--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package fig2dev/1:3.2.7a-5+deb10u4
- From: Roland Rosenfeld <roland@spinnaker.de>
- Date: Sat, 22 May 2021 11:47:47 +0200
- Message-id: <20210522094747.GA4779@dinghy.sail.spinnaker.de>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
I prepared an update for fig2dev 1:3.2.7a-5+deb10u3 to deb10u4, which
first of all fixes CVE-2021-3561 (the security team doesn't
intend to create a DSA but redirected me here).
Additionally, it fixes four other buffer overflows that are all fixed
upstream; I backported the fixes.
Lastly, I added a mechanism that rebuilds the testsuite (used at build
time as well as in autopkgtest) to activate the tests that are added
by the above patches.
The salsa pipeline succeeded on this:
https://salsa.debian.org/debian/fig2dev/-/pipelines/256545
A diff against 3.2.7a-5+deb10u3 is attached.
Greetings
Roland
-- System Information:
Debian Release: 10.9
APT prefers stable
APT policy: (500, 'stable'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-16-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.utf-8, LC_CTYPE=de_DE.utf-8 (charmap=UTF-8), LANGUAGE=de_DE:de:en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru fig2dev-3.2.7a/debian/changelog fig2dev-3.2.7a/debian/changelog
--- fig2dev-3.2.7a/debian/changelog 2020-01-07 19:53:09.000000000 +0100
+++ fig2dev-3.2.7a/debian/changelog 2021-05-22 11:20:55.000000000 +0200
@@ -1,3 +1,16 @@
+fig2dev (1:3.2.7a-5+deb10u4) buster; urgency=medium
+
+ * 44_CVE-2021-3561: Fix buffer overflow color definitions. This fixes
+ CVE-2021-3561.
+ * Rename gitlab.yml to salsa.yml to activate pipeline again.
+ * 45_polyline2polygon: Convert polygons having too few points to polylines.
+ * 46_arrow-poly: Remove arrows from polygon with single point.
+ * 47_trunc-subsuper: Allow truncated sub/superscripts in text.
+ * 48_arrow-point: Omit arrows without points in svg output.
+ * Rebuild testsuite during build and in autopkgtest.
+
+ -- Roland Rosenfeld <roland@debian.org> Sat, 22 May 2021 11:20:55 +0200
+
fig2dev (1:3.2.7a-5+deb10u3) buster; urgency=medium
* 42_CVE-2019-19746: Reject huge arrow types causing integer overflow.
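Review bot: the patch names in this changelog entry do not match the files added later in this debdiff: the entry says 45_polyline2polygon while the file and debian/patches/series use 45_polygon2polyline.patch, and 46_arrow-poly while the file is 46_arroy-poly.patch (the file name looks like a typo for "arrow"); pick one spelling and use it in the changelog, the patch file name and series. The first bullet, "Fix buffer overflow color definitions", is also missing a word and should read "Fix buffer overflow in color definitions".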
diff -Nru fig2dev-3.2.7a/debian/gitlab-ci.yml fig2dev-3.2.7a/debian/gitlab-ci.yml
--- fig2dev-3.2.7a/debian/gitlab-ci.yml 2020-01-07 19:53:09.000000000 +0100
+++ fig2dev-3.2.7a/debian/gitlab-ci.yml 1970-01-01 01:00:00.000000000 +0100
@@ -1,7 +0,0 @@
----
-include:
- - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
-
-variables:
- RELEASE: 'buster'
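Review bot: this is a pure rename: the seven removed lines are identical to the debian/salsa-ci.yml added at the end of this debdiff, so the CI configuration itself is unchanged and only the file name that Salsa picks up changes, as the changelog bullet describes. Nothing to fix, just noting that no pipeline settings were altered along the way.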
diff -Nru fig2dev-3.2.7a/debian/patches/44_CVE-2021-3561.patch fig2dev-3.2.7a/debian/patches/44_CVE-2021-3561.patch
--- fig2dev-3.2.7a/debian/patches/44_CVE-2021-3561.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.7a/debian/patches/44_CVE-2021-3561.patch 2021-05-22 11:20:55.000000000 +0200
@@ -0,0 +1,61 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sun Apr 25 00:49:15 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/116/
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fig2dev/+bug/1926677
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/6827c09d2d6491cb2ae3ac7196439ff3aa791fd9/
+Subject: Sanitize color definitions, ticket #116 (CVE-2021-3561)
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -539,30 +539,37 @@ read_colordef(char *line, int line_no)
+
+ if (num_usr_cols >= MAX_USR_COLS) {
+ if (num_usr_cols == MAX_USR_COLS) {
+- put_msg("Maximum number of color definitions (%d) exceeded at line %d.",
++ put_msg("Maximum number of color definitions (%d) "
++ "exceeded at line %d.",
+ MAX_USR_COLS, line_no);
+ ++num_usr_cols;
+ }
+ /* ignore additional colors */
+ return;
+ }
+- if (sscanf(line, "%*d %d #%2x%2x%2x", &c, &r, &g, &b) != 4) {
+- if (c >= NUM_STD_COLS && c < NUM_STD_COLS + MAX_USR_COLS) {
+- put_msg("Invalid color definition at line %d: %s, setting to black (#00000).",
+- line_no, line);
+- r = g = b = 0;
+- } else {
+- put_msg("User color number at line %d out of range (%d), should be between %d and %d.",
++ if (sscanf(line, "%*d %d #%2x%2x%2x", &c, &r, &g, &b) == 4) {
++ if (c >= NUM_STD_COLS && c < NUM_STD_COLS + MAX_USR_COLS &&
++ r >=0 && r < 256 && g >=0 && g < 256 &&
++ b >= 0 && b < 256 ) {
++ user_col_indx[num_usr_cols] = c;
++ user_colors[num_usr_cols].r = r;
++ user_colors[num_usr_cols].g = g;
++ user_colors[num_usr_cols].b = b;
++ ++num_usr_cols;
++ } else if (c < NUM_STD_COLS || c >= NUM_STD_COLS+MAX_USR_COLS) {
++ put_msg("User color number at line %d out of range (%d)"
++ ", should be between %d and %d.",
+ line_no, c, NUM_STD_COLS,
+ NUM_STD_COLS + MAX_USR_COLS - 1);
+- return;
++ } else {
++ put_msg("Invalid color definition at line %d: %s, color"
++ " values must be between 0 through 255.",
++ line_no, line);
+ }
++ } else {
++ put_msg("Invalid color definition at line %d: %s.",
++ line_no, line);
+ }
+- user_col_indx[num_usr_cols] = c;
+- user_colors[num_usr_cols].r = r;
+- user_colors[num_usr_cols].g = g;
+- user_colors[num_usr_cols].b = b;
+- ++num_usr_cols;
+ }
+
+ static void
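Review bot: no regression test accompanies this fix, whereas patches 45 to 48 each add a read.at or output.at case; a read.at case feeding one colour definition with an out-of-range colour number and one with a non-hex value, expecting the two new put_msg texts, would lock the behaviour in and would also exercise the rebuilt testsuite this upload introduces. The behaviour change deserves a sentence in the patch header as well: the old code substituted black for an unparsable definition and still registered the colour number, whereas the new code stores a definition only in the `== 4` branch with both range checks satisfied and drops it otherwise, so a figure referencing that colour number now hits an undefined user colour; confirm the lookup side copes with that. Minor style: `r >=0` and `g >=0` want a space before the 0, and the range checks on r, g and b can never fail for values read with `%2x` (at most two hex digits), though they cost nothing as defence in depth.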
diff -Nru fig2dev-3.2.7a/debian/patches/45_polygon2polyline.patch fig2dev-3.2.7a/debian/patches/45_polygon2polyline.patch
--- fig2dev-3.2.7a/debian/patches/45_polygon2polyline.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.7a/debian/patches/45_polygon2polyline.patch 2021-05-22 11:20:55.000000000 +0200
@@ -0,0 +1,62 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Wed Dec 11 21:36:46 2019 +0100
+Bug: https://sourceforge.net/p/mcj/tickets/56/
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/c379fe50574e5b5dd6e17f15d8473c5713d1b823/
+Subject: Convert polygons with too few points to polylines
+
+ As a side effect, this also fixes ticket #56.
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -877,8 +877,10 @@ read_ellipseobject(char *line, int line_
+ /*
+ * Sanitize line objects. Return 0 on success, -1 otherwise.
+ * On error, call free_linestorage(l) after sanitize_lineobject().
++ *
+ * polylines: remove fill, if less than 3 points
+ * remove arrows, if only one point
++ * polygons: convert to polyline if less than 3 unique points
+ * rectangles, polygons: last point must coincide with first point
+ * rectangle: convert to polygon, if not 5 points
+ * rectangle with rounded corners: error, if not 5 points
+@@ -939,6 +941,20 @@ sanitize_lineobject(
+ q->y = l->points->y;
+ }
+
++ if (l->type == T_POLYGON) {
++ int npts;
++
++ q = l->points;
++ for (npts = 1; q->next && npts < 4; q = q->next)
++ ++npts;
++ if (npts < 4 ) {
++ put_msg("A polygon with %d points at line %d - convert to a polyline.",
++ npts, line_no);
++ l->type = T_POLYLINE;
++ return 0;
++ }
++ }
++
+ if (l->type == T_BOX || l->type == T_ARC_BOX || l->type == T_PIC_BOX) {
+ int npts = 1;
+ for (q = l->points; q->next; q = q->next)
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -135,6 +135,17 @@ A single point with a backward arrow - r
+ ])
+ AT_CLEANUP
+
++AT_SETUP([convert short polygon to polyline, ticket #56])
++AT_KEYWORDS(read.c polygon)
++AT_CHECK([fig2dev -L ptk <<EOF
++FIG_FILE_TOP
++2 3 0 1 -1 -1 50 -1 -1 0.0 0 0 -1 0 0 1
++ 0 0
++EOF
++], 0, ignore, [A polygon with 1 points at line 11 - convert to a polyline.
++])
++AT_CLEANUP
++
+ AT_SETUP([reject negative font type])
+ AT_KEYWORDS(read.c font)
+ AT_CHECK([fig2dev -L box <<EOF
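Review bot: in the new T_POLYGON block, `return 0;` immediately after `l->type = T_POLYLINE;` leaves sanitize_lineobject before the polyline checks run, so the converted object never gets the treatment the header comment promises for polylines (fill removed below 3 points, arrows removed for a single point); either fall through to those checks or re-run the function on the converted object. The comment says "less than 3 unique points" while the loop counts listed points and tests `npts < 4`; that is only equivalent because a polygon repeats its first point as its last, which is worth stating next to the loop. Also "A polygon with 1 points" in put_msg and in the expected test output is ungrammatical for the singular case.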
diff -Nru fig2dev-3.2.7a/debian/patches/46_arroy-poly.patch fig2dev-3.2.7a/debian/patches/46_arroy-poly.patch
--- fig2dev-3.2.7a/debian/patches/46_arroy-poly.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.7a/debian/patches/46_arroy-poly.patch 2021-05-22 11:20:55.000000000 +0200
@@ -0,0 +1,61 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Fri Apr 23 22:31:27 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/114/
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fig2dev/+bug/1926673
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/43cfa693284b076e5d2cc100758a34b76db65e58/
+Subject: Remove arrows from polygon with single point, ticket #114
+ When sanitizing line objects, a polygon consisting of too few points is
+ converted to a polyline. With this commit, the resulting polyline is
+ also sanitized, e.g, by removing arrow tips if the line consists only of
+ a single point.
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -3,7 +3,7 @@
+ * Copyright (c) 1991 by Micah Beck
+ * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+ * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2020 by Thomas Loimer
++ * Parts Copyright (c) 2015-2021 by Thomas Loimer
+ *
+ * Any party obtaining a copy of these files is granted, free of charge, a
+ * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -951,6 +951,7 @@ sanitize_lineobject(
+ put_msg("A polygon with %d points at line %d - convert to a polyline.",
+ npts, line_no);
+ l->type = T_POLYLINE;
++ sanitize_lineobject(l, p, line_no);
+ return 0;
+ }
+ }
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -121,7 +121,7 @@ EOF
+ ])
+ AT_CLEANUP
+
+-AT_SETUP([remove arrows tips from single point])
++AT_SETUP([remove arrow tips from single point])
+ AT_KEYWORDS(read.c polyline)
+ AT_CHECK([fig2dev -L pict2e <<EOF
+ FIG_FILE_TOP
+@@ -134,6 +134,19 @@ EOF
+ A single point with a backward arrow - remove the arrow.
+ ])
+ AT_CLEANUP
++
++AT_SETUP([remove arrow tips on polygon with single point])
++AT_KEYWORDS(read.c polygon)
++AT_CHECK([fig2dev -L svg <<EOF
++FIG_FILE_TOP
++2 3 0 1 -1 -1 50 -1 -1 0. 0 0 0 0 1 1
++ 0 0 2. 120. 240.
++ 0 0
++EOF
++],0,ignore,[A polygon with 1 points at line 12 - convert to a polyline.
++A single point with a backward arrow - remove the arrow.
++])
++AT_CLEANUP
+
+ AT_SETUP([convert short polygon to polyline, ticket #56])
+ AT_KEYWORDS(read.c polygon)
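Review bot: the added `sanitize_lineobject(l, p, line_no);` is followed by the existing `return 0;`, which discards the result of sanitizing the converted polyline; since the function is documented to return -1 on error (with the caller then expected to call free_linestorage), this should be `return sanitize_lineobject(l, p, line_no);` so a failure on the polyline path reaches the caller. The file name 46_arroy-poly.patch looks like a typo for "arrow" and the changelog spells it 46_arrow-poly, so rename it. The copyright-year hunk at the top of read.c is unrelated to the fix and could be dropped from a stable backport, although it is harmless.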
diff -Nru fig2dev-3.2.7a/debian/patches/47_trunc-subsuper.patch fig2dev-3.2.7a/debian/patches/47_trunc-subsuper.patch
--- fig2dev-3.2.7a/debian/patches/47_trunc-subsuper.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.7a/debian/patches/47_trunc-subsuper.patch 2021-05-22 11:20:55.000000000 +0200
@@ -0,0 +1,71 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sat Apr 24 10:29:59 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/113/
+Bug: https://sourceforge.net/p/mcj/tickets/117/
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fig2dev/+bug/1926674
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/f8ce1ff8837056b12c046f56e3b5248b2c8eeaa1/
+Subject: Allow truncated sub/superscripts in text, #113, #117
+ For svg output, sub- and superscripts are indicated by the ^ and _
+ characters, respectively. A text string truncated right after these
+ characters caused buffer overflow. Fixes tickets #113 and #117.
+
+--- a/fig2dev/dev/gensvg.c
++++ b/fig2dev/dev/gensvg.c
+@@ -969,7 +969,7 @@ gensvg_text(F_text *t)
+ #endif
+ for (cp = (unsigned char *) t->cstring; *cp; cp++) {
+ ch = *cp;
+- if (( supsub == 2 &&ch == '}' ) || supsub==1) {
++ if ((supsub == 2 && ch == '}') || supsub==1) {
+ #ifdef NOSUPER
+ fprintf(tfp,"</tspan><tspan dy=\"%d\">",-dy);
+ old_dy=-dy;
+@@ -983,6 +983,8 @@ gensvg_text(F_text *t)
+ }
+ }
+ if (ch == '_' || ch == '^') {
++ if (*(cp + 1) == '\0')
++ break;
+ supsub=1;
+ #ifdef NOSUPER
+ if (dy != 0)
+@@ -1007,6 +1009,8 @@ gensvg_text(F_text *t)
+ ++cp;
+ ch = *cp;
+ if (ch == '{' ) {
++ if (*(cp + 1) == '\0')
++ break;
+ supsub=2;
+ ++cp;
+ ch = *cp;
+--- a/fig2dev/tests/output.at
++++ b/fig2dev/tests/output.at
+@@ -155,6 +155,17 @@ AT_CHECK([SOURCE_DATE_EPOCH=1483564881 f
+ $srcdir/data/fillswclip.fig | diff - $srcdir/data/fillswclip.svg])
+ AT_CLEANUP
+
++AT_SETUP([truncated sub/superscript, tickets #113, #117])
++AT_KEYWORDS(read.c svg)
++AT_CHECK([fig2dev -L svg <<EOF
++#FIG 2
++1200 2
++4 2 0 0 1 0 0 0 6 110 376 0 0 ^
++4 2 0 0 1 0 0 0 6 110 376 0 200 ^{
++EOF
++], 0, ignore)
++AT_CLEANUP
++
+
+ AT_BANNER([Test tikz output language.])
+
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -136,7 +136,7 @@ A single point with a backward arrow - r
+ AT_CLEANUP
+
+ AT_SETUP([remove arrow tips on polygon with single point])
+-AT_KEYWORDS(read.c polygon)
++AT_KEYWORDS(read.c polygon svg)
+ AT_CHECK([fig2dev -L svg <<EOF
+ FIG_FILE_TOP
+ 2 3 0 1 -1 -1 50 -1 -1 0. 0 0 0 0 1 1
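Review bot: the two `break` statements leave the character loop as soon as a `^`, `_` or `^{` is the last thing in the string, but supsub may still describe an open <tspan> from an earlier sub- or superscript (the visible NOSUPER branch emits `</tspan><tspan dy=...>` pairs); confirm the code after the loop closes any open tspan, otherwise a truncated string produces unbalanced svg. Silently dropping the dangling marker is acceptable once that holds. In the new output.at test, `AT_KEYWORDS(read.c svg)` names read.c although the change is in dev/gensvg.c; use `gensvg.c svg` (or just `svg`) so keyword-based test selection stays meaningful.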
diff -Nru fig2dev-3.2.7a/debian/patches/48_arrow-point.patch fig2dev-3.2.7a/debian/patches/48_arrow-point.patch
--- fig2dev-3.2.7a/debian/patches/48_arrow-point.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.7a/debian/patches/48_arrow-point.patch 2021-05-22 11:20:55.000000000 +0200
@@ -0,0 +1,54 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sat Apr 24 23:04:36 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/115/
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fig2dev/+bug/1926676
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/8c0917994e49110004a6632d0a66ea19501ad39d/
+Subject: Omit arrows without points in svg output, ticket #115
+
+--- a/fig2dev/dev/gensvg.c
++++ b/fig2dev/dev/gensvg.c
+@@ -1145,7 +1145,7 @@ svg_arrows(int line_thickness, F_arrow *
+ return true;
+ }
+
+- if (for_arrow) {
++ if (for_arrow && fnpoints > 1) {
+ fputs("<!-- Forward arrow", tfp);
+ arrow_path(for_arrow, forw2, pen_color, fnpoints, fpoints,
+ fnfillpoints, ffillpoints
+@@ -1154,7 +1154,7 @@ svg_arrows(int line_thickness, F_arrow *
+ #endif
+ );
+ }
+- if (back_arrow) {
++ if (back_arrow && bnpoints > 1) {
+ fputs("<!-- Backward arrow", tfp);
+ arrow_path(back_arrow, back2, pen_color, bnpoints, bpoints,
+ bnfillpoints, bfillpoints
+--- a/fig2dev/tests/output.at
++++ b/fig2dev/tests/output.at
+@@ -115,6 +115,7 @@ AT_CHECK([fig2dev -L pict2e -G0.2:1cm de
+ AT_CLEANUP
+
+
++
+ AT_BANNER([Test svg output language.])
+ AT_SETUP([compare patterns with template])
+ AT_KEYWORDS(svg pattern creationdate)
+@@ -166,6 +167,16 @@ EOF
+ ], 0, ignore)
+ AT_CLEANUP
+
++AT_SETUP([omit arrows without points, ticket #115])
++AT_KEYWORDS(svg arrow)
++AT_CHECK([fig2dev -L svg <<EOF
++FIG_FILE_TOP
++5 1 0 1 7 7 44 -1 6 0.000 0 1 1 1 50 -1 -1500 200 -1 7 50 -1 900 750 975
++ 0 0 1.00 45.00 90.00
++ 5 0 1.003 1426 1068 1426
++EOF], 0, ignore)
++AT_CLEANUP
++
+
+ AT_BANNER([Test tikz output language.])
+
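Review bot: the hunk at output.at line 115 only inserts a blank line and is unrelated to the fix; drop it so the stable diff stays minimal. In the new test the heredoc terminator and the closing bracket share a line (`EOF], 0, ignore)`) while every sibling test puts `EOF` and `],` on separate lines; it works after m4 expansion but is easy to misread, so match the surrounding style. The `fnpoints > 1` and `bnpoints > 1` guards themselves are the right shape for skipping an arrow whose path has no usable points.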
diff -Nru fig2dev-3.2.7a/debian/patches/series fig2dev-3.2.7a/debian/patches/series
--- fig2dev-3.2.7a/debian/patches/series 2020-01-07 19:53:09.000000000 +0100
+++ fig2dev-3.2.7a/debian/patches/series 2021-05-22 11:20:55.000000000 +0200
@@ -15,3 +15,8 @@
41_CVE-2019-19555.patch
42_CVE-2019-19746.patch
43_fgets2getline.patch
+44_CVE-2021-3561.patch
+45_polygon2polyline.patch
+46_arroy-poly.patch
+47_trunc-subsuper.patch
+48_arrow-point.patch
diff -Nru fig2dev-3.2.7a/debian/rules fig2dev-3.2.7a/debian/rules
--- fig2dev-3.2.7a/debian/rules 2020-01-07 19:53:09.000000000 +0100
+++ fig2dev-3.2.7a/debian/rules 2021-05-22 11:20:55.000000000 +0200
@@ -21,6 +21,8 @@
fi
dh_auto_configure -- --enable-transfig
+# rebuild testsuite:
+ (cd fig2dev/tests; rm -f testsuite; make testsuite)
override_dh_auto_build:
dh_auto_build
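Review bot: `(cd fig2dev/tests; rm -f testsuite; make testsuite)` chains with `;`, so if the cd ever fails the rm and make run in the package root instead; write it as `cd fig2dev/tests && rm -f testsuite && make testsuite`. Regenerating testsuite runs autom4te, so autoconf must be in Build-Depends; debian/control is not part of this diff, so confirm it is already declared there rather than relying on it being pulled in indirectly.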
diff -Nru fig2dev-3.2.7a/debian/salsa-ci.yml fig2dev-3.2.7a/debian/salsa-ci.yml
--- fig2dev-3.2.7a/debian/salsa-ci.yml 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.7a/debian/salsa-ci.yml 2021-05-22 11:20:55.000000000 +0200
@@ -0,0 +1,7 @@
+---
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'buster'
diff -Nru fig2dev-3.2.7a/debian/tests/fig2dev-testsuite fig2dev-3.2.7a/debian/tests/fig2dev-testsuite
--- fig2dev-3.2.7a/debian/tests/fig2dev-testsuite 2020-01-07 19:53:09.000000000 +0100
+++ fig2dev-3.2.7a/debian/tests/fig2dev-testsuite 2021-05-22 11:20:55.000000000 +0200
@@ -10,6 +10,9 @@
dh_auto_configure >/dev/null 2>&1
cd fig2dev/tests
+echo "Rebuild testsuite"
+rm -f testsuite
+make testsuite
echo "Running check and installcheck" # (check builds check_PROGRAMS)
make check installcheck
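Review bot: the autopkgtest now regenerates testsuite with `make testsuite`, which needs autom4te (autoconf) on the test system; debian/tests/control is not in this diff, so confirm its Depends already covers autoconf. Unless the script already runs under `set -e`, also chain `rm -f testsuite && make testsuite` so a failed regeneration does not fall through to `make check installcheck` with a stale or missing testsuite, which would report a misleading result.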
--- End Message ---