
Bug#1018162: marked as done (bullseye-pu: package fig2dev/1:3.2.8-3+deb11u1)



Your message dated Sat, 10 Sep 2022 13:36:19 +0100
with message-id <92fe43e7805e82e43100a6471ccbf91cd9a12944.camel@adam-barratt.org.uk>
and subject line Closing requests for updates in 11.5
has caused the Debian Bug report #1018162,
regarding bullseye-pu: package fig2dev/1:3.2.8-3+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1018162: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018162
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

I prepared an update for fig2dev 1:3.2.8-3 to deb11u1, which fixes
CVE-2021-37529 and CVE-2021-37530.

Additionally, it fixes an annoying bug that breaks EPS import (this bug
was a typo with x and y).

Last, I added a mechanism that rebuilds the testsuite (used at build
time as well as in autopkgtest) to activate the tests that are added
by the above patches.

The salsa pipeline succeeded on this (except reprotest and crossbuild):
https://salsa.debian.org/debian/fig2dev/-/pipelines/415604

[ Risks ]
The patches are backported from upstream code and not too complex.
The CVE patches come with test cases that check their correctness.
The eps import patch is trivial to check (only one char was wrong).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

A diff against 3.2.8-3 (bullseye) is attached.

Greetings
Roland
diff --git a/debian/changelog b/debian/changelog
index 8954565..a1bcec3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+fig2dev (1:3.2.8-3+deb11u1) bullseye; urgency=medium
+
+  * Rebuild testsuite during build and in autopkgtest.
+  * 34_epsimport: Stop misplacement of embedded eps images.
+  * Adapt salsa CI pipeline to bullseye release.
+  * 35_CVE-2021-37529: Allow long names for non-existing images.
+  * 36_CVE-2021-37530: Avoid a segfault for non-existing image names.
+
+ -- Roland Rosenfeld <roland@debian.org>  Fri, 26 Aug 2022 12:30:59 +0200
+
 fig2dev (1:3.2.8-3) unstable; urgency=medium
 
   * 30_arrow-poly: Remove arrows from polygon with single point.
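Review bot: the two CVE entries describe the fixes only by symptom ("Allow long names", "Avoid a segfault") rather than by bug class; the patch headers below name a double free (ticket #125) and a crash on a NULL pointer for a compressed-suffix name (ticket #126). Naming the class and the upstream ticket URLs here, e.g. "36_CVE-2021-37530: Avoid a NULL dereference (segfault) for non-existing image names with a compression suffix (upstream #126)", makes the security-tracker entry and later triage easier.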
diff --git a/debian/patches/34_epsimport.patch b/debian/patches/34_epsimport.patch
new file mode 100644
index 0000000..84426b4
--- /dev/null
+++ b/debian/patches/34_epsimport.patch
@@ -0,0 +1,18 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Tue, 28 Sep 2021 21:58:41 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/137/
+Origin: https://sourceforge.net/p/mcj/fig2dev/ci/1b09a885a8f0309bf1170ddcf07673801c79f895/
+Applied-Upstream: commit:1b09a885a8f0309bf1170ddcf07673801c79f895
+Subject: [PATCH] Correct a typo causing incorrect eps import, #137
+
+--- a/fig2dev/dev/readeps.c
++++ b/fig2dev/dev/readeps.c
+@@ -345,7 +345,7 @@ read_eps(F_pic *pic, struct xfig_stream
+ 				}
+ 				*llx = floor(rllx);
+ 				*lly = floor(rlly);
+-				pic->bit_size.x = (int)(rurx - rlly);
++				pic->bit_size.x = (int)(rurx - rllx);
+ 				pic->bit_size.y = (int)(rury - rlly);
+ 				break;
+ 			}
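Review bot: unlike 35_ and 36_ below, this hunk carries no regression test, even though the rest of the upload goes to some length to rebuild the testsuite so new tests are picked up. The one-character fix (rllx for rlly in bit_size.x) is easy to check by eye, but it is just as easy to regress silently: an input.at case with an embedded EPS whose BoundingBox has llx != lly (so that rurx - rlly and rurx - rllx differ) would catch it. Also worth a line in the patch description: bit_size.x is obtained by truncation with (int) while llx/lly use floor(), which is unchanged here but is the sort of thing a future reader of the computation will wonder about.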
diff --git a/debian/patches/35_CVE-2021-37529.patch b/debian/patches/35_CVE-2021-37529.patch
new file mode 100644
index 0000000..3e977f4
--- /dev/null
+++ b/debian/patches/35_CVE-2021-37529.patch
@@ -0,0 +1,68 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Tue Jul 20 00:23:47 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/125/
+Origin: https://sourceforge.net/p/mcj/fig2dev/ci/899ea1277387ca9e9853bf61d29b7419d5692691
+Subject: Allow long names for non-existing images, #125
+ This fixes CVE-2021-37529
+    
+    On freeing the memory for the long file names, a double free() happened,
+    see ticket #125.
+    
+    In addition, do not allocate twice to the same pointer (*found), thus
+    leaking memory.
+
+--- a/fig2dev/dev/readpics.c
++++ b/fig2dev/dev/readpics.c
+@@ -55,13 +55,19 @@ free_stream(struct xfig_stream *restrict
+ 			err_msg("Cannot remove temporary file %s",
+ 					xf_stream->content);
+ 		}
+-		if (xf_stream->content != xf_stream->content_buf)
++		if (xf_stream->content != xf_stream->content_buf) {
+ 			free(xf_stream->content);
++			xf_stream->content = xf_stream->content_buf;
++		}
+ 	}
+-	if (xf_stream->name != xf_stream->name_buf)
++	if (xf_stream->name != xf_stream->name_buf) {
+ 		free(xf_stream->name);
+-	if (xf_stream->name_on_disk != xf_stream->name_on_disk_buf)
++		xf_stream->name = xf_stream->name_buf;
++	}
++	if (xf_stream->name_on_disk != xf_stream->name_on_disk_buf) {
+ 		free(xf_stream->name_on_disk);
++		xf_stream->name_on_disk = xf_stream->name_on_disk_buf;
++	}
+ }
+ 
+ /*
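Review bot: resetting each pointer to its inline buffer right after free() is what closes the double free, since a second free_stream() call now sees content == content_buf (and likewise for name and name_on_disk) and skips the free. The remove() error path at the top of the hunk, which reports xf_stream->content as a temporary file, is not made idempotent in the same way: if the enclosing condition (outside this hunk) can still be true on a second call, the removal would be attempted again on whatever content_buf happens to hold. Consider clearing content_buf[0] (or whatever that condition tests) in the same place, and state in the patch description that free_stream() is now safe to call more than once, since that is the property the test below relies on.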
+@@ -124,8 +130,9 @@ file_on_disk(char *restrict name, char *
+ 	if (stat(name, &status)) {
+ 		/* File not found. Now try, whether a file with one of
+ 		   the known suffices appended exists. */
+-		if (len < name_len + FILEONDISK_ADD && (*found =
+-				malloc(name_len + FILEONDISK_ADD)) == NULL) {
++		if (len > name_len && len < name_len + FILEONDISK_ADD &&
++				(*found = malloc(name_len + FILEONDISK_ADD))
++				== NULL) {
+ 			put_msg(Err_mem);
+ 			return -1;
+ 		}
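Review bot: the added `len > name_len` condition is the part that stops a fresh malloc() into *found in the case that leaked before, but folding the allocation into a three-line condition makes the intent hard to audit. Splitting it reads better and keeps the error path obvious:
	if (len > name_len && len < name_len + FILEONDISK_ADD) {
		*found = malloc(name_len + FILEONDISK_ADD);
		if (*found == NULL) { put_msg(Err_mem); return -1; }
	}
The hunk also does not say what len and *found mean on entry (how large the caller's buffer is, and when *found already points at allocated memory); a one-line comment stating that invariant would explain why `len > name_len` is the right guard and help whoever backports this next.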
+--- a/fig2dev/tests/input.at
++++ b/fig2dev/tests/input.at
+@@ -137,4 +137,15 @@ AT_CHECK([$SED "11 s%line%$abs_srcdir/da
+ ],0,ignore)
+ AT_CLEANUP
+ 
++AT_SETUP([long image name, non-existing file, ticket #125])
++AT_KEYWORDS(readpics)
++AT_CHECK([fig2dev -Leps <<EOF
++FIG_FILE_TOP
++2 5 0 1 0 -1 50 -1 -1 0.0 0 0 -1 0 0 5
++	0 use a file name that does not exist and is at least 128 characters long - this triggered a bug whereupon the string buffer was freed two times
++	 0 0 100 0 100 60 0 60 0 0
++EOF
++],0,ignore,ignore)
++AT_CLEANUP
++
+ m4_undefine([NO_GZIP])
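Review bot: this test only asserts exit status 0 and ignores both stdout and stderr, so it catches the original crash (a double free aborts the process) but says nothing about the memory leak the patch description also claims to fix, and it would pass if fig2dev merely printed an error and exited 0 for an unrelated reason. Checking stderr for the expected "No such picture file: ..." diagnostic, as the ticket #126 test below does, would make it a sharper regression test; running the autopkgtest suite under valgrind or an ASan build is the only way to cover the leak and the heap misuse itself.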
diff --git a/debian/patches/36_CVE-2021-37530.patch b/debian/patches/36_CVE-2021-37530.patch
new file mode 100644
index 0000000..960de31
--- /dev/null
+++ b/debian/patches/36_CVE-2021-37530.patch
@@ -0,0 +1,40 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Tue Jul 20 00:36:12 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/126/
+Origin: https://sourceforge.net/p/mcj/fig2dev/ci/ff103511e49c44c83fc58e2092aa37e9019a3a9f/
+Subject: Avoid a segfault for non-existing image names, #126
+ This fixes CVE-2021-37530
+    
+    Before this commit, a name with a compression suffix, referring to a
+    non-existing image file, would cause a segfault.
+
+--- a/fig2dev/dev/readpics.c
++++ b/fig2dev/dev/readpics.c
+@@ -219,7 +219,7 @@ open_stream(char *restrict name, struct
+ 		return NULL;
+ 	}
+ 
+-	if (*xf_stream->uncompress) {
++	if (xf_stream->uncompress && *xf_stream->uncompress) {
+ 		/* a compressed file */
+ 		char	command_buf[256];
+ 		char	*command = command_buf;
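Review bot: the extra `xf_stream->uncompress &&` guard stops the NULL dereference, but the hunk does not show where uncompress is left NULL for a non-existing compressed name, so the reader cannot tell whether this is the only place that dereferences it. Either initialise uncompress to "" in the failing path so the original `*xf_stream->uncompress` test is sufficient everywhere, or add a comment here saying that NULL means "file not found, no decompression", and grep the remaining uses of uncompress to confirm they are covered; the patch description should mention which of the two was chosen.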
+--- a/fig2dev/tests/input.at
++++ b/fig2dev/tests/input.at
+@@ -148,4 +148,16 @@ EOF
+ ],0,ignore,ignore)
+ AT_CLEANUP
+ 
++AT_SETUP([non-existing file with suffix (.Z), ticket #126])
++AT_KEYWORDS(readpics)
++AT_CHECK([fig2dev -Leps <<EOF
++FIG_FILE_TOP
++2 5 0 1 0 -1 50 -1 -1 0.0 0 0 -1 0 0 5
++	0 non-existing.Z
++	 0 0 100 0 100 60 0 60 0 0
++EOF
++],0,ignore,[No such picture file: non-existing.Z
++])
++AT_CLEANUP
++
+ m4_undefine([NO_GZIP])
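Review bot: the context lines of this hunk (`],0,ignore,ignore)` / `AT_CLEANUP` at -148) are the tail of the test that 35_CVE-2021-37529.patch adds, so this patch only applies after that one and the ordering in debian/patches/series is load-bearing. That is fine as long as it is recorded; a short note in this patch's header ("applies on top of 35_CVE-2021-37529.patch") would prevent a later refresh or cherry-pick from breaking quilt push. The stderr assertion itself is good and stricter than the #125 test; keeping the trailing newline in the expected text is required for autotest to match.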
diff --git a/debian/patches/series b/debian/patches/series
index 0ab760a..bb740cf 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,6 @@
 31_trunc-subsuper.patch
 32_arrow-point.patch
 33_sanitize-color.patch
+34_epsimport.patch
+35_CVE-2021-37529.patch
+36_CVE-2021-37530.patch
diff --git a/debian/rules b/debian/rules
index 95f1756..6f1ddc1 100755
--- a/debian/rules
+++ b/debian/rules
@@ -29,7 +29,11 @@ override_dh_auto_build:
 #	preserve some files from upstream tarball:
 	tar cf debian/preserve.tar fig2dev/config.vc \
 		fig2dev/tests/data/fillswclip.svg \
-		fig2dev/tests/data/patterns.svg transfig/doc/manual.pdf
+		fig2dev/tests/data/patterns.svg transfig/doc/manual.pdf \
+		fig2dev/tests/testsuite
+
+# 	rebuild testsuite:
+	(cd fig2dev/tests; rm -f testsuite; make testsuite)
 
 	dh_auto_build
 
diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml
index 892f3cd..4e57130 100644
--- a/debian/salsa-ci.yml
+++ b/debian/salsa-ci.yml
@@ -1,3 +1,6 @@
 include:
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'bullseye'
diff --git a/debian/tests/fig2dev-testsuite b/debian/tests/fig2dev-testsuite
index 8998617..be31ef2 100755
--- a/debian/tests/fig2dev-testsuite
+++ b/debian/tests/fig2dev-testsuite
@@ -10,6 +10,11 @@ echo "Running dh_auto_configure"
 dh_auto_configure 2>&1
 
 cd fig2dev/tests
+
+echo "Rebuild testsuite"
+rm -f testsuite
+make testsuite
+
 echo "Building required test programs"
 make check 2>&1 || true
 

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.5

Hi,

The updates referred to in each of these bugs were included in today's
11.5 point release.

Regards,

Adam

--- End Message ---