Fixed CVE-2020-21676

Resolves: #2000751

0013-CVE-2020-21676.patch

@@ -0,0 +1,83 @@
+From 180cf468f8999cfb7245bac5b3be447aefa6c852 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Fri, 3 Sep 2021 08:24:19 +0200
+Subject: [PATCH] Reject text or ellipse angles beyond -2pi to 2pi, #76
+
+In fact, generously extend the allowed range to -7 to 7.
+Sane applications, e.g., xfig, certainly keep the angles within one revolution.
+---
+ CHANGES               | 5 +++--
+ fig2dev/object.h      | 7 ++++---
+ fig2dev/tests/read.at | 8 ++++++++
+ 3 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index f1bbbc3..52daead 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -6,8 +6,9 @@ Patchlevel Xx (Xxx 20xx)
+ 
+ BUGS FIXED:
+ 	Ticket numbers refer to https://sourceforge.net/p/mcj/tickets/#.
+-	o Fix ticket #81.
+-	o Do not allow ASCII NUL anywhere in input. Fixes ticket #80.
++	o Accept text and ellipse angles only within -2*pi to 2*pi. Fixes #76.
++	o Allow -1 as default TeX font, not only 0. Fixes #71, #75, #81.
++	o Do not allow ASCII NUL anywhere in input. Fixes #65, #68, #73, #80.
+ 	o Use getline() to improve input scanning.
+ 	  Fixes tickets #58, #59, #61, #62, #67, #78, #79.
+ 	o Correctly scan embedded pdfs for /MediaBox value.
+diff --git a/fig2dev/object.h b/fig2dev/object.h
+index fe56bbb..8464010 100644
+--- a/fig2dev/object.h
++++ b/fig2dev/object.h
+@@ -3,7 +3,7 @@
+  * Copyright (c) 1991 by Micah Beck
+  * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+  * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2019 by Thomas Loimer
++ * Parts Copyright (c) 2015-2020 by Thomas Loimer
+  *
+  * Any party obtaining a copy of these files is granted, free of charge, a
+  * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -94,7 +94,8 @@ typedef struct f_ellipse {
+ #define INVALID_ELLIPSE(e)	\
+ 	e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA ||	\
+ 	COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \
+-	e->radiuses.x == 0 || e->radiuses.y == 0
++	e->radiuses.x == 0 || e->radiuses.y == 0 || \
++	e->angle < -7. || e->angle > 7.
+ 
+ typedef struct f_arc {
+ 	int			type;
+@@ -243,7 +244,7 @@ typedef struct f_text {
+ 	t->type < T_LEFT_JUSTIFIED || t->type > T_RIGHT_JUSTIFIED ||	\
+ 	t->font < DEFAULT || t->font > MAX_PSFONT ||			\
+ 	t->flags < DEFAULT || t->flags >= 2 * HIDDEN_TEXT ||		\
+-	t->height < 0 || t->length < 0
++	t->height < 0 || t->length < 0 || t->angle < -7. || t->angle > 7.
+ 
+ typedef struct f_control {
+ 	double			lx, ly, rx, ry;	/* used by older versions*/
+diff --git a/fig2dev/tests/read.at b/fig2dev/tests/read.at
+index 60982b0..c53fbb9 100644
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -422,6 +422,14 @@ AT_KEYWORDS([read.c svg])
+ AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig], 1, ignore, ignore)
+ AT_CLEANUP
+ 
++AT_SETUP([reject out of range text angle, ticket #76])
++AT_CHECK([fig2dev -L pstricks <<EOF
++FIG_FILE_TOP
++4 0 0 50 -1 -1 12 9e26 0 150 405 0 0 Very slanted text\001
++EOF
++], 1, ignore, ignore)
++AT_CLEANUP
++
+ AT_BANNER([Dynamically allocate picture file name.])
+ 
+ AT_SETUP([prepend fig file path to picture file name])
+-- 
+2.31.1
+

transfig.spec

@@ -19,6 +19,7 @@ Patch9:		0009-CVE-2020-21681.patch
 Patch10:	0010-CVE-2020-21683.patch
 Patch11:	0011-CVE-2020-21680.patch
 Patch12:  0012-CVE-2020-21678-CVE-2020-21684.patch
+Patch13:  0013-CVE-2020-21676.patch
 
 Requires:	ghostscript
 Requires:	bc
@@ -77,6 +78,7 @@ mv fig2dev.1.in.new man/fig2dev.1.in
 - Fixed CVE-2020-21680 (#1998306)
 - Fixed CVE-2020-21684 (#2000747)
 - Fixed CVE-2020-21678 (#2000741)
+- Fixed CVE-2020-21676 (#2000751)
 
 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1:3.2.7b-6
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags