Fixed CVE-2020-21684

Fixed CVE-2020-21678 Resolves: #2000741 Resolves: #2000747
2021-09-03 08:58:22 +02:00 · 2021-09-03 08:58:22 +02:00 · 21b82fd93d
commit 21b82fd93d
parent 51d1f1a277
2 changed files with 137 additions and 0 deletions
--- a/0012-CVE-2020-21678-CVE-2020-21684.patch
+++ b/0012-CVE-2020-21678-CVE-2020-21684.patch
@ -0,0 +1,134 @@
+From 8e7bcd6952535163a919e1f6891b44521ba86a8d Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Fri, 3 Sep 2021 08:15:34 +0200
+Subject: [PATCH] Reject ASCII NUL anywhere in the input
+
+The input is read in line by line, stored in a buffer and processed further
+with sscanf(). Embedded NUL characters ('\0') would already disturb sscanf(),
+and nowhere does the code expect NUL characters. Therefore, detect NUL while
+reading the input, and exit with an error message when NUL is found anywere.
+Fixes ticket #80.
+---
+ CHANGES                              |   4 ++++
+ fig2dev/read.c                       |  21 +++++++++++++++++++--
+ fig2dev/tests/data/text_w_ascii0.fig |  12 ++++++++++++
+ fig2dev/tests/read.at                |  16 ++++++++++++++++
+ 4 files changed, 51 insertions(+), 2 deletions(-)
+ create mode 100644 fig2dev/tests/data/text_w_ascii0.fig
+
+diff --git a/CHANGES b/CHANGES
+index 4a414fa..f1bbbc3 100644
+--- a/CHANGES
+++ b/CHANGES
+@@ -6,6 +6,10 @@ Patchlevel Xx (Xxx 20xx)
+ 
+ BUGS FIXED:
+ 	Ticket numbers refer to https://sourceforge.net/p/mcj/tickets/#.
+	o Fix ticket #81.
+	o Do not allow ASCII NUL anywhere in input. Fixes ticket #80.
+	o Use getline() to improve input scanning.
+	  Fixes tickets #58, #59, #61, #62, #67, #78, #79.
+ 	o Correctly scan embedded pdfs for /MediaBox value.
+ 	o Convert polygons having too few points to polylines. Ticket #56.
+ 	o Reject huge arrow types causing integer overflow. Ticket #57.
+diff --git a/fig2dev/read.c b/fig2dev/read.c
+index aea9537..6e47f2d 100644
+--- a/fig2dev/read.c
+++ b/fig2dev/read.c
+@@ -200,8 +200,14 @@ read_objects(FILE *fp, F_compound *obj)
+ 		put_msg("Could not read input file.");
+ 		return -1;
+ 	}
+-	/* seek to the end of the first line */
+-	if (strchr(buf, '\n') == NULL) {
+
+	/* check for embedded '\0' */
+	if (strlen(buf) < sizeof buf - 1 && buf[strlen(buf) - 1] != '\n') {
+		put_msg("ASCII NUL ('\\0') character within the first line.");
+		exit(EXIT_FAILURE);
+	/* seek to the end of the first line
+	   (the only place, where '\0's are tolerated) */
+	} else if (buf[strlen(buf) - 1] != '\n') {
+ 		int	c;
+ 		do
+ 			c = fgetc(fp);
+@@ -1399,6 +1405,15 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len,
+ 	return s;
+ }
+ 
+static void
+exit_on_ascii_NUL(const char *restrict line, size_t chars, int line_no)
+{
+	if (strlen(line) < (size_t)chars) {
+		put_msg("ASCII NUL ('\\0') in line %d.", line_no);
+		exit(EXIT_FAILURE);
+	}
+}
+
+ static char *
+ find_end(const char *str, int v30flag)
+ {
+@@ -1470,6 +1485,7 @@ read_textobject(FILE *fp, char **restrict line, size_t *line_len, int *line_no)
+ 
+ 		while ((chars = getline(line, line_len, fp)) != -1) {
+ 			++(*line_no);
+			exit_on_ascii_NUL(*line, chars, *line_no);
+ 			end = find_end(*line, v30_flag);
+ 			if (end) {
+ 				*end = '\0';
+@@ -1641,6 +1657,7 @@ get_line(FILE *fp, char **restrict line, size_t *line_len, int *line_no)
+ 		if (**line == '\n' || (**line == '\r' &&
+ 					chars == 2 && (*line)[1] == '\n'))
+ 			continue;
+		exit_on_ascii_NUL(*line, chars, *line_no);
+ 		/* remove newline and possibly a carriage return */
+ 		if ((*line)[chars-1] == '\n') {
+ 			chars -= (*line)[chars - 2] == '\r' ? 2 : 1;
+diff --git a/fig2dev/tests/data/text_w_ascii0.fig b/fig2dev/tests/data/text_w_ascii0.fig
+new file mode 100644
+index 0000000..c0aa754
+--- /dev/null
+++ b/fig2dev/tests/data/text_w_ascii0.fig
+@@ -0,0 +1,12 @@
+#FIG 3.2
+Landscape
+Center
+Inches
+Letter
+100.00
+Single
+-2
+1200 2
+4 0 0 2 0 25 163 31 7 0  0 -1 1 0 2
+ 0& 4 120 5 y\  0 0 0^^^^^J^^^^^<U+0080>ÿÿ^^^^^^^^^^^^^^^^^^^^^^45 E\0I1y\001
+#4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 An ascii zero '\\0' here ->...and some more text following, with a certain amount of minimum characters\001
+diff --git a/fig2dev/tests/read.at b/fig2dev/tests/read.at
+index 9b34bfb..60982b0 100644
+--- a/fig2dev/tests/read.at
+++ b/fig2dev/tests/read.at
+@@ -406,6 +406,22 @@ EOF
+ ])
+ AT_CLEANUP
+ 
+AT_SETUP([allow tex font -1, ticket #81])
+AT_KEYWORDS([pict2e tikz])
+AT_DATA([text.fig], [FIG_FILE_TOP
+4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 Text\001
+])
+AT_CHECK([fig2dev -L pict2e text.fig
+], 0, ignore)
+AT_CHECK([fig2dev -L tikz text.fig
+], 0, ignore)
+AT_CLEANUP
+
+AT_SETUP([reject ASCII NUL ('\0') in input, ticket #80])
+AT_KEYWORDS([read.c svg])
+AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig], 1, ignore, ignore)
+AT_CLEANUP
+
+ AT_BANNER([Dynamically allocate picture file name.])
+ 
+ AT_SETUP([prepend fig file path to picture file name])
+-- 
+2.31.1
+
--- a/transfig.spec
+++ b/transfig.spec
@ -18,6 +18,7 @@ Patch8:		0008-Replace-most-calls-to-fgets-by-getline-in-read.c.patch
 Patch9:		0009-CVE-2020-21681.patch
 Patch10:	0010-CVE-2020-21683.patch
 Patch11:	0011-CVE-2020-21680.patch
+Patch12:  0012-CVE-2020-21678-CVE-2020-21684.patch

 Requires:	ghostscript
 Requires:	bc
@ -74,6 +75,8 @@ mv fig2dev.1.in.new man/fig2dev.1.in
 - Fixed CVE-2020-21681 (#1998350)
 - Fixed CVE-2020-21683 (#1998594)
 - Fixed CVE-2020-21680 (#1998306)
+- Fixed CVE-2020-21684 (#2000747)
+- Fixed CVE-2020-21678 (#2000741)

 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1:3.2.7b-6
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags