From 1f819fb044c698574e4eb94eeedf616001fb44f6 Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj
Date: Fri, 3 Sep 2021 08:26:18 +0200
Subject: [PATCH] Fixed CVE-2020-21676
Resolves: #2000751
---
 0013-CVE-2020-21676.patch | 83 +++++++++++++++++++++++++++++++++++++++
 transfig.spec | 2 +
 2 files changed, 85 insertions(+)
 create mode 100644 0013-CVE-2020-21676.patch
diff --git a/0013-CVE-2020-21676.patch b/0013-CVE-2020-21676.patch
new file mode 100644
index 0000000..df5af3f
--- /dev/null
+++ b/0013-CVE-2020-21676.patch
@@ -0,0 +1,83 @@
+From 180cf468f8999cfb7245bac5b3be447aefa6c852 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj
+Date: Fri, 3 Sep 2021 08:24:19 +0200
+Subject: [PATCH] Reject text or ellipse angles beyond -2pi to 2pi, #76
+
+In fact, generously extend the allowed range to -7 to 7.
+Sane applications, e.g., xfig, certainly keep the angles within one revolution.
+---
+ CHANGES | 5 +++--
+ fig2dev/object.h | 7 ++++---
+ fig2dev/tests/read.at | 8 ++++++++
+ 3 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index f1bbbc3..52daead 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -6,8 +6,9 @@ Patchlevel Xx (Xxx 20xx)
+
+ BUGS FIXED:
+ Ticket numbers refer to https://sourceforge.net/p/mcj/tickets/#.
+- o Fix ticket #81.
+- o Do not allow ASCII NUL anywhere in input. Fixes ticket #80.
++ o Accept text and ellipse angles only within -2*pi to 2*pi. Fixes #76.
++ o Allow -1 as default TeX font, not only 0. Fixes #71, #75, #81.
++ o Do not allow ASCII NUL anywhere in input. Fixes #65, #68, #73, #80.
+ o Use getline() to improve input scanning.
+ Fixes tickets #58, #59, #61, #62, #67, #78, #79.
+ o Correctly scan embedded pdfs for /MediaBox value.
+diff --git a/fig2dev/object.h b/fig2dev/object.h
+index fe56bbb..8464010 100644
+--- a/fig2dev/object.h
++++ b/fig2dev/object.h
+@@ -3,7 +3,7 @@
+ * Copyright (c) 1991 by Micah Beck
+ * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+ * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2019 by Thomas Loimer
++ * Parts Copyright (c) 2015-2020 by Thomas Loimer
+ *
+ * Any party obtaining a copy of these files is granted, free of charge, a
+ * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -94,7 +94,8 @@ typedef struct f_ellipse {
+ #define INVALID_ELLIPSE(e) \
+ e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA || \
+ COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \
+- e->radiuses.x == 0 || e->radiuses.y == 0
++ e->radiuses.x == 0 || e->radiuses.y == 0 || \
++ e->angle < -7. || e->angle > 7.
+
+ typedef struct f_arc {
+ int type;
+@@ -243,7 +244,7 @@ typedef struct f_text {
+ t->type < T_LEFT_JUSTIFIED || t->type > T_RIGHT_JUSTIFIED || \
+ t->font < DEFAULT || t->font > MAX_PSFONT || \
+ t->flags < DEFAULT || t->flags >= 2 * HIDDEN_TEXT || \
+- t->height < 0 || t->length < 0
++ t->height < 0 || t->length < 0 || t->angle < -7. || t->angle > 7.
+
+ typedef struct f_control {
+ double lx, ly, rx, ry; /* used by older versions*/
+diff --git a/fig2dev/tests/read.at b/fig2dev/tests/read.at
+index 60982b0..c53fbb9 100644
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -422,6 +422,14 @@ AT_KEYWORDS([read.c svg])
+ AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig], 1, ignore, ignore)
+ AT_CLEANUP
+
++AT_SETUP([reject out of range text angle, ticket #76])
++AT_CHECK([fig2dev -L pstricks < - 1:3.2.7b-6 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
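Review bot: The range tests added to INVALID_ELLIPSE in fig2dev/object.h (`e->angle < -7. || e->angle > 7.`), and the matching `t->angle` test added to the text-validity macro in the `@@ -243,7 +244,7 @@` hunk, do not reject NaN, because both comparisons evaluate to false for a NaN operand and the object is then treated as valid. If the angle is read with a scanf-style floating-point conversion (the reader is not visible here), a non-finite spelling in the input would presumably pass this check and reach the later angle arithmetic. Writing each test as a negated inclusion, `!(e->angle >= -7. && e->angle <= 7.)` and `!(t->angle >= -7. && t->angle <= 7.)`, rejects NaN together with the out-of-range values and needs no extra header. The `#define` line of the text macro lies outside its hunk, and the new read.at test is cut off on this page, so whether the ellipse case and non-finite angles are tested cannot be confirmed from here.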