Bug#1104154: bookworm-pu: package fig2dev/1:3.2.8b-3+deb12u2
Hi Salvatore!
On Wed, 30 Apr 2025, Salvatore Bonaccorso wrote:
> FWIW, the CVEs have been rejected in meanwhile as there is no real
> security impact. I think still it is worth you might upload your
> package for the upcoming point release, but please drop the CVE id
> mentionings.
Okay, I renamed the patches to their names from sid/trixie and removed
the CVE references from the patches and from debian/changelog.
An updated debdiff is attached.
The updated salsa pipeline is at
https://salsa.debian.org/debian/fig2dev/-/pipelines/861650
Everything else is unchanged since the initial bug report.
A diff against the initial bug report can be found in
https://salsa.debian.org/debian/fig2dev/-/commit/792b63860a7e4bdc6199da9e049cc617512c44b9
Greetings
Roland
diff -Nru fig2dev-3.2.8b/debian/changelog fig2dev-3.2.8b/debian/changelog
--- fig2dev-3.2.8b/debian/changelog 2025-03-28 22:51:19.000000000 +0100
+++ fig2dev-3.2.8b/debian/changelog 2025-05-05 20:01:51.000000000 +0200
@@ -1,3 +1,13 @@
+fig2dev (1:3.2.8b-3+deb12u2) bookworm; urgency=medium
+
+ * Fix the following seg-faults/stack-overflows:
+ * 41_nan-spline: Detect nan in spline control values.
+ * 42_zero2ndline: Permit \0 in 2nd line in fig file.
+ * 43_ge-spline: ge output: correct spline computation.
+ * 44_arcradius3: Reject arcs with a radius smaller than 3.
+
+ -- Roland Rosenfeld <roland@debian.org> Mon, 05 May 2025 20:01:51 +0200
+
fig2dev (1:3.2.8b-3+deb12u1) bookworm; urgency=medium
* 38_CVE-2025-31162: Reject huge pattern lengths.
diff -Nru fig2dev-3.2.8b/debian/patches/41_nan-spline.patch fig2dev-3.2.8b/debian/patches/41_nan-spline.patch
--- fig2dev-3.2.8b/debian/patches/41_nan-spline.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/41_nan-spline.patch 2025-05-05 20:01:51.000000000 +0200
@@ -0,0 +1,51 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Thu, 10 Apr 2025 09:03:30 +0200
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/dfa8b66
+Bug: https://sourceforge.net/p/mcj/tickets/192/
+Forwarded: not-needed
+Subject: Detect nan in spline control values, ticket #192
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -1469,8 +1469,11 @@ read_splineobject(FILE *fp, char **restr
+ free_splinestorage(s);
+ return NULL;
+ }
+- if (lx < INT_MIN || lx > INT_MAX || ly < INT_MIN || ly > INT_MAX ||
+- rx < INT_MIN || rx > INT_MAX || ry < INT_MIN || ry > INT_MAX) {
++ if ( !isfinite(lx) || lx < INT_MIN || lx > INT_MAX ||
++ !isfinite(ly) || ly < INT_MIN || ly > INT_MAX ||
++ !isfinite(rx) || rx < INT_MIN || rx > INT_MAX ||
++ !isfinite(ry) || ry < INT_MIN || ry > INT_MAX)
++ {
+ /* do not care to clean up, we exit anyway
+ cp->next = NULL;
+ free_splinestorage(s); */
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -581,6 +581,25 @@ EOF
+ ])
+ AT_CLEANUP
+
++AT_SETUP([reject nan in spline controls values, #192])
++AT_KEYWORDS([read.c])
++# Use an output language that does not natively support Bezier splines.
++# Otherwise, the huge values are simply copied to the output.
++AT_CHECK([fig2dev -L epic <<EOF
++#FIG 3.1
++Landscape
++Center
++Metric
++1200 2
++3 2 0 1 0 7 50 -1 -1 0.0 0 0 0 2
++ 0 0 1200 0
++ 600 600 600 nan
++ 600 600 600 600
++EOF
++], 1, ignore, [Spline control points out of range at line 8.
++])
++AT_CLEANUP
++
+ AT_BANNER([Dynamically allocate picture file name.])
+
+ AT_SETUP([prepend fig file path to picture file name])
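Review bot: The new `isfinite()` calls in read_splineobject need `<math.h>` in scope, and the hunk does not show whether fig2dev/read.c already includes it; if it does not, the build would fall back to an implicit declaration (a hard error with `-Werror=implicit-function-declaration`), so the include should be confirmed. The reason the extra test is required is worth a comment on the new condition, since `lx < INT_MIN || lx > INT_MAX` silently passes for NaN: `/* NaN compares false against every bound, so the range checks alone would accept it */`. The added read.at test pins the exact message `Spline control points out of range at line 8.`, which ties the test to the wording of the existing error path rather than to the new check alone. The body of read_splineobject continues on both sides of the hunk.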
diff -Nru fig2dev-3.2.8b/debian/patches/42_zero2ndline.patch fig2dev-3.2.8b/debian/patches/42_zero2ndline.patch
--- fig2dev-3.2.8b/debian/patches/42_zero2ndline.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/42_zero2ndline.patch 2025-05-05 20:01:51.000000000 +0200
@@ -0,0 +1,19 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Tue, 8 Apr 2025 21:34:23 +0200
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/5f22009
+Bug: https://sourceforge.net/p/mcj/tickets/191/
+Forwarded: not-needed
+Subject: Permit \0 in the second line in the fig file, #191
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -181,7 +181,8 @@ read_objects(FILE *fp, F_compound *obj)
+ }
+
+ /* check for embedded '\0' */
+- if (strlen(buf) < sizeof buf - 1 && buf[strlen(buf) - 1] != '\n') {
++ if (*buf == '\0' || (strlen(buf) < sizeof buf - 1 &&
++ buf[strlen(buf) - 1] != '\n')) {
+ put_msg("ASCII NUL ('\\0') character within the first line.");
+ exit(EXIT_FAILURE);
+ /* seek to the end of the first line
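Review bot: The new guard in read_objects calls `strlen(buf)` twice on the same buffer and indexes with `strlen(buf) - 1`, which reads more naturally with the length computed once: `size_t len = strlen(buf);` followed by `if (len == 0 || (len < sizeof buf - 1 && buf[len - 1] != '\n')) {`. The `len == 0` form also makes explicit that the case being excluded is the one where the old index would have been `buf[-1]`. The patch subject speaks of the second line of the fig file, while the message still says `within the first line.`; if this branch can be reached for the second line, the message is misleading and should name the line that was actually read. read_objects starts and ends outside the hunk.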
diff -Nru fig2dev-3.2.8b/debian/patches/43_ge-spline.patch fig2dev-3.2.8b/debian/patches/43_ge-spline.patch
--- fig2dev-3.2.8b/debian/patches/43_ge-spline.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/43_ge-spline.patch 2025-05-05 20:01:51.000000000 +0200
@@ -0,0 +1,26 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Tue, 8 Apr 2025 22:45:57 +0200
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/2bd6c0b
+Bug: https://sourceforge.net/p/mcj/tickets/190/
+Forwarded: not-needed
+Subject: ge output: correct spline computation, ticket #190
+
+--- a/fig2dev/dev/genge.c
++++ b/fig2dev/dev/genge.c
+@@ -229,8 +229,6 @@ genge_itp_spline(F_spline *s)
+ int xmin, ymin;
+
+ a = s->controls;
+-
+- a = s->controls;
+ p = s->points;
+ /* go through the points to find the last two */
+ for (q = p->next; q != NULL; p = q, q = q->next) {
+@@ -238,6 +236,7 @@ genge_itp_spline(F_spline *s)
+ a = b;
+ }
+
++ a = s->controls;
+ p = s->points;
+ fprintf(tfp, "n %d %d m\n", p->x, p->y);
+ xmin = 999999;
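Review bot: The re-added `a = s->controls;` after the loop in genge_itp_spline deserves a comment, since the same assignment still appears before the loop and a reader will otherwise take the second one for a leftover duplicate: `/* the loop above advanced a to the last control; rewind before emitting */`. The loop walks `a` via `a = b` and the hunk does not show how `b` is derived or whether the walk stops when `s->controls` is shorter than `s->points`, so whether a NULL dereference is possible there cannot be judged from this hunk. The loop body is split across the two hunks and genge_itp_spline continues beyond them.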
diff -Nru fig2dev-3.2.8b/debian/patches/44_arcradius3.patch fig2dev-3.2.8b/debian/patches/44_arcradius3.patch
--- fig2dev-3.2.8b/debian/patches/44_arcradius3.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/44_arcradius3.patch 2025-05-05 20:01:51.000000000 +0200
@@ -0,0 +1,63 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sat, 25 Jan 2025 21:06:59 +0100
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/c4465e0
+Bug: https://sourceforge.net/p/mcj/tickets/187/
+Forwarded: not-needed
+Subject: Reject arcs with a radius smaller than 3, #187
+ An arc with too small radius caused a crash in pict2e output. Instead
+ of dealing with such arcs in the pict2e driver, reject them already
+ when reading.
+
+--- a/fig2dev/object.h
++++ b/fig2dev/object.h
+@@ -92,11 +92,14 @@ typedef struct f_ellipse {
+ struct f_ellipse *next;
+ } F_ellipse;
+
++#define RADIUS2_MIN 9
+ #define INVALID_ELLIPSE(e) \
+ e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA || \
+ COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \
+ e->radiuses.x == 0 || e->radiuses.y == 0 || \
++ e->radiuses.x + e->radiuses.y < RADIUS2_MIN || \
+ e->angle < -7. || e->angle > 7.
++ /* radiuses are set to positive in read.c */
+
+ typedef struct f_arc {
+ int type;
+@@ -131,7 +134,10 @@ typedef struct f_arc {
+ (a->direction != 0 && a->direction != 1) || \
+ COINCIDENT(a->point[0], a->point[1]) || \
+ COINCIDENT(a->point[0], a->point[2]) || \
+- COINCIDENT(a->point[1], a->point[2])
++ COINCIDENT(a->point[1], a->point[2]) || \
++ (a->point[0].x - a->center.x) * (a->point[0].x - a->center.x) + \
++ (a->point[0].y - a->center.y) * (a->point[0].y - a->center.y) < \
++ RADIUS2_MIN
+
+ typedef struct f_line {
+ int type;
+--- a/fig2dev/read1_3.c
++++ b/fig2dev/read1_3.c
+@@ -157,8 +157,10 @@ read_arcobject(FILE *fp)
+ a->pen_color = a->fill_color = BLACK_COLOR;
+ a->depth = 0;
+ a->pen = 0;
++ a->fill_style = 0;
+ a->for_arrow = NULL;
+ a->back_arrow = NULL;
++ a->cap_style = 0;
+ a->comments = NULL;
+ a->next = NULL;
+ n = fscanf(fp,
+@@ -329,6 +331,10 @@ read_ellipseobject(FILE *fp)
+ e->type = T_CIRCLE_BY_RAD;
+ else
+ e->type = T_CIRCLE_BY_DIA;
++ if (e->radiuses.x < 0)
++ e->radiuses.x *= -1;
++ if (e->radiuses.y < 0)
++ e->radiuses.y *= -1;
+ if (INVALID_ELLIPSE(e)) {
+ put_msg(Err_invalid, "ellipse");
+ free(e);
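Review bot: `RADIUS2_MIN` is used with two different meanings in object.h: the new INVALID_ARC term compares a squared distance against it (radius below 3), while the new INVALID_ELLIPSE term compares the plain sum `e->radiuses.x + e->radiuses.y` against it, which rejects, for example, an ellipse with radii 4 and 4. If the ellipse rule is intended, the constant should say so next to its definition, e.g. `/* minimum squared radius for arcs; ellipses are rejected when rx + ry is below this */`, otherwise the ellipse check should square the radii too. The comment `/* radiuses are set to positive in read.c */` is placed after the macro's last line, outside the macro, and belongs above the `#define` as a statement of its precondition; this debdiff only shows the sign normalisation being added in read1_3.c, so the read.c part of that claim cannot be checked here. The type of `a->center` is not visible in the hunk; if it is integer-typed the squared-distance product can overflow `int`, so that should be confirmed.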
diff -Nru fig2dev-3.2.8b/debian/patches/series fig2dev-3.2.8b/debian/patches/series
--- fig2dev-3.2.8b/debian/patches/series 2025-03-28 22:51:19.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/series 2025-05-05 20:01:51.000000000 +0200
@@ -10,3 +10,7 @@
38_CVE-2025-31162.patch
39_CVE-2025-31163.patch
40_CVE-2025-31164.patch
+41_nan-spline.patch
+42_zero2ndline.patch
+43_ge-spline.patch
+44_arcradius3.patch