nru fig2dev-3.2.7a/debian/patches/45_polygon2polyline.patch fig2dev-3.2.7a/debian/patches/45_polygon2polyline.patch
--- fig2dev-3.2.7a/debian/patches/45_polygon2polyline.patch	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.7a/debian/patches/45_polygon2polyline.patch	2021-05-22 11:20:55.000000000 +0200
@@ -0,0 +1,62 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Wed Dec 11 21:36:46 2019 +0100
+Bug: https://sourceforge.net/p/mcj/tickets/56/
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/c379fe50574e5b5dd6e17f15d8473c5713d1b823/
+Subject: Convert polygons with too few points to polylines
+    
+    As a side effect, this also fixes ticket #56.
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -877,8 +877,10 @@ read_ellipseobject(char *line, int line_
+ /*
+  * Sanitize line objects. Return 0 on success, -1 otherwise.
+  * On error, call free_linestorage(l) after sanitize_lineobject().
++ *
+  * polylines: remove fill, if less than 3 points
+  *		remove arrows, if only one point
++ * polygons: convert to polyline if less than 3 unique points
+  * rectangles, polygons: last point must coincide with first point
+  * rectangle: convert to polygon, if not 5 points
+  * rectangle with rounded corners: error, if not 5 points
+@@ -939,6 +941,20 @@ sanitize_lineobject(
+ 	    q->y = l->points->y;
+ 	}
+ 
++	if (l->type == T_POLYGON) {
++		int	npts;
++
++		q = l->points;
++		for (npts = 1; q->next && npts < 4; q = q->next)
++			++npts;
++		if (npts < 4 ) {
++			put_msg("A polygon with %d points at line %d - convert to a polyline.",
++			npts, line_no);
++			l->type = T_POLYLINE;
++			return 0;
++		}
++	}
++
+ 	if (l->type == T_BOX || l->type == T_ARC_BOX || l->type == T_PIC_BOX) {
+ 	    int	npts = 1;
+ 	    for (q = l->points; q->next; q = q->next)
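Review bot: the new header comment says "convert to polyline if less than 3 unique points", but the loop counts listed points without comparing coordinates and converts when fewer than 4 are present; that is consistent with the rule two lines below (the last point of a polygon must coincide with the first), so the comment should say "fewer than 4 points, i.e. fewer than 3 unique points" to avoid suggesting a coordinate comparison. The message `"A polygon with %d points ..."` yields "1 points" for the single-point case, which is what the new test expects literally, so leave it unless the test is updated with it.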
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -135,6 +135,17 @@ A single point with a backward arrow - r
+ ])
+ AT_CLEANUP
+ 
++AT_SETUP([convert short polygon to polyline, ticket #56])
++AT_KEYWORDS(read.c polygon)
++AT_CHECK([fig2dev -L ptk <<EOF
++FIG_FILE_TOP
++2 3 0 1 -1 -1 50 -1 -1 0.0 0 0 -1 0 0 1
++	0 0
++EOF
++], 0, ignore, [A polygon with 1 points at line 11 - convert to a polyline.
++])
++AT_CLEANUP
++
+ AT_SETUP([reject negative font type])
+ AT_KEYWORDS(read.c font)
+ AT_CHECK([fig2dev -L box <<EOF
diff -Nru fig2dev-3.2.7a/debian/patches/46_arroy-poly.patch fig2dev-3.2.7a/debian/patches/46_arroy-poly.patch
--- fig2dev-3.2.7a/debian/patches/46_arroy-poly.patch	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.7a/debian/patches/46_arroy-poly.patch	2021-05-22 11:20:55.000000000 +0200
@@ -0,0 +1,61 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Fri Apr 23 22:31:27 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/114/
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fig2dev/+bug/1926673
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/43cfa693284b076e5d2cc100758a34b76db65e58/
+Subject: Remove arrows from polygon with single point, ticket #114
+ When sanitizing line objects, a polygon consisting of too few points is
+ converted to a polyline. With this commit, the resulting polyline is
+ also sanitized, e.g, by removing arrow tips if the line consists only of
+ a single point.
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -3,7 +3,7 @@
+  * Copyright (c) 1991 by Micah Beck
+  * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+  * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2020 by Thomas Loimer
++ * Parts Copyright (c) 2015-2021 by Thomas Loimer
+  *
+  * Any party obtaining a copy of these files is granted, free of charge, a
+  * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -951,6 +951,7 @@ sanitize_lineobject(
+ 			put_msg("A polygon with %d points at line %d - convert to a polyline.",
+ 			npts, line_no);
+ 			l->type = T_POLYLINE;
++			sanitize_lineobject(l, p, line_no);
+ 			return 0;
+ 		}
+ 	}
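Review bot: the return value of the recursive `sanitize_lineobject(l, p, line_no);` is discarded and the function then returns 0 unconditionally, although the contract stated in the function's comment block (added by 45_polygon2polyline.patch) is to return -1 on error so that the caller runs `free_linestorage(l)`. If the recursive pass rejects the resulting polyline, the caller still sees success. Suggest `return sanitize_lineobject(l, p, line_no);` in place of the two lines.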
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -121,7 +121,7 @@ EOF
+ ])
+ AT_CLEANUP
+ 
+-AT_SETUP([remove arrows tips from single point])
++AT_SETUP([remove arrow tips from single point])
+ AT_KEYWORDS(read.c polyline)
+ AT_CHECK([fig2dev -L pict2e <<EOF
+ FIG_FILE_TOP
+@@ -134,6 +134,19 @@ EOF
+ A single point with a backward arrow - remove the arrow.
+ ])
+ AT_CLEANUP
++
++AT_SETUP([remove arrow tips on polygon with single point])
++AT_KEYWORDS(read.c polygon)
++AT_CHECK([fig2dev -L svg <<EOF
++FIG_FILE_TOP
++2 3 0 1 -1 -1 50 -1 -1 0. 0 0 0 0 1 1
++	0 0 2. 120. 240.
++	0 0
++EOF
++],0,ignore,[A polygon with 1 points at line 12 - convert to a polyline.
++A single point with a backward arrow - remove the arrow.
++])
++AT_CLEANUP
+ 
+ AT_SETUP([convert short polygon to polyline, ticket #56])
+ AT_KEYWORDS(read.c polygon)
diff -Nru fig2dev-3.2.7a/debian/patches/47_trunc-subsuper.patch fig2dev-3.2.7a/debian/patches/47_trunc-subsuper.patch
--- fig2dev-3.2.7a/debian/patches/47_trunc-subsuper.patch	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.7a/debian/patches/47_trunc-subsuper.patch	2021-05-22 11:20:55.000000000 +0200
@@ -0,0 +1,71 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sat Apr 24 10:29:59 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/113/
+Bug: https://sourceforge.net/p/mcj/tickets/117/
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fig2dev/+bug/1926674
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/f8ce1ff8837056b12c046f56e3b5248b2c8eeaa1/
+Subject: Allow truncated sub/superscripts in text, #113, #117
+ For svg output, sub- and superscripts are indicated by the ^ and _
+ characters, respectively. A text string truncated right after these
+ characters caused buffer overflow. Fixes tickets #113 and #117.
+
+--- a/fig2dev/dev/gensvg.c
++++ b/fig2dev/dev/gensvg.c
+@@ -969,7 +969,7 @@ gensvg_text(F_text *t)
+ #endif
+ 		for (cp = (unsigned char *) t->cstring; *cp; cp++) {
+ 			ch = *cp;
+-			if (( supsub == 2 &&ch == '}' ) || supsub==1) {
++			if ((supsub == 2 && ch == '}') || supsub==1) {
+ #ifdef NOSUPER
+ 				fprintf(tfp,"</tspan><tspan dy=\"%d\">",-dy);
+ 				old_dy=-dy;
+@@ -983,6 +983,8 @@ gensvg_text(F_text *t)
+ 				}
+ 			}
+ 			if (ch == '_' || ch == '^') {
++				if (*(cp + 1) == '\0')
++					break;
+ 				supsub=1;
+ #ifdef NOSUPER
+ 				if (dy != 0)
+@@ -1007,6 +1009,8 @@ gensvg_text(F_text *t)
+ 				++cp;
+ 				ch = *cp;
+ 				if (ch == '{' ) {
++					if (*(cp + 1) == '\0')
++						break;
+ 					supsub=2;
+ 					++cp;
+ 					ch = *cp;
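Review bot: the two `break` statements are not symmetric. The first one (after `_`/`^`) exits before any state changes, but the second one (after `{`) fires after `supsub=1` has already been set and the `#ifdef NOSUPER` block between them may already have emitted an opening `<tspan>`, so whatever closes the tspan after the loop must cope with `supsub == 1` and no further text; a short comment at each `break` stating that the trailing marker is dropped deliberately would make the intent clear. The added test passes with `ignore` on stdout, so it checks only that fig2dev no longer crashes and would not catch an unclosed `<tspan>`; comparing the output against an expected SVG would pin both.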
+--- a/fig2dev/tests/output.at
++++ b/fig2dev/tests/output.at
+@@ -155,6 +155,17 @@ AT_CHECK([SOURCE_DATE_EPOCH=1483564881 f
+ 	$srcdir/data/fillswclip.fig | diff - $srcdir/data/fillswclip.svg])
+ AT_CLEANUP
+ 
++AT_SETUP([truncated sub/superscript, tickets #113, #117])
++AT_KEYWORDS(read.c svg)
++AT_CHECK([fig2dev -L svg <<EOF
++#FIG 2
++1200 2
++4 2 0 0 1 0 0 0 6 110 376 0 0 ^
++4 2 0 0 1 0 0 0 6 110 376 0 200 ^{
++EOF
++], 0, ignore)
++AT_CLEANUP
++
+ 
+ AT_BANNER([Test tikz output language.])
+ 
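Review bot: `AT_KEYWORDS(read.c svg)` tags the new test with `read.c`, but the code being exercised is `fig2dev/dev/gensvg.c`; use `gensvg.c svg` (or just `svg`) so that running the testsuite with `-k` selects the right group.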
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -136,7 +136,7 @@ A single point with a backward arrow - r
+ AT_CLEANUP
+ 
+ AT_SETUP([remove arrow tips on polygon with single point])
+-AT_KEYWORDS(read.c polygon)
++AT_KEYWORDS(read.c polygon svg)
+ AT_CHECK([fig2dev -L svg <<EOF
+ FIG_FILE_TOP
+ 2 3 0 1 -1 -1 50 -1 -1 0. 0 0 0 0 1 1
diff -Nru fig2dev-3.2.7a/debian/patches/48_arrow-point.patch fig2dev-3.2.7a/debian/patches/48_arrow-point.patch
--- fig2dev-3.2.7a/debian/patches/48_arrow-point.patch	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.7a/debian/patches/48_arrow-point.patch	2021-05-22 11:20:55.000000000 +0200
@@ -0,0 +1,54 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sat Apr 24 23:04:36 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/115/
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fig2dev/+bug/1926676
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/8c0917994e49110004a6632d0a66ea19501ad39d/
+Subject: Omit arrows without points in svg output, ticket #115
+
+--- a/fig2dev/dev/gensvg.c
++++ b/fig2dev/dev/gensvg.c
+@@ -1145,7 +1145,7 @@ svg_arrows(int line_thickness, F_arrow *
+ 	return true;
+     }
+ 
+-    if (for_arrow) {
++    if (for_arrow && fnpoints > 1) {
+ 	fputs("<!-- Forward arrow", tfp);
+ 	arrow_path(for_arrow, forw2, pen_color, fnpoints, fpoints,
+ 		fnfillpoints, ffillpoints
+@@ -1154,7 +1154,7 @@ svg_arrows(int line_thickness, F_arrow *
+ #endif
+ 		);
+     }
+-    if (back_arrow) {
++    if (back_arrow && bnpoints > 1) {
+ 	fputs("<!-- Backward arrow", tfp);
+ 	arrow_path(back_arrow, back2, pen_color, bnpoints, bpoints,
+ 		bnfillpoints, bfillpoints
+--- a/fig2dev/tests/output.at
++++ b/fig2dev/tests/output.at
+@@ -115,6 +115,7 @@ AT_CHECK([fig2dev -L pict2e -G0.2:1cm de
+ AT_CLEANUP
+ 
+ 
++
+ AT_BANNER([Test svg output language.])
+ AT_SETUP([compare patterns with template])
+ AT_KEYWORDS(svg pattern creationdate)
+@@ -166,6 +167,16 @@ EOF
+ ], 0, ignore)
+ AT_CLEANUP
+ 
++AT_SETUP([omit arrows without points, ticket #115])
++AT_KEYWORDS(svg arrow)
++AT_CHECK([fig2dev -L svg <<EOF
++FIG_FILE_TOP
++5 1 0 1 7 7 44 -1 6 0.000 0 1 1 1 50 -1 -1500 200 -1 7 50 -1  900 750 975
++	0 0 1.00 45.00 90.00
++	5 0 1.003 1426 1068 1426
++EOF], 0, ignore)
++AT_CLEANUP
++
+ 
+ AT_BANNER([Test tikz output language.])
+ 
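Review bot: the here-document terminator is written as `EOF], 0, ignore)` on one line, unlike every other test in these files where `EOF` stands alone and the AT_CHECK arguments follow on the next line; put `EOF` on its own line for consistency and so the shell sees the delimiter in the usual form. The preceding hunk in this file (`@@ -115,6 +115,7 @@`) only adds a blank line and could be dropped from the backport to keep the diff minimal.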
diff -Nru fig2dev-3.2.7a/debian/patches/series fig2dev-3.2.7a/debian/patches/series
--- fig2dev-3.2.7a/debian/patches/series	2020-01-07 19:53:09.000000000 +0100
+++ fig2dev-3.2.7a/debian/patches/series	2021-05-22 11:20:55.000000000 +0200
@@ -15,3 +15,8 @@
 41_CVE-2019-19555.patch
 42_CVE-2019-19746.patch
 43_fgets2getline.patch
+44_CVE-2021-3561.patch
+45_polygon2polyline.patch
+46_arroy-poly.patch
+47_trunc-subsuper.patch
+48_arrow-point.patch
diff -Nru fig2dev-3.2.7a/debian/rules fig2dev-3.2.7a/debian/rules
--- fig2dev-3.2.7a/debian/rules	2020-01-07 19:53:09.000000000 +0100
+++ fig2dev-3.2.7a/debian/rules	2021-05-22 11:20:55.000000000 +0200
@@ -21,6 +21,8 @@
 	fi
 
 	dh_auto_configure -- --enable-transfig
+# 	rebuild testsuite:
+	(cd fig2dev/tests; rm -f testsuite; make testsuite)
 
 override_dh_auto_build:
 	dh_auto_build
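Review bot: `make testsuite` in `fig2dev/tests` regenerates the autotest script, which normally runs autom4te, so the package build now needs autoconf available at build time; nothing in this diff touches `debian/control`, so confirm it is already in Build-Depends (the passing salsa pipeline suggests so, but it is worth stating in the changelog). The `#` comment line itself is fine: it starts with `#` rather than a tab, so make treats it as a makefile comment and never hands it to the shell.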
diff -Nru fig2dev-3.2.7a/debian/salsa-ci.yml fig2dev-3.2.7a/debian/salsa-ci.yml
--- fig2dev-3.2.7a/debian/salsa-ci.yml	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.7a/debian/salsa-ci.yml	2021-05-22 11:20:55.000000000 +0200
@@ -0,0 +1,7 @@
+---
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'buster'
diff -Nru fig2dev-3.2.7a/debian/tests/fig2dev-testsuite fig2dev-3.2.7a/debian/tests/fig2dev-testsuite
--- fig2dev-3.2.7a/debian/tests/fig2dev-testsuite	2020-01-07 19:53:09.000000000 +0100
+++ fig2dev-3.2.7a/debian/tests/fig2dev-testsuite	2021-05-22 11:20:55.000000000 +0200
@@ -10,6 +10,9 @@
 dh_auto_configure >/dev/null 2>&1
 
 cd fig2dev/tests
+echo "Rebuild testsuite"
+rm -f testsuite
+make testsuite
 echo "Running check and installcheck" # (check builds check_PROGRAMS)
 make check installcheck
 
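Review bot: same point as for `debian/rules`: `make testsuite` here runs inside the autopkgtest, so `debian/tests/control` must list autoconf (or whatever provides autom4te) among the test dependencies; that file does not appear in this diff, so please verify. Since the script uses `rm -f testsuite` followed by `make testsuite`, a failure in regeneration is only caught if the script runs with `set -e` or checks the exit status.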

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.10

Hi,

Each of the updates referenced in these bugs was included in the 10.10
point release today.

Regards,

Adam

--- End Message ---
