From 2eaab1479d0331d4a499d22c3f9a69d68b6e5145 Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj
Date: Tue, 21 Sep 2021 10:39:14 +0200
Subject: [PATCH] Fixed CVE-2020-21532
Resolves: #2006007
---
 0015-CVE-2020-21532.patch | 134 ++++++++++++++++++++++++++++++++++++++
 transfig.spec | 2 +
 2 files changed, 136 insertions(+)
 create mode 100644 0015-CVE-2020-21532.patch
diff --git a/0015-CVE-2020-21532.patch b/0015-CVE-2020-21532.patch
new file mode 100644
index 0000000..d308b7a
--- /dev/null
+++ b/0015-CVE-2020-21532.patch
@@ -0,0 +1,134 @@
+From ae23821f5959ee7c6d10cf0219fad013d3469a6f Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj
+Date: Tue, 21 Sep 2021 10:35:53 +0200
+Subject: [PATCH] Accept -1 as default TeX font, fixes ticket #81
+
+The default for PostScript fonts is -1, for TeX fonts 0. Accepting -1 for TeX
+fonts lead to out-of-bound read. Now, -1 for TeX fonts is converted to 0.
+
+Accept -1 TeX font in more places, fixes #71, #75
+
+Continue the work started in commit [00cded]. Fix the fundamental issue of
+tickets #71 and #75, which was hidden by commit [d70e4b].
+---
+ fig2dev/dev/genpict2e.c | 9 +++++----
+ fig2dev/dev/gentikz.c | 9 +++++----
+ fig2dev/dev/texfonts.h | 14 +++++++++-----
+ fig2dev/tests/read.at | 14 +++++++++++++-
+ 4 files changed, 32 insertions(+), 14 deletions(-)
+
+diff --git a/fig2dev/dev/genpict2e.c b/fig2dev/dev/genpict2e.c
+index 9f828f0..22daedd 100644
+--- a/fig2dev/dev/genpict2e.c
++++ b/fig2dev/dev/genpict2e.c
+@@ -2222,11 +2222,12 @@ put_font(F_text *t)
+ }
+
+ if (psfont_text(t))
+- fprintf(tfp, "\\usefont%s",
+- texpsfonts[t->font <= MAX_PSFONT ? t->font + 1 : 0]);
++ fprintf(tfp, "\\usefont%s", texpsfonts[t->font <= MAX_PSFONT ?
++ t->font + 1 : 0]);
+ else
+- fprintf(tfp, "\\normalfont%s ",
+- texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1]);
++ /* Default psfont is -1, default texfont 0, also accept -1. */
++ fprintf(tfp, "\\normalfont%s ", texfonts[t->font <= MAX_FONT ?
++ (t->font >= 0 ? t->font : 0) : MAX_FONT - 1]);
+ }
+
+ void
+diff --git a/fig2dev/dev/gentikz.c b/fig2dev/dev/gentikz.c
+index 96ee41c..6d8aff4 100644
+--- a/fig2dev/dev/gentikz.c
++++ b/fig2dev/dev/gentikz.c
+@@ -1771,11 +1771,12 @@ put_font(F_text *t)
+ }
+
+ if (psfont_text(t))
+- fprintf(tfp, "\\usefont%s",
+- texpsfonts[t->font <= MAX_PSFONT ? t->font + 1 : 0]);
++ fprintf(tfp, "\\usefont%s", texpsfonts[t->font <= MAX_PSFONT ?
++ t->font + 1 : 0]);
+ else
+- fprintf(tfp, "\\normalfont%s ",
+- texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1]);
++ /* Default psfont is -1, default texfont 0, also accept -1. */
++ fprintf(tfp, "\\normalfont%s ", texfonts[t->font <= MAX_FONT ?
++ (t->font >= 0 ? t->font : 0) : MAX_FONT - 1]);
+ }
+
+ /*
+diff --git a/fig2dev/dev/texfonts.h b/fig2dev/dev/texfonts.h
+index 89097f2..e5254b6 100644
+--- a/fig2dev/dev/texfonts.h
++++ b/fig2dev/dev/texfonts.h
+@@ -35,17 +35,21 @@ extern char texfontsizes[];
+ #define MAXFONTSIZE 42
+
+ #ifdef NFSS
+-#define TEXFAMILY(F) (texfontfamily[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)])
+-#define TEXSERIES(F) (texfontseries[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)])
+-#define TEXSHAPE(F) (texfontshape[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)])
++#define TEXFAMILY(F) texfontfamily[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \
++ : MAX_FONT-1]
++#define TEXSERIES(F) texfontseries[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \
++ : MAX_FONT-1]
++#define TEXSHAPE(F) texfontshape[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \
++ : MAX_FONT-1]
+ #endif
+-#define TEXFONT(F) (texfontnames[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)])
++#define TEXFONT(F) texfontnames[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \
++ : MAX_FONT-1]
+
+ /*
+ #define TEXFONTSIZE(S) (texfontsizes[((S) <= MAXFONTSIZE) ? (int)(round(S))\
+ : (MAXFONTSIZE-1)])
+ */
+-#define TEXFONTSIZE(S) (((S) <= MAXFONTSIZE) ? texfontsizes[(int)(round(S))] : (S))
++#define TEXFONTSIZE(S) ((S) <= MAXFONTSIZE ? texfontsizes[(int)round(S)] : (S))
+ #define TEXFONTMAG(T) TEXFONTSIZE(T->size*(rigid_text(T) ? 1.0 : fontmag))
+
+ void setfigfont(F_text *text); /* genepic.c */
+diff --git a/fig2dev/tests/read.at b/fig2dev/tests/read.at
+index c53fbb9..d85356b 100644
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -406,7 +406,7 @@ EOF
+ ])
+ AT_CLEANUP
+
+-AT_SETUP([allow tex font -1, ticket #81])
++AT_SETUP([allow tex font -1, tickets #71, #75, #81])
+ AT_KEYWORDS([pict2e tikz])
+ AT_DATA([text.fig], [FIG_FILE_TOP
+ 4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 Text\001
+@@ -415,6 +415,8 @@ AT_CHECK([fig2dev -L pict2e text.fig
+ ], 0, ignore)
+ AT_CHECK([fig2dev -L tikz text.fig
+ ], 0, ignore)
++AT_CHECK([fig2dev -L mp text.fig
++], 0, ignore)
+ AT_CLEANUP
+
+ AT_SETUP([reject ASCII NUL ('\0') in input, ticket #80])
+@@ -430,6 +432,16 @@ EOF
+ ], 1, ignore, ignore)
+ AT_CLEANUP
+
++AT_SETUP([allow tex font -1, ticket #81])
++AT_DATA([text.fig], [FIG_FILE_TOP
++4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 Text\001
++])
++AT_CHECK([fig2dev -L pict2e text.fig
++], 0, ignore)
++AT_CHECK([fig2dev -L tikz text.fig
++], 0, ignore)
++AT_CLEANUP
++
+ AT_BANNER([Dynamically allocate picture file name.])
+
+ AT_SETUP([prepend fig file path to picture file name])
+--
+2.31.1
+
diff --git a/transfig.spec b/transfig.spec
index 802e310..f99aee4 100644
--- a/transfig.spec
+++ b/transfig.spec
@@ -21,6 +21,7 @@ Patch11: 0011-CVE-2020-21680.patch Patch12: 0012-CVE-2020-21678-CVE-2020-21684.patch Patch13: 0013-CVE-2020-21676.patch Patch14: 0014-CVE-2020-21529.patch +Patch15: 0015-CVE-2020-21532.patch Requires: ghostscript Requires: bc
@@ -75,6 +76,7 @@ mv fig2dev.1.in.new man/fig2dev.1.in %changelog * Mon Sep 20 2021 Ondrej Dubaj - 1:3.2.7b-8 - Fixed CVE-2020-21529 (#2005518) +- Fixed CVE-2020-21532 (#2006007) * Mon Aug 30 2021 Ondrej Dubaj - 1:3.2.7b-7 - Fixed CVE-2020-21681 (#1998350)
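Review bot: The PostScript branch of put_font in the bundled genpict2e.c hunk still has no lower bound on its index: `texpsfonts[t->font <= MAX_PSFONT ? t->font + 1 : 0]` maps -1 to entry 0, but any font value below -1 yields a negative index, the same kind of out-of-bounds read this patch closes for TeX fonts. Unless the reader already rejects such values (not visible here), clamp both sides, e.g. `texpsfonts[t->font >= -1 && t->font <= MAX_PSFONT ? t->font + 1 : 0]`. The identical line in the gentikz.c hunk needs the same change, and `TEXFONTSIZE` in texfonts.h likewise tests only `(S) <= MAXFONTSIZE` before `texfontsizes[(int)round(S)]`, so a negative size would index before the array. put_font begins outside both inner hunks, so validation earlier in the function cannot be ruled out from here.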