Bug#987894: unblock: fig2dev/1:3.2.8-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package fig2dev
This new version consists of four small security-related patches
provided by the upstream author that fix some buffer overflows and a null
pointer issue.
I had hoped that the package would migrate after 20 days, but just
noticed that it is blocked because it is a key package (according to
popcon), so please unblock the migration before the release.
A diff from 3.2.8-2 is attached.
Greetings
Roland
unblock fig2dev/1:3.2.8-3
diff -Nru fig2dev-3.2.8/debian/changelog fig2dev-3.2.8/debian/changelog
--- fig2dev-3.2.8/debian/changelog 2021-02-06 12:59:35.000000000 +0100
+++ fig2dev-3.2.8/debian/changelog 2021-04-30 11:28:30.000000000 +0200
@@ -1,3 +1,12 @@
+fig2dev (1:3.2.8-3) unstable; urgency=medium
+
+ * 30_arrow-poly: Remove arrows from polygon with single point.
+ * 31_trunc-subsuper: Allow truncated sub/superscripts in text.
+ * 32_arrow-point: Omit arrows without points in svg output.
+ * 33_sanitize-color: Sanitize color definitions.
+
+ -- Roland Rosenfeld <roland@debian.org> Fri, 30 Apr 2021 11:28:30 +0200
+
fig2dev (1:3.2.8-2) unstable; urgency=medium
[ Helmut Grohne ]
diff -Nru fig2dev-3.2.8/debian/patches/30_arrow-poly.patch fig2dev-3.2.8/debian/patches/30_arrow-poly.patch
--- fig2dev-3.2.8/debian/patches/30_arrow-poly.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8/debian/patches/30_arrow-poly.patch 2021-04-30 11:28:30.000000000 +0200
@@ -0,0 +1,70 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Fri Apr 23 22:31:27 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/114/
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fig2dev/+bug/1926673
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/43cfa693284b076e5d2cc100758a34b76db65e58/
+Subject: Remove arrows from polygon with single point, ticket #114
+ When sanitizing line objects, a polygon consisting of too few points is
+ converted to a polyline. With this commit, the resulting polyline is
+ also sanitized, e.g, by removing arrow tips if the line consists only of
+ a single point.
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -3,7 +3,7 @@
+ * Copyright (c) 1991 by Micah Beck
+ * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+ * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2020 by Thomas Loimer
++ * Parts Copyright (c) 2015-2021 by Thomas Loimer
+ *
+ * Any party obtaining a copy of these files is granted, free of charge, a
+ * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -936,6 +936,7 @@ sanitize_lineobject(
+ put_msg("A polygon with %d points at line %d - convert to a polyline.",
+ npts, line_no);
+ l->type = T_POLYLINE;
++ sanitize_lineobject(l, p, line_no);
+ return 0;
+ }
+ }
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -2,7 +2,7 @@ dnl Fig2dev: Translate Fig code to vario
+ dnl Copyright (c) 1991 by Micah Beck
+ dnl Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+ dnl Parts Copyright (c) 1989-2015 by Brian V. Smith
+-dnl Parts Copyright (c) 2015-2020 by Thomas Loimer
++dnl Parts Copyright (c) 2015-2021 by Thomas Loimer
+ dnl
+ dnl Any party obtaining a copy of these files is granted, free of charge, a
+ dnl full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -121,7 +121,7 @@ EOF
+ ])
+ AT_CLEANUP
+
+-AT_SETUP([remove arrows tips from single point])
++AT_SETUP([remove arrow tips from single point])
+ AT_KEYWORDS(read.c polyline)
+ AT_CHECK([fig2dev -L pict2e <<EOF
+ FIG_FILE_TOP
+@@ -134,6 +134,19 @@ EOF
+ A single point with a backward arrow - remove the arrow.
+ ])
+ AT_CLEANUP
++
++AT_SETUP([remove arrow tips on polygon with single point])
++AT_KEYWORDS(read.c polygon)
++AT_CHECK([fig2dev -L svg <<EOF
++FIG_FILE_TOP
++2 3 0 1 -1 -1 50 -1 -1 0. 0 0 0 0 1 1
++ 0 0 2. 120. 240.
++ 0 0
++EOF
++],0,ignore,[A polygon with 1 points at line 12 - convert to a polyline.
++A single point with a backward arrow - remove the arrow.
++])
++AT_CLEANUP
+
+ AT_SETUP([reject huge arrow-type, ticket #57])
+ AT_KEYWORDS(arrow.c arrow)
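Review bot: In the `read.c` hunk for `sanitize_lineobject`, the result of the added recursive call is discarded and the branch still ends in `return 0;`, so any failure the second pass reports for the converted polyline would be lost. If the function can return non-zero for a `T_POLYLINE` object (its other return paths lie outside the hunk), forwarding the result with `return sanitize_lineobject(l, p, line_no);` keeps the caller informed. A short comment such as `/* type is now T_POLYLINE: re-run the polyline checks, e.g. arrows on a single point */` would also record why the recursion is expected to stop after one level.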
diff -Nru fig2dev-3.2.8/debian/patches/31_trunc-subsuper.patch fig2dev-3.2.8/debian/patches/31_trunc-subsuper.patch
--- fig2dev-3.2.8/debian/patches/31_trunc-subsuper.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8/debian/patches/31_trunc-subsuper.patch 2021-04-30 11:28:30.000000000 +0200
@@ -0,0 +1,80 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sat Apr 24 10:29:59 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/113/
+Bug: https://sourceforge.net/p/mcj/tickets/117/
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fig2dev/+bug/1926674
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/f8ce1ff8837056b12c046f56e3b5248b2c8eeaa1/
+Subject: Allow truncated sub/superscripts in text, #113, #117
+ For svg output, sub- and superscripts are indicated by the ^ and _
+ characters, respectively. A text string truncated right after these
+ characters caused buffer overflow. Fixes tickets #113 and #117.
+
+--- a/fig2dev/dev/gensvg.c
++++ b/fig2dev/dev/gensvg.c
+@@ -3,7 +3,7 @@
+ * Parts Copyright (c) 2002 by Anthony Starks
+ * Parts Copyright (c) 2002-2006 by Martin Kroeker
+ * Parts Copyright (c) 2002-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2020 by Thomas Loimer
++ * Parts Copyright (c) 2015-2021 by Thomas Loimer
+ *
+ * Any party obtaining a copy of these files is granted, free of charge, a
+ * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -1005,7 +1005,7 @@ gensvg_text(F_text *t)
+ #endif
+ for (cp = (unsigned char *)t->cstring; *cp; cp++) {
+ ch = *cp;
+- if (( supsub == 2 &&ch == '}' ) || supsub==1) {
++ if ((supsub == 2 && ch == '}') || supsub==1) {
+ #ifdef NOSUPER
+ fprintf(tfp,"</tspan><tspan dy=\"%d\">",-dy);
+ old_dy=-dy;
+@@ -1019,6 +1019,8 @@ gensvg_text(F_text *t)
+ }
+ }
+ if (ch == '_' || ch == '^') {
++ if (*(cp + 1) == '\0')
++ break;
+ supsub=1;
+ #ifdef NOSUPER
+ if (dy != 0)
+@@ -1043,6 +1045,8 @@ gensvg_text(F_text *t)
+ ++cp;
+ ch = *cp;
+ if (ch == '{' ) {
++ if (*(cp + 1) == '\0')
++ break;
+ supsub=2;
+ ++cp;
+ ch = *cp;
+--- a/fig2dev/tests/output.at
++++ b/fig2dev/tests/output.at
+@@ -231,6 +231,17 @@ AT_CHECK([SOURCE_DATE_EPOCH=1483564881 f
+ - $builddir/data/fillswclip.svg])
+ AT_CLEANUP
+
++AT_SETUP([truncated sub/superscript, tickets #113, #117])
++AT_KEYWORDS(read.c svg)
++AT_CHECK([fig2dev -L svg <<EOF
++#FIG 2
++1200 2
++4 2 0 0 1 0 0 0 6 110 376 0 0 ^
++4 2 0 0 1 0 0 0 6 110 376 0 200 ^{
++EOF
++], 0, ignore)
++AT_CLEANUP
++
+
+ AT_BANNER([Test tikz output language.])
+
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -136,7 +136,7 @@ A single point with a backward arrow - r
+ AT_CLEANUP
+
+ AT_SETUP([remove arrow tips on polygon with single point])
+-AT_KEYWORDS(read.c polygon)
++AT_KEYWORDS(read.c polygon svg)
+ AT_CHECK([fig2dev -L svg <<EOF
+ FIG_FILE_TOP
+ 2 3 0 1 -1 -1 50 -1 -1 0. 0 0 0 0 1 1
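Review bot: The second added `break` in `gensvg_text` (the `ch == '{'` case in `gensvg.c`) leaves the loop after `supsub=1` has already been set, and possibly after sub/superscript markup was written by the lines between the two hunks, which are not shown. Unless the code after the loop closes whatever was opened, a text ending in `^{` could yield unbalanced SVG; this needs checking against the rest of the function, which is outside the hunks. The new `output.at` case only checks the exit status with stdout ignored, so it cannot catch malformed output, and a one-byte over-read would usually fail it only when the suite runs under a memory checker such as AddressSanitizer. A comment on each guard, for example `/* nothing follows the ^ or _ marker: stop instead of reading past the terminator */`, would make the intent clear.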
diff -Nru fig2dev-3.2.8/debian/patches/32_arrow-point.patch fig2dev-3.2.8/debian/patches/32_arrow-point.patch
--- fig2dev-3.2.8/debian/patches/32_arrow-point.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8/debian/patches/32_arrow-point.patch 2021-04-30 11:28:30.000000000 +0200
@@ -0,0 +1,63 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sat Apr 24 23:04:36 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/115/
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fig2dev/+bug/1926676
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/8c0917994e49110004a6632d0a66ea19501ad39d/
+Subject: Omit arrows without points in svg output, ticket #115
+
+--- a/fig2dev/dev/gensvg.c
++++ b/fig2dev/dev/gensvg.c
+@@ -1173,7 +1173,7 @@ svg_arrows(int line_thickness, F_arrow *
+ return true;
+ }
+
+- if (for_arrow) {
++ if (for_arrow && fnpoints > 1) {
+ fputs("<!-- Forward arrow", tfp);
+ arrow_path(for_arrow, forw2, pen_color, fnpoints, fpoints,
+ fnfillpoints, ffillpoints
+@@ -1182,7 +1182,7 @@ svg_arrows(int line_thickness, F_arrow *
+ #endif
+ );
+ }
+- if (back_arrow) {
++ if (back_arrow && bnpoints > 1) {
+ fputs("<!-- Backward arrow", tfp);
+ arrow_path(back_arrow, back2, pen_color, bnpoints, bpoints,
+ bnfillpoints, bfillpoints
+--- a/fig2dev/tests/output.at
++++ b/fig2dev/tests/output.at
+@@ -2,7 +2,7 @@ dnl Fig2dev: Translate Fig code to vario
+ dnl Copyright (c) 1991 by Micah Beck
+ dnl Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+ dnl Parts Copyright (c) 1989-2015 by Brian V. Smith
+-dnl Parts Copyright (c) 2015-2020 by Thomas Loimer
++dnl Parts Copyright (c) 2015-2021 by Thomas Loimer
+ dnl
+ dnl Any party obtaining a copy of these files is granted, free of charge, a
+ dnl full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -184,6 +184,7 @@ FIG_FILE_TOP
+ EOF], 0, ignore)
+ AT_CLEANUP
+
++
+ AT_BANNER([Test svg output language.])
+ AT_SETUP([compare patterns with template])
+ AT_KEYWORDS(svg pattern creationdate)
+@@ -242,6 +243,16 @@ EOF
+ ], 0, ignore)
+ AT_CLEANUP
+
++AT_SETUP([omit arrows without points, ticket #115])
++AT_KEYWORDS(svg arrow)
++AT_CHECK([fig2dev -L svg <<EOF
++FIG_FILE_TOP
++5 1 0 1 7 7 44 -1 6 0.000 0 1 1 1 50 -1 -1500 200 -1 7 50 -1 900 750 975
++ 0 0 1.00 45.00 90.00
++ 5 0 1.003 1426 1068 1426
++EOF], 0, ignore)
++AT_CLEANUP
++
+
+ AT_BANNER([Test tikz output language.])
+
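Review bot: The added guards in `svg_arrows` (`for_arrow && fnpoints > 1` and `back_arrow && bnpoints > 1`) drop the arrow silently and carry no comment explaining why the threshold is `> 1` when the patch subject speaks of arrows without points. The reader path touched by patch 30 reports comparable cases through `put_msg`, whereas here the user gets no hint that an arrow was omitted. If the intent is that an outline needs at least two points, a comment such as `/* skip degenerate arrows: fewer than two outline points were computed */` above each condition would say so, and a `put_msg` line would keep the behaviour consistent. `svg_arrows` begins and ends outside the hunks shown.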
diff -Nru fig2dev-3.2.8/debian/patches/33_sanitize-color.patch fig2dev-3.2.8/debian/patches/33_sanitize-color.patch
--- fig2dev-3.2.8/debian/patches/33_sanitize-color.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8/debian/patches/33_sanitize-color.patch 2021-04-30 11:28:30.000000000 +0200
@@ -0,0 +1,61 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sun Apr 25 00:49:15 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/116/
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fig2dev/+bug/1926677
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/6827c09d2d6491cb2ae3ac7196439ff3aa791fd9/
+Subject: Sanitize color definitions, ticket #116
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -520,30 +520,37 @@ read_colordef(char *line, int line_no)
+
+ if (num_usr_cols >= MAX_USR_COLS) {
+ if (num_usr_cols == MAX_USR_COLS) {
+- put_msg("Maximum number of color definitions (%d) exceeded at line %d.",
++ put_msg("Maximum number of color definitions (%d) "
++ "exceeded at line %d.",
+ MAX_USR_COLS, line_no);
+ ++num_usr_cols;
+ }
+ /* ignore additional colors */
+ return;
+ }
+- if (sscanf(line, "%*d %d #%2x%2x%2x", &c, &r, &g, &b) != 4) {
+- if (c >= NUM_STD_COLS && c < NUM_STD_COLS + MAX_USR_COLS) {
+- put_msg("Invalid color definition at line %d: %s, setting to black (#00000).",
+- line_no, line);
+- r = g = b = 0;
+- } else {
+- put_msg("User color number at line %d out of range (%d), should be between %d and %d.",
++ if (sscanf(line, "%*d %d #%2x%2x%2x", &c, &r, &g, &b) == 4) {
++ if (c >= NUM_STD_COLS && c < NUM_STD_COLS + MAX_USR_COLS &&
++ r >=0 && r < 256 && g >=0 && g < 256 &&
++ b >= 0 && b < 256 ) {
++ user_col_indx[num_usr_cols] = c;
++ user_colors[num_usr_cols].r = r;
++ user_colors[num_usr_cols].g = g;
++ user_colors[num_usr_cols].b = b;
++ ++num_usr_cols;
++ } else if (c < NUM_STD_COLS || c >= NUM_STD_COLS+MAX_USR_COLS) {
++ put_msg("User color number at line %d out of range (%d)"
++ ", should be between %d and %d.",
+ line_no, c, NUM_STD_COLS,
+ NUM_STD_COLS + MAX_USR_COLS - 1);
+- return;
++ } else {
++ put_msg("Invalid color definition at line %d: %s, color"
++ " values must be between 0 through 255.",
++ line_no, line);
+ }
++ } else {
++ put_msg("Invalid color definition at line %d: %s.",
++ line_no, line);
+ }
+- user_col_indx[num_usr_cols] = c;
+- user_colors[num_usr_cols].r = r;
+- user_colors[num_usr_cols].g = g;
+- user_colors[num_usr_cols].b = b;
+- ++num_usr_cols;
+ }
+
+ static void
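Review bot: In `read_colordef` a definition that fails to parse is now dropped, where the old code stored it as black when `c` was in range, so no entry is recorded for that colour number and the hunk does not show what later objects referencing it resolve to. It is worth confirming that the colour lookup copes with a number missing from `user_col_indx`, since that code is outside this hunk. Unlike patches 30 to 32, this patch adds no testsuite case; a `read.at` check with one malformed and one out-of-range definition would pin the new behaviour. Minor wording: `must be between 0 through 255` mixes two idioms, and `must be between 0 and 255` reads better.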
diff -Nru fig2dev-3.2.8/debian/patches/series fig2dev-3.2.8/debian/patches/series
--- fig2dev-3.2.8/debian/patches/series 2021-02-06 12:59:35.000000000 +0100
+++ fig2dev-3.2.8/debian/patches/series 2021-04-30 11:28:30.000000000 +0200
@@ -2,3 +2,7 @@
15_fig2mpdf-doc.patch
28_fix_fig2dev_chmod.patch
29_RGBFILE.patch
+30_arrow-poly.patch
+31_trunc-subsuper.patch
+32_arrow-point.patch
+33_sanitize-color.patch