
Bug#1101561: marked as done (bookworm-pu: package fig2dev/1:3.2.8b-3+deb12u1)



Your message dated Sat, 17 May 2025 09:37:57 +0000
with message-id <E1uGDzR-005KGe-Fj@coccia.debian.org>
and subject line Close 1101561
has caused the Debian Bug report #1101561,
regarding bookworm-pu: package fig2dev/1:3.2.8b-3+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1101561: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101561
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: fig2dev@packages.debian.org
Control: affects -1 + src:fig2dev

[ Reason ]
This fixes CVE-2025-31162, CVE-2025-31163, CVE-2025-31164
(segmentation faults in the pict2e driver of fig2dev).

[ Impact ]
Segmentation faults with some special cases and a minor security
issue.

[ Tests ]
salsa-ci passed except reprotest (this seems to build the package with
sid instead of bookworm, which uses a newer ghostscript version,
resulting in slightly different gray rastering with two more dots in
one example, so one test in the testsuite fails):
https://salsa.debian.org/debian/fig2dev/-/pipelines/840929

The patches for CVE-2025-31163 and CVE-2025-31164 add new test cases
(for these bugs) which run successfully.

[ Risks ]
Hopefully none...

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
- fix for CVE-2025-31162
- fix for CVE-2025-31163
- fix for CVE-2025-31164
- Change in debian/salsa-ci.yml to build with bookworm instead of sid

[ Other info ]
I was asked by Salvatore Bonaccorso <carnil@debian.org> from the
security team to upload this to the next point release instead of
fixing via DSA, because of the low severity of the CVEs.

Greetings
Roland
diff -Nru fig2dev-3.2.8b/debian/changelog fig2dev-3.2.8b/debian/changelog
--- fig2dev-3.2.8b/debian/changelog	2022-09-20 17:24:07.000000000 +0200
+++ fig2dev-3.2.8b/debian/changelog	2025-03-28 22:51:19.000000000 +0100
@@ -1,3 +1,11 @@
+fig2dev (1:3.2.8b-3+deb12u1) bookworm; urgency=medium
+
+  * 38_CVE-2025-31162: Reject huge pattern lengths.
+  * 39_CVE-2025-31163: Reject arcs with co-incident points.
+  * 40_CVE-2025-31164: Allow an arc-box with zero radius.
+
+ -- Roland Rosenfeld <roland@debian.org>  Fri, 28 Mar 2025 22:51:19 +0100
+
 fig2dev (1:3.2.8b-3) unstable; urgency=medium
 
   [ Roland Rosenfeld ]
diff -Nru fig2dev-3.2.8b/debian/patches/38_CVE-2025-31162.patch fig2dev-3.2.8b/debian/patches/38_CVE-2025-31162.patch
--- fig2dev-3.2.8b/debian/patches/38_CVE-2025-31162.patch	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/38_CVE-2025-31162.patch	2025-03-28 22:51:19.000000000 +0100
@@ -0,0 +1,27 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Wed, 22 Jan 2025 23:18:54 +0100
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/da8992f
+Bug: https://sourceforge.net/p/mcj/tickets/185/
+Forwarded: not-needed
+Subject: Reject huge pattern lengths, ticket #185
+ Reject patterned lines, e.g., dashed lines, where the pattern length exceeds
+ 80 inches.
+ This fixes CVE-2025-31162
+
+--- a/fig2dev/object.h
++++ b/fig2dev/object.h
+@@ -57,12 +57,13 @@ typedef struct f_comment {
+ 	struct f_comment	*next;
+ } F_comment;
+ 
++#define	STYLE_VAL_MAX	6400.0	/* dash length 80 inches, that is enough */
+ #define COMMON_PROPERTIES(o)						\
+ 	o->style < SOLID_LINE || o->style > DASH_3_DOTS_LINE ||		\
+ 	o->thickness < 0 || o->depth < 0 || o->depth > 999 ||		\
+ 	o->fill_style < UNFILLED ||					\
+ 	o->fill_style >= NUMSHADES + NUMTINTS + NUMPATTERNS ||		\
+-	o->style_val < 0.0
++	o->style_val < 0.0 || o->style_val > STYLE_VAL_MAX
+ 
+ typedef struct f_ellipse {
+ 	int			type;
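Review bot: The new upper bound on the `o->style_val > STYLE_VAL_MAX` line still lets a NaN through, because both `o->style_val < 0.0` and `o->style_val > STYLE_VAL_MAX` are false for NaN, so COMMON_PROPERTIES would accept such a value unchanged; whether the parser can actually produce one (it would if style_val is read with a scanf/strtod-family call, which is not visible here) needs to be confirmed. Writing the range test positively closes the gap regardless: `!(o->style_val >= 0.0 && o->style_val <= STYLE_VAL_MAX)`. The COMMON_PROPERTIES macro is complete within the hunk, but the object readers that evaluate it are outside it.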
diff -Nru fig2dev-3.2.8b/debian/patches/39_CVE-2025-31163.patch fig2dev-3.2.8b/debian/patches/39_CVE-2025-31163.patch
--- fig2dev-3.2.8b/debian/patches/39_CVE-2025-31163.patch	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/39_CVE-2025-31163.patch	2025-03-28 22:51:19.000000000 +0100
@@ -0,0 +1,62 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Wed, 22 Jan 2025 23:27:43 +0100
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/c8a87d2
+Bug: https://sourceforge.net/p/mcj/tickets/186/
+Forwarded: not-needed
+Subject: Reject arcs with co-incident points, ticket #186
+ This fixes CVE-2025-31163.
+
+--- a/fig2dev/object.h
++++ b/fig2dev/object.h
+@@ -92,10 +92,10 @@ typedef struct f_ellipse {
+ 	struct f_ellipse	*next;
+ } F_ellipse;
+ 
+-#define INVALID_ELLIPSE(e)	\
++#define INVALID_ELLIPSE(e)						\
+ 	e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA ||	\
+-	COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \
+-	e->radiuses.x == 0 || e->radiuses.y == 0 || \
++	COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) ||  \
++	e->radiuses.x == 0 || e->radiuses.y == 0 ||			\
+ 	e->angle < -7. || e->angle > 7.
+ 
+ typedef struct f_arc {
+@@ -122,12 +122,16 @@ typedef struct f_arc {
+ 	struct f_arc		*next;
+ } F_arc;
+ 
+-#define INVALID_ARC(a)	\
++#define COINCIDENT(a, b)	(a.x == b.x && a.y == b.y)
++#define INVALID_ARC(a)							\
+ 	a->type < T_OPEN_ARC || a->type > T_PIE_WEDGE_ARC ||		\
+ 	COMMON_PROPERTIES(a) || a->cap_style < 0 || a->cap_style > 2 ||	\
+ 	a->center.x < COORD_MIN || a->center.x > COORD_MAX ||		\
+ 	a->center.y < COORD_MIN || a->center.y > COORD_MAX ||		\
+-	(a->direction != 0 && a->direction != 1)
++	(a->direction != 0 && a->direction != 1) ||			\
++	COINCIDENT(a->point[0], a->point[1]) ||				\
++	COINCIDENT(a->point[0], a->point[2]) ||				\
++	COINCIDENT(a->point[1], a->point[2])
+ 
+ typedef struct f_line {
+ 	int			type;
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -223,6 +223,16 @@ EOF
+ ])
+ AT_CLEANUP
+ 
++AT_SETUP([reject arcs with coincident points, ticket #186])
++AT_KEYWORDS(read.c arc)
++AT_CHECK([fig2dev -L pict2e <<EOF
++FIG_FILE_TOP
++5 1 0 15 0 7 50 0 -1 0.0 1 0 0 0 0.0 0.0 1 1 1 1 2 0
++EOF
++], 1, ignore, [Invalid arc object at line 10.
++])
++AT_CLEANUP
++
+ AT_SETUP([survive debian bugs #881143, #881144])
+ AT_KEYWORDS([font pic tikz])
+ AT_CHECK([fig2dev -L pic <<EOF
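Review bot: COINCIDENT on the `#define COINCIDENT(a, b)` line does not parenthesize its arguments, so it is only correct for the postfix operands INVALID_ARC passes today; `#define COINCIDENT(a, b) ((a).x == (b).x && (a).y == (b).y)` keeps it safe for any operand expression. The three new terms reject only exactly equal points; three distinct but collinear points still pass INVALID_ARC, and whether the arc-center arithmetic downstream tolerates that degenerate case cannot be seen from this hunk. The new read.at case covers the coincident-point input for pict2e, which is the driver the ticket was raised against.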
diff -Nru fig2dev-3.2.8b/debian/patches/40_CVE-2025-31164.patch fig2dev-3.2.8b/debian/patches/40_CVE-2025-31164.patch
--- fig2dev-3.2.8b/debian/patches/40_CVE-2025-31164.patch	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/40_CVE-2025-31164.patch	2025-03-28 22:51:19.000000000 +0100
@@ -0,0 +1,48 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Tue, 21 Jan 2025 20:50:15 +0100
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/ff9aba2
+Forwarded: not-needed
+Bug: https://sourceforge.net/p/mcj/tickets/184/
+Subject: Allow an arc-box with zero radius, ticket #184
+ In the pict2e output, a rectangle with rounded corners, dashed line type and
+ zero corner-radius would cause a crash. Convert rectangles with rounded
+ corners and zero corner-radius to regular rectangles.
+ This fixes CVE-2025-31164.
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -960,6 +960,14 @@ sanitize_lineobject(
+ 	    return 0;
+ 	}
+ 
++	if (l->type == T_ARC_BOX && l->radius == 0) {
++		put_msg("A %s, but zero corner radius "
++			"at line %d - convert "
++			"to a rectangle.",
++			obj_name[l->type - 2],
++			line_no);
++			l->type = T_BOX;
++	}
+ 	if ((l->type == T_BOX || l->type == T_POLYGON ||
+ 			l->type == T_ARC_BOX || l->type == T_PIC_BOX) &&
+ 		l->points->next && l->points->next->next &&
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -109,6 +109,17 @@ EOF
+ ])
+ AT_CLEANUP
+ 
++AT_SETUP([convert an arc-box with zero radius to a box])
++AT_KEYWORDS(read.c arc-box)
++AT_CHECK([fig2dev -L pict2e <<EOF
++FIG_FILE_TOP
++2 4 1 1 0 0 50 -1 -1 4.0 0 0 0 0 0 5
++	0 0 300 0 300 300 0 300 0 0
++EOF
++],0,ignore,[A rectangle with rounded corners, but zero corner radius at line 11 - convert to a rectangle.
++])
++AT_CLEANUP
++
+ AT_SETUP([fail on a malformed arc-box])
+ AT_KEYWORDS(read.c malformed arc-box)
+ AT_CHECK([fig2dev -L pict2e <<EOF
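Review bot: The guard `if (l->type == T_ARC_BOX && l->radius == 0)` converts only a radius of exactly zero; if radius is taken straight from the input file, a negative value passes this guard untouched and nothing in the hunk rejects it, so either confirm a range check exists elsewhere in sanitize_lineobject or handle that case here as well. The assignment `l->type = T_BOX;` is indented one level too deep, which makes it read as a continuation of the put_msg() argument list; it should sit at the same depth as the put_msg call. sanitize_lineobject starts before and continues after the hunk.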
diff -Nru fig2dev-3.2.8b/debian/patches/series fig2dev-3.2.8b/debian/patches/series
--- fig2dev-3.2.8b/debian/patches/series	2022-09-20 17:24:07.000000000 +0200
+++ fig2dev-3.2.8b/debian/patches/series	2025-03-28 22:51:19.000000000 +0100
@@ -7,3 +7,6 @@
 35_pict2e_output.patch
 36_arrowhead.patch
 37_arrow2point.patch
+38_CVE-2025-31162.patch
+39_CVE-2025-31163.patch
+40_CVE-2025-31164.patch
diff -Nru fig2dev-3.2.8b/debian/salsa-ci.yml fig2dev-3.2.8b/debian/salsa-ci.yml
--- fig2dev-3.2.8b/debian/salsa-ci.yml	2022-09-20 17:24:07.000000000 +0200
+++ fig2dev-3.2.8b/debian/salsa-ci.yml	2025-03-28 22:51:19.000000000 +0100
@@ -1,3 +1,6 @@
 include:
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'bookworm'

--- End Message ---
--- Begin Message ---
Version: 12.11
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---
