Fixed CVE-2020-21680

Resolves: #1998306
2021-08-30 10:58:19 +02:00 · 2021-08-30 10:58:19 +02:00 · 51d1f1a277
commit 51d1f1a277
parent 952fb15c98
2 changed files with 57 additions and 0 deletions
--- a/0011-CVE-2020-21680.patch
+++ b/0011-CVE-2020-21680.patch
@ -0,0 +1,55 @@
+Subject: [PATCH] Allow arrows with zero length on arcs
+
+Use the tangent, not a secant, for short arrows on arcs.
+---
+ fig2dev/bound.c         | 9 ++++-----
+ fig2dev/tests/output.at | 8 ++++++++
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/fig2dev/bound.c b/fig2dev/bound.c
+index ce7f4d1..9e997b7 100644
+--- a/fig2dev/bound.c
+++ b/fig2dev/bound.c
+@@ -1095,16 +1095,15 @@ compute_arcarrow_angle(double x1, double y1, double x2, double y2,
+ 	r=sqrt(dx*dx+dy*dy);
+ 	h = (double) arrow->ht;
+ 	/* lines are made a little thinner in set_linewidth */
+-	thick = (arrow->thickness <= THICK_SCALE) ?
+-		    0.5* arrow->thickness :
+-		    arrow->thickness - THICK_SCALE;
+	thick = arrow->thickness <= THICK_SCALE ?
+		0.5 * arrow->thickness : arrow->thickness - THICK_SCALE;
+ 	/* lpt is the amount the arrowhead extends beyond the end of the line */
+ 	lpt = thick/2.0/(arrow->wid/h/2.0);
+ 	/* add this to the length */
+ 	h += lpt;
+ 
+-	/* radius too small for this method, use normal method */
+-	if (h > 2.0*r) {
+	/* secant would be too large or too small */
+	if (h > 2.0*r || h < 0.01*r) {
+ 	    arc_tangent_int(x1,y1,x2,y2,direction,x,y);
+ 	    return;
+ 	}
+diff --git a/fig2dev/tests/output.at b/fig2dev/tests/output.at
+index 79788cc..9150dbe 100644
+--- a/fig2dev/tests/output.at
+++ b/fig2dev/tests/output.at
+@@ -175,6 +175,14 @@ AT_CHECK([fig2dev -L pict2e -P big1.fig big1.tex && \
+ ], 0, ignore)
+ AT_CLEANUP
+ 
+AT_SETUP([accept arc arrows with zero height, ticket #74])
+AT_KEYWORDS(pict2e)
+AT_CHECK([fig2dev -L pict2e <<EOF
+FIG_FILE_TOP
+5 1 0 1 0 7 50 -1 -1 0.0 0 0 1 0 0.0 0.0 600 0 0 600 -600 0
+	1 1 1.0 60.0 0.0
+EOF], 0, ignore)
+AT_CLEANUP
+ 
+ AT_BANNER([Test svg output language.])
+ AT_SETUP([compare patterns with template])
+-- 
+2.31.1
+
--- a/transfig.spec
+++ b/transfig.spec
@ -17,6 +17,7 @@ Patch7:		0007-Use-getopt-from-standard-libraries-if-available.patch
 Patch8:		0008-Replace-most-calls-to-fgets-by-getline-in-read.c.patch
 Patch9:		0009-CVE-2020-21681.patch
 Patch10:	0010-CVE-2020-21683.patch
+Patch11:	0011-CVE-2020-21680.patch

 Requires:	ghostscript
 Requires:	bc
@ -72,6 +73,7 @@ mv fig2dev.1.in.new man/fig2dev.1.in
 * Mon Aug 30 2021 Ondrej Dubaj <odubaj@redhat.com> - 1:3.2.7b-7
 - Fixed CVE-2020-21681 (#1998350)
 - Fixed CVE-2020-21683 (#1998594)
+- Fixed CVE-2020-21680 (#1998306)

 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1:3.2.7b-6
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags