From 8b6a9bcc0c54030ebb931fdabe1e82f165781c92 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 7 Dec 2021 14:31:07 -0500
Subject: [PATCH] import transfig-3.2.7b-10.el9
---
.../0009-CVE-2020-21681-CVE-2020-21682.patch | 109 ++++++++++++++
SOURCES/0010-CVE-2020-21683.patch | 25 ++++
SOURCES/0011-CVE-2020-21680.patch | 55 +++++++
.../0012-CVE-2020-21678-CVE-2020-21684.patch | 134 ++++++++++++++++++
SOURCES/0013-CVE-2020-21676.patch | 83 +++++++++++
SOURCES/0014-CVE-2020-21529.patch | 32 +++++
SOURCES/0015-CVE-2020-21532.patch | 134 ++++++++++++++++++
SOURCES/0016-CVE-2020-21531.patch | 63 ++++++++
SOURCES/0017-CVE-2021-32280.patch | 29 ++++
SOURCES/0018-exit-no-args.patch | 39 +++++
SPECS/transfig.spec | 32 ++++-
11 files changed, 734 insertions(+), 1 deletion(-)
create mode 100644 SOURCES/0009-CVE-2020-21681-CVE-2020-21682.patch
create mode 100644 SOURCES/0010-CVE-2020-21683.patch
create mode 100644 SOURCES/0011-CVE-2020-21680.patch
create mode 100644 SOURCES/0012-CVE-2020-21678-CVE-2020-21684.patch
create mode 100644 SOURCES/0013-CVE-2020-21676.patch
create mode 100644 SOURCES/0014-CVE-2020-21529.patch
create mode 100644 SOURCES/0015-CVE-2020-21532.patch
create mode 100644 SOURCES/0016-CVE-2020-21531.patch
create mode 100644 SOURCES/0017-CVE-2021-32280.patch
create mode 100644 SOURCES/0018-exit-no-args.patch
diff --git a/SOURCES/0009-CVE-2020-21681-CVE-2020-21682.patch b/SOURCES/0009-CVE-2020-21681-CVE-2020-21682.patch
new file mode 100644
index 0000000..9f2f2c3
--- /dev/null
+++ b/SOURCES/0009-CVE-2020-21681-CVE-2020-21682.patch
@@ -0,0 +1,109 @@ +Subject: [PATCH] Allow DEFAULT color in cgm and ge output and fix memory leak + in gencgm.c + +--- + fig2dev/dev/gencgm.c | 8 +++++++- + fig2dev/dev/genge.c | 7 ++++--- + fig2dev/tests/data/line.fig | 2 +- + fig2dev/tests/output.at | 10 ++++++++++ + 4 files changed, 22 insertions(+), 5 deletions(-) + +diff --git a/fig2dev/dev/gencgm.c b/fig2dev/dev/gencgm.c +index 6d9d9cb..0033c36 100644 +--- a/fig2dev/dev/gencgm.c ++++ b/fig2dev/dev/gencgm.c +@@ -148,9 +148,11 @@ gencgm_start(F_compound *objects) + { + int i; + char *p, *figname; ++ char *figname_buf = NULL; + + if (from) { +- figname = strdup(from); ++ figname_buf = strdup(from); ++ figname = figname_buf; + p = strrchr(figname, '/'); + if (p) + figname = p+1; /* remove path from name for comment in file */ +@@ -252,6 +254,8 @@ gencgm_start(F_compound *objects) + print_comments("% ",objects->comments, " %"); + fprintf(tfp,"%% %%\n"); + } ++ if (figname_buf) ++ free(figname_buf); + } + + int +@@ -549,6 +553,8 @@ hatchindex(index) + static void + getrgb(int color, int *r, int *g, int *b) + { ++ if (color < 0) /* DEFAULT color is black */ ++ color = 0; + if (color < NUM_STD_COLS) { + *r = stdcols[color].r * 255.; + *g = stdcols[color].g * 255.; +diff --git a/fig2dev/dev/genge.c b/fig2dev/dev/genge.c +index 8caabf1..c2ab712 100644 +--- a/fig2dev/dev/genge.c ++++ b/fig2dev/dev/genge.c +@@ -52,7 +52,8 @@ static void genge_ctl_spline(F_spline *s); + /* color mapping */ + /* xfig ge */ + +-static int GE_COLORS[] = { 1, /* black black */ ++static int GE_COLORS[] = { 1, /* DEFAULT == black */ ++ 1, /* black black */ + 8, /* blue blue */ + 7, /* green green */ + 6, /* cyan cyan */ +@@ -434,7 +435,7 @@ back_arrow(F_line *l) + static void + set_color(int col) + { +- fprintf(tfp,"c%02d ",GE_COLORS[col]); ++ fprintf(tfp,"c%02d ",GE_COLORS[col + 1]); + } + + /* set fill if there is a fill style */ +@@ -443,7 +444,7 @@ static void + set_fill(int style, int color) + { + if (style != UNFILLED) +- 
fprintf(tfp,"C%02d ",GE_COLORS[color]); ++ fprintf(tfp,"C%02d ",GE_COLORS[color + 1]); + } + + /* +diff --git a/fig2dev/tests/data/line.fig b/fig2dev/tests/data/line.fig +index e033b12..bfc4976 100644 +--- a/fig2dev/tests/data/line.fig ++++ b/fig2dev/tests/data/line.fig +@@ -7,5 +7,5 @@ A9 + Single + -2 + 1200 2 +-2 1 0 3 0 7 50 -1 -1 0.0 0 0 -1 0 0 3 ++2 1 0 3 -1 7 50 -1 -1 0.0 0 0 -1 0 0 3 + 50 50 500 50 500 200 +diff --git a/fig2dev/tests/output.at b/fig2dev/tests/output.at +index 9a1bc45..79788cc 100644 +--- a/fig2dev/tests/output.at ++++ b/fig2dev/tests/output.at +@@ -261,3 +261,13 @@ AT_CHECK([fig2dev -L tikz -P big1.fig big1.tex && \ + latex -halt-on-error big1.tex && latex -halt-on-error big2.tex + ], 0, ignore) + AT_CLEANUP ++ ++AT_BANNER([Test other output languages.]) ++ ++AT_SETUP([allow default color in ge, cgm output, #72, #73]) ++AT_KEYWORDS(cgm ge) ++AT_CHECK([fig2dev -L cgm $srcdir/data/line.fig ++], 0, ignore) ++AT_CHECK([fig2dev -L ge $srcdir/data/line.fig ++], 0, ignore) ++AT_CLEANUP +-- +2.31.1 + diff --git a/SOURCES/0010-CVE-2020-21683.patch b/SOURCES/0010-CVE-2020-21683.patch new file mode 100644 index 0000000..dfe1434 --- /dev/null +++ b/SOURCES/0010-CVE-2020-21683.patch 
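Review bot: set_color and set_fill in genge.c now index `GE_COLORS[col + 1]` and `GE_COLORS[color + 1]` with no bounds check, so the shift covers DEFAULT (-1) but a colour number below -1 or past the end of the table would still read outside the array. The full length of GE_COLORS and any limit the reader puts on colour numbers are not visible in this patch, so this needs confirming against read.c. A clamp before the lookup would make the functions safe on their own, e.g. `if (col < -1 || col + 1 >= (int)(sizeof GE_COLORS / sizeof GE_COLORS[0])) col = -1;`. In gencgm_start the result of `strdup(from)` is passed to `strrchr` without a NULL check, and the `if (figname_buf)` guard before `free` is redundant.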
@@ -0,0 +1,25 @@ +Subject: [PATCH] Fix pstricks fill with non-solid default color + +In the pstricks output, filling an area with the shaded or tinted default color +is now equivalent to filling with shaded or tinted black color. +--- + fig2dev/dev/genpstricks.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fig2dev/dev/genpstricks.c b/fig2dev/dev/genpstricks.c +index cf49207..40ea577 100644 +--- a/fig2dev/dev/genpstricks.c ++++ b/fig2dev/dev/genpstricks.c +@@ -1856,7 +1856,8 @@ format_options(char *options, char *prefix, char *postfix, char *sqrb_init, + else if (fill_style <= 40) + /* shade or tint fill */ + sprintf(tmps, "fillstyle=solid,fillcolor=%s", +- shade_or_tint_name_after_declare_color(tmpc, fill_style, fill_color)); ++ shade_or_tint_name_after_declare_color(tmpc, fill_style, ++ fill_color == DEFAULT ? CT_BLACK : fill_color)); + else { + char *type = 0, *ps; + int angle = 0; +-- +2.31.1 + diff --git a/SOURCES/0011-CVE-2020-21680.patch b/SOURCES/0011-CVE-2020-21680.patch new file mode 100644 index 0000000..c34bdc7 --- /dev/null +++ b/SOURCES/0011-CVE-2020-21680.patch 
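Review bot: The DEFAULT-to-CT_BLACK mapping is applied at this one call site in format_options rather than inside shade_or_tint_name_after_declare_color, so any other caller that passes a DEFAULT colour would still hand the callee the unmapped value. Other call sites are not visible in this patch, so this is to be checked in genpstricks.c. Normalising the colour at the top of the callee (its parameter name is not shown here) would cover every caller and let this ternary go away. The neighbouring `sprintf(tmps, ...)` is unbounded; a comment stating the size assumption for `tmps`, or `snprintf`, would help the next reader. format_options starts and ends outside the hunk.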
@@ -0,0 +1,55 @@ +Subject: [PATCH] Allow arrows with zero length on arcs + +Use the tangent, not a secant, for short arrows on arcs. +--- + fig2dev/bound.c | 9 ++++----- + fig2dev/tests/output.at | 8 ++++++++ + 2 files changed, 12 insertions(+), 5 deletions(-) + +diff --git a/fig2dev/bound.c b/fig2dev/bound.c +index ce7f4d1..9e997b7 100644 +--- a/fig2dev/bound.c ++++ b/fig2dev/bound.c +@@ -1095,16 +1095,15 @@ compute_arcarrow_angle(double x1, double y1, double x2, double y2, + r=sqrt(dx*dx+dy*dy); + h = (double) arrow->ht; + /* lines are made a little thinner in set_linewidth */ +- thick = (arrow->thickness <= THICK_SCALE) ? +- 0.5* arrow->thickness : +- arrow->thickness - THICK_SCALE; ++ thick = arrow->thickness <= THICK_SCALE ? ++ 0.5 * arrow->thickness : arrow->thickness - THICK_SCALE; + /* lpt is the amount the arrowhead extends beyond the end of the line */ + lpt = thick/2.0/(arrow->wid/h/2.0); + /* add this to the length */ + h += lpt; + +- /* radius too small for this method, use normal method */ +- if (h > 2.0*r) { ++ /* secant would be too large or too small */ ++ if (h > 2.0*r || h < 0.01*r) { + arc_tangent_int(x1,y1,x2,y2,direction,x,y); + return; + } +diff --git a/fig2dev/tests/output.at b/fig2dev/tests/output.at +index 79788cc..9150dbe 100644 +--- a/fig2dev/tests/output.at ++++ b/fig2dev/tests/output.at +@@ -175,6 +175,14 @@ AT_CHECK([fig2dev -L pict2e -P big1.fig big1.tex && \ + ], 0, ignore) + AT_CLEANUP + ++AT_SETUP([accept arc arrows with zero height, ticket #74]) ++AT_KEYWORDS(pict2e) ++AT_CHECK([fig2dev -L pict2e < +Date: Fri, 3 Sep 2021 08:15:34 +0200 +Subject: [PATCH] Reject ASCII NUL anywhere in the input + +The input is read in line by line, stored in a buffer and processed further +with sscanf(). Embedded NUL characters ('\0') would already disturb sscanf(), +and nowhere does the code expect NUL characters. Therefore, detect NUL while +reading the input, and exit with an error message when NUL is found anywere. +Fixes ticket #80. 
+--- + CHANGES | 4 ++++ + fig2dev/read.c | 21 +++++++++++++++++++-- + fig2dev/tests/data/text_w_ascii0.fig | 12 ++++++++++++ + fig2dev/tests/read.at | 16 ++++++++++++++++ + 4 files changed, 51 insertions(+), 2 deletions(-) + create mode 100644 fig2dev/tests/data/text_w_ascii0.fig + +diff --git a/CHANGES b/CHANGES +index 4a414fa..f1bbbc3 100644 +--- a/CHANGES ++++ b/CHANGES +@@ -6,6 +6,10 @@ Patchlevel Xx (Xxx 20xx) + + BUGS FIXED: + Ticket numbers refer to https://sourceforge.net/p/mcj/tickets/#. ++ o Fix ticket #81. ++ o Do not allow ASCII NUL anywhere in input. Fixes ticket #80. ++ o Use getline() to improve input scanning. ++ Fixes tickets #58, #59, #61, #62, #67, #78, #79. + o Correctly scan embedded pdfs for /MediaBox value. + o Convert polygons having too few points to polylines. Ticket #56. + o Reject huge arrow types causing integer overflow. Ticket #57. +diff --git a/fig2dev/read.c b/fig2dev/read.c +index aea9537..6e47f2d 100644 +--- a/fig2dev/read.c ++++ b/fig2dev/read.c +@@ -200,8 +200,14 @@ read_objects(FILE *fp, F_compound *obj) + put_msg("Could not read input file."); + return -1; + } +- /* seek to the end of the first line */ +- if (strchr(buf, '\n') == NULL) { ++ ++ /* check for embedded '\0' */ ++ if (strlen(buf) < sizeof buf - 1 && buf[strlen(buf) - 1] != '\n') { ++ put_msg("ASCII NUL ('\\0') character within the first line."); ++ exit(EXIT_FAILURE); ++ /* seek to the end of the first line ++ (the only place, where '\0's are tolerated) */ ++ } else if (buf[strlen(buf) - 1] != '\n') { + int c; + do + c = fgetc(fp); +@@ -1399,6 +1405,15 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len, + return s; + } + ++static void ++exit_on_ascii_NUL(const char *restrict line, size_t chars, int line_no) ++{ ++ if (strlen(line) < (size_t)chars) { ++ put_msg("ASCII NUL ('\\0') in line %d.", line_no); ++ exit(EXIT_FAILURE); ++ } ++} ++ + static char * + find_end(const char *str, int v30flag) + { +@@ -1470,6 +1485,7 @@ read_textobject(FILE *fp, 
char **restrict line, size_t *line_len, int *line_no) + + while ((chars = getline(line, line_len, fp)) != -1) { + ++(*line_no); ++ exit_on_ascii_NUL(*line, chars, *line_no); + end = find_end(*line, v30_flag); + if (end) { + *end = '\0'; +@@ -1641,6 +1657,7 @@ get_line(FILE *fp, char **restrict line, size_t *line_len, int *line_no) + if (**line == '\n' || (**line == '\r' && + chars == 2 && (*line)[1] == '\n')) + continue; ++ exit_on_ascii_NUL(*line, chars, *line_no); + /* remove newline and possibly a carriage return */ + if ((*line)[chars-1] == '\n') { + chars -= (*line)[chars - 2] == '\r' ? 2 : 1; +diff --git a/fig2dev/tests/data/text_w_ascii0.fig b/fig2dev/tests/data/text_w_ascii0.fig +new file mode 100644 +index 0000000..c0aa754 +--- /dev/null ++++ b/fig2dev/tests/data/text_w_ascii0.fig +@@ -0,0 +1,12 @@ ++#FIG 3.2 ++Landscape ++Center ++Inches ++Letter ++100.00 ++Single ++-2 ++1200 2 ++4 0 0 2 0 25 163 31 7 0 0 -1 1 0 2 ++ 0& 4 120 5 y\ 0 0 0^^^^^J^^^^^ÿÿ^^^^^^^^^^^^^^^^^^^^^^45 E\0I1y\001 ++#4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 An ascii zero '\\0' here ->...and some more text following, with a certain amount of minimum characters\001 +diff --git a/fig2dev/tests/read.at b/fig2dev/tests/read.at +index 9b34bfb..60982b0 100644 +--- a/fig2dev/tests/read.at ++++ b/fig2dev/tests/read.at +@@ -406,6 +406,22 @@ EOF + ]) + AT_CLEANUP + ++AT_SETUP([allow tex font -1, ticket #81]) ++AT_KEYWORDS([pict2e tikz]) ++AT_DATA([text.fig], [FIG_FILE_TOP ++4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 Text\001 ++]) ++AT_CHECK([fig2dev -L pict2e text.fig ++], 0, ignore) ++AT_CHECK([fig2dev -L tikz text.fig ++], 0, ignore) ++AT_CLEANUP ++ ++AT_SETUP([reject ASCII NUL ('\0') in input, ticket #80]) ++AT_KEYWORDS([read.c svg]) ++AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig], 1, ignore, ignore) ++AT_CLEANUP ++ + AT_BANNER([Dynamically allocate picture file name.]) + + AT_SETUP([prepend fig file path to picture file name]) +-- +2.31.1 + 
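Review bot: In read_objects the new check evaluates `buf[strlen(buf) - 1]` without first ruling out an empty string, so when the first byte read is NUL `strlen(buf)` is 0 and the index wraps around, giving an out-of-bounds read in the very code meant to reject NUL. Take the length once and test it: `size_t len = strlen(buf); if (len == 0 || (len < sizeof buf - 1 && buf[len - 1] != '\n')) {`, and reuse `len` in the `else if`. The same condition also reports a NUL for a short first line that reaches EOF without a newline, which may deserve its own message. In exit_on_ascii_NUL the `(size_t)chars` cast is redundant because `chars` is already declared `size_t`. read_objects starts and continues outside the hunk, and the header of this patch file is missing from the page.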
diff --git a/SOURCES/0013-CVE-2020-21676.patch b/SOURCES/0013-CVE-2020-21676.patch
new file mode 100644
index 0000000..df5af3f
--- /dev/null
+++ b/SOURCES/0013-CVE-2020-21676.patch
@@ -0,0 +1,83 @@ +From 180cf468f8999cfb7245bac5b3be447aefa6c852 Mon Sep 17 00:00:00 2001 +From: Ondrej Dubaj +Date: Fri, 3 Sep 2021 08:24:19 +0200 +Subject: [PATCH] Reject text or ellipse angles beyond -2pi to 2pi, #76 + +In fact, generously extend the allowed range to -7 to 7. +Sane applications, e.g., xfig, certainly keep the angles within one revolution. +--- + CHANGES | 5 +++-- + fig2dev/object.h | 7 ++++--- + fig2dev/tests/read.at | 8 ++++++++ + 3 files changed, 15 insertions(+), 5 deletions(-) + +diff --git a/CHANGES b/CHANGES +index f1bbbc3..52daead 100644 +--- a/CHANGES ++++ b/CHANGES +@@ -6,8 +6,9 @@ Patchlevel Xx (Xxx 20xx) + + BUGS FIXED: + Ticket numbers refer to https://sourceforge.net/p/mcj/tickets/#. +- o Fix ticket #81. +- o Do not allow ASCII NUL anywhere in input. Fixes ticket #80. ++ o Accept text and ellipse angles only within -2*pi to 2*pi. Fixes #76. ++ o Allow -1 as default TeX font, not only 0. Fixes #71, #75, #81. ++ o Do not allow ASCII NUL anywhere in input. Fixes #65, #68, #73, #80. + o Use getline() to improve input scanning. + Fixes tickets #58, #59, #61, #62, #67, #78, #79. + o Correctly scan embedded pdfs for /MediaBox value. +diff --git a/fig2dev/object.h b/fig2dev/object.h +index fe56bbb..8464010 100644 +--- a/fig2dev/object.h ++++ b/fig2dev/object.h +@@ -3,7 +3,7 @@ + * Copyright (c) 1991 by Micah Beck + * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul + * Parts Copyright (c) 1989-2015 by Brian V. 
Smith +- * Parts Copyright (c) 2015-2019 by Thomas Loimer ++ * Parts Copyright (c) 2015-2020 by Thomas Loimer + * + * Any party obtaining a copy of these files is granted, free of charge, a + * full and unrestricted irrevocable, world-wide, paid up, royalty-free, +@@ -94,7 +94,8 @@ typedef struct f_ellipse { + #define INVALID_ELLIPSE(e) \ + e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA || \ + COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \ +- e->radiuses.x == 0 || e->radiuses.y == 0 ++ e->radiuses.x == 0 || e->radiuses.y == 0 || \ ++ e->angle < -7. || e->angle > 7. + + typedef struct f_arc { + int type; +@@ -243,7 +244,7 @@ typedef struct f_text { + t->type < T_LEFT_JUSTIFIED || t->type > T_RIGHT_JUSTIFIED || \ + t->font < DEFAULT || t->font > MAX_PSFONT || \ + t->flags < DEFAULT || t->flags >= 2 * HIDDEN_TEXT || \ +- t->height < 0 || t->length < 0 ++ t->height < 0 || t->length < 0 || t->angle < -7. || t->angle > 7. + + typedef struct f_control { + double lx, ly, rx, ry; /* used by older versions*/ +diff --git a/fig2dev/tests/read.at b/fig2dev/tests/read.at +index 60982b0..c53fbb9 100644 +--- a/fig2dev/tests/read.at ++++ b/fig2dev/tests/read.at +@@ -422,6 +422,14 @@ AT_KEYWORDS([read.c svg]) + AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig], 1, ignore, ignore) + AT_CLEANUP + ++AT_SETUP([reject out of range text angle, ticket #76]) ++AT_CHECK([fig2dev -L pstricks < +Date: Mon, 20 Sep 2021 08:31:22 +0200 +Subject: [PATCH] Keep coordinates of spline controls within sane range + +--- + fig2dev/read.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fig2dev/read.c b/fig2dev/read.c +index 6e47f2d..349a685 100644 +--- a/fig2dev/read.c ++++ b/fig2dev/read.c +@@ -1392,6 +1392,15 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len, + cp->next = NULL; + free_splinestorage(s); + return NULL; ++ } ++ if (lx < INT_MIN || lx > INT_MAX || ly < INT_MIN || ly > INT_MAX || ++ rx < INT_MIN || rx > INT_MAX || ry 
< INT_MIN || ry > INT_MAX) { ++ /* do not care to clean up, we exit anyway ++ cp->next = NULL; ++ free_splinestorage(s); */ ++ put_msg("Spline control points out of range at line %d.", ++ *line_no); ++ exit(EXIT_FAILURE); + } + cq->lx = lx; cq->ly = ly; + cq->rx = rx; cq->ry = ry; +-- +2.31.1 + diff --git a/SOURCES/0015-CVE-2020-21532.patch b/SOURCES/0015-CVE-2020-21532.patch new file mode 100644 index 0000000..d308b7a --- /dev/null +++ b/SOURCES/0015-CVE-2020-21532.patch 
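Review bot: The range test added in read_splineobject, `lx < INT_MIN || lx > INT_MAX || ...`, is false for every comparison when a value is NaN, so a NaN control coordinate would be stored in `cq->lx` … `cq->ry` as if it were in range. This assumes lx…ry are floating-point like the f_control fields; the scanning code is not visible here, but the scanf family accepts `nan` for floating-point conversions. Writing the test as the negation of the accepted range closes the gap: `if (!(lx >= INT_MIN && lx <= INT_MAX && ly >= INT_MIN && ly <= INT_MAX && ...))`. The angle limits added to INVALID_ELLIPSE and INVALID_TEXT in object.h (`e->angle < -7. || e->angle > 7.`) have the same shape and would pass NaN too. read_splineobject begins and ends outside the hunk.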
@@ -0,0 +1,134 @@ +From ae23821f5959ee7c6d10cf0219fad013d3469a6f Mon Sep 17 00:00:00 2001 +From: Ondrej Dubaj +Date: Tue, 21 Sep 2021 10:35:53 +0200 +Subject: [PATCH] Accept -1 as default TeX font, fixes ticket #81 + +The default for PostScript fonts is -1, for TeX fonts 0. Accepting -1 for TeX +fonts lead to out-of-bound read. Now, -1 for TeX fonts is converted to 0. + +Accept -1 TeX font in more places, fixes #71, #75 + +Continue the work started in commit [00cded]. Fix the fundamental issue of +tickets #71 and #75, which was hidden by commit [d70e4b]. +--- + fig2dev/dev/genpict2e.c | 9 +++++---- + fig2dev/dev/gentikz.c | 9 +++++---- + fig2dev/dev/texfonts.h | 14 +++++++++----- + fig2dev/tests/read.at | 14 +++++++++++++- + 4 files changed, 32 insertions(+), 14 deletions(-) + +diff --git a/fig2dev/dev/genpict2e.c b/fig2dev/dev/genpict2e.c +index 9f828f0..22daedd 100644 +--- a/fig2dev/dev/genpict2e.c ++++ b/fig2dev/dev/genpict2e.c +@@ -2222,11 +2222,12 @@ put_font(F_text *t) + } + + if (psfont_text(t)) +- fprintf(tfp, "\\usefont%s", +- texpsfonts[t->font <= MAX_PSFONT ? t->font + 1 : 0]); ++ fprintf(tfp, "\\usefont%s", texpsfonts[t->font <= MAX_PSFONT ? ++ t->font + 1 : 0]); + else +- fprintf(tfp, "\\normalfont%s ", +- texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1]); ++ /* Default psfont is -1, default texfont 0, also accept -1. */ ++ fprintf(tfp, "\\normalfont%s ", texfonts[t->font <= MAX_FONT ? ++ (t->font >= 0 ? t->font : 0) : MAX_FONT - 1]); + } + + void +diff --git a/fig2dev/dev/gentikz.c b/fig2dev/dev/gentikz.c +index 96ee41c..6d8aff4 100644 +--- a/fig2dev/dev/gentikz.c ++++ b/fig2dev/dev/gentikz.c +@@ -1771,11 +1771,12 @@ put_font(F_text *t) + } + + if (psfont_text(t)) +- fprintf(tfp, "\\usefont%s", +- texpsfonts[t->font <= MAX_PSFONT ? t->font + 1 : 0]); ++ fprintf(tfp, "\\usefont%s", texpsfonts[t->font <= MAX_PSFONT ? ++ t->font + 1 : 0]); + else +- fprintf(tfp, "\\normalfont%s ", +- texfonts[t->font <= MAX_FONT ? 
t->font : MAX_FONT - 1]); ++ /* Default psfont is -1, default texfont 0, also accept -1. */ ++ fprintf(tfp, "\\normalfont%s ", texfonts[t->font <= MAX_FONT ? ++ (t->font >= 0 ? t->font : 0) : MAX_FONT - 1]); + } + + /* +diff --git a/fig2dev/dev/texfonts.h b/fig2dev/dev/texfonts.h +index 89097f2..e5254b6 100644 +--- a/fig2dev/dev/texfonts.h ++++ b/fig2dev/dev/texfonts.h +@@ -35,17 +35,21 @@ extern char texfontsizes[]; + #define MAXFONTSIZE 42 + + #ifdef NFSS +-#define TEXFAMILY(F) (texfontfamily[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)]) +-#define TEXSERIES(F) (texfontseries[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)]) +-#define TEXSHAPE(F) (texfontshape[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)]) ++#define TEXFAMILY(F) texfontfamily[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \ ++ : MAX_FONT-1] ++#define TEXSERIES(F) texfontseries[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \ ++ : MAX_FONT-1] ++#define TEXSHAPE(F) texfontshape[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \ ++ : MAX_FONT-1] + #endif +-#define TEXFONT(F) (texfontnames[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)]) ++#define TEXFONT(F) texfontnames[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \ ++ : MAX_FONT-1] + + /* + #define TEXFONTSIZE(S) (texfontsizes[((S) <= MAXFONTSIZE) ? (int)(round(S))\ + : (MAXFONTSIZE-1)]) + */ +-#define TEXFONTSIZE(S) (((S) <= MAXFONTSIZE) ? texfontsizes[(int)(round(S))] : (S)) ++#define TEXFONTSIZE(S) ((S) <= MAXFONTSIZE ? texfontsizes[(int)round(S)] : (S)) + #define TEXFONTMAG(T) TEXFONTSIZE(T->size*(rigid_text(T) ? 
1.0 : fontmag)) + + void setfigfont(F_text *text); /* genepic.c */ +diff --git a/fig2dev/tests/read.at b/fig2dev/tests/read.at +index c53fbb9..d85356b 100644 +--- a/fig2dev/tests/read.at ++++ b/fig2dev/tests/read.at +@@ -406,7 +406,7 @@ EOF + ]) + AT_CLEANUP + +-AT_SETUP([allow tex font -1, ticket #81]) ++AT_SETUP([allow tex font -1, tickets #71, #75, #81]) + AT_KEYWORDS([pict2e tikz]) + AT_DATA([text.fig], [FIG_FILE_TOP + 4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 Text\001 +@@ -415,6 +415,8 @@ AT_CHECK([fig2dev -L pict2e text.fig + ], 0, ignore) + AT_CHECK([fig2dev -L tikz text.fig + ], 0, ignore) ++AT_CHECK([fig2dev -L mp text.fig ++], 0, ignore) + AT_CLEANUP + + AT_SETUP([reject ASCII NUL ('\0') in input, ticket #80]) +@@ -430,6 +432,16 @@ EOF + ], 1, ignore, ignore) + AT_CLEANUP + ++AT_SETUP([allow tex font -1, ticket #81]) ++AT_DATA([text.fig], [FIG_FILE_TOP ++4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 Text\001 ++]) ++AT_CHECK([fig2dev -L pict2e text.fig ++], 0, ignore) ++AT_CHECK([fig2dev -L tikz text.fig ++], 0, ignore) ++AT_CLEANUP ++ + AT_BANNER([Dynamically allocate picture file name.]) + + AT_SETUP([prepend fig file path to picture file name]) +-- +2.31.1 + diff --git a/SOURCES/0016-CVE-2020-21531.patch b/SOURCES/0016-CVE-2020-21531.patch new file mode 100644 index 0000000..8a8be42 --- /dev/null +++ b/SOURCES/0016-CVE-2020-21531.patch 
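Review bot: TEXFONTSIZE in texfonts.h still has only an upper bound, `(S) <= MAXFONTSIZE ? texfontsizes[(int)round(S)] : (S)`, so a negative size would index before the start of texfontsizes; this patch adds the missing lower bound for the font index but not for the size. Whether the reader rejects negative text sizes is not visible on this page. A guard such as `((S) >= 0 && (S) <= MAXFONTSIZE ? texfontsizes[(int)round(S)] : (S))` would match the new font handling. The clamp `(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) : MAX_FONT-1` is now repeated in four macros and in both put_font functions and evaluates F up to three times; a single static inline helper would keep the copies from drifting apart.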
@@ -0,0 +1,63 @@ +From d50ae523fcee5c2d4357bbd8ce5baeeb18d15a2c Mon Sep 17 00:00:00 2001 +From: Ondrej Dubaj +Date: Tue, 21 Sep 2021 10:42:50 +0200 +Subject: [PATCH] Reject out-of-range pattern + +--- + fig2dev/object.h | 2 +- + fig2dev/tests/read.at | 19 +++++++++++++++++-- + 2 files changed, 18 insertions(+), 3 deletions(-) + +diff --git a/fig2dev/object.h b/fig2dev/object.h +index 8464010..6830b13 100644 +--- a/fig2dev/object.h ++++ b/fig2dev/object.h +@@ -61,7 +61,7 @@ typedef struct f_comment { + o->style < SOLID_LINE || o->style > DASH_3_DOTS_LINE || \ + o->thickness < 0 || o->depth < 0 || o->depth > 999 || \ + o->fill_style < UNFILLED || \ +- o->fill_style > NUMSHADES + NUMTINTS + NUMPATTERNS || \ ++ o->fill_style >= NUMSHADES + NUMTINTS + NUMPATTERNS || \ + o->style_val < 0.0 + + typedef struct f_ellipse { +diff --git a/fig2dev/tests/read.at b/fig2dev/tests/read.at +index d85356b..7765805 100644 +--- a/fig2dev/tests/read.at ++++ b/fig2dev/tests/read.at +@@ -421,15 +421,30 @@ AT_CLEANUP + + AT_SETUP([reject ASCII NUL ('\0') in input, ticket #80]) + AT_KEYWORDS([read.c svg]) +-AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig], 1, ignore, ignore) ++AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig], ++1, ignore, [ASCII NUL ('\0') in line 11. 
++]) + AT_CLEANUP + + AT_SETUP([reject out of range text angle, ticket #76]) ++AT_KEYWORDS([read.c pstricks]) + AT_CHECK([fig2dev -L pstricks < +Date: Thu, 23 Sep 2021 09:49:37 +0200 +Subject: [PATCH] Do not crash on incomplete, closed splines + +--- + fig2dev/trans_spline.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fig2dev/trans_spline.c b/fig2dev/trans_spline.c +index 0905c79..60c54ad 100644 +--- a/fig2dev/trans_spline.c ++++ b/fig2dev/trans_spline.c +@@ -226,6 +226,12 @@ compute_closed_spline(F_spline *spline, float precision) + if (!init_point_array(300, 200)) + return NULL; + ++ if (!(spline->points /* p0 */ && spline->controls /* s0 */ && ++ spline->points->next /* p1 */ && spline->controls->next /* s1 */ && ++ spline->points->next->next && spline->controls->next->next/* p2, s2 */&& ++ spline->points->next->next->next && spline->controls->next->next->next)) ++ return NULL; ++ + INIT_CONTROL_POINTS(spline, p0, s0, p1, s1, p2, s2, p3, s3); + COPY_CONTROL_POINT(first, s_first, p0, s0); + +-- +2.31.1 + diff --git a/SOURCES/0018-exit-no-args.patch b/SOURCES/0018-exit-no-args.patch new file mode 100644 index 0000000..03b2652 --- /dev/null +++ b/SOURCES/0018-exit-no-args.patch 
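Review bot: The new guard in compute_closed_spline returns NULL after `init_point_array(300, 200)` has already succeeded, so if that call allocates storage that the normal path later releases, the early return skips the release. init_point_array is not shown, so this is to be confirmed. Placing the `if (!(spline->points && ...)) return NULL;` block above the init_point_array call avoids the question. The return is also silent; a `put_msg` naming the incomplete spline, as the other input checks in this series emit, would tell the user why the object was dropped. compute_closed_spline continues outside the hunk.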
@@ -0,0 +1,39 @@ +Subject: [PATCH] Exit correctly when invoked without arguments +https://sourceforge.net/p/mcj/fig2dev/ci/11fba42e388ff7d92f81518406429bdea0a6a3b3 + +--- + fig2dev/fig2dev.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fig2dev/fig2dev.c b/fig2dev/fig2dev.c +index 62ec099..949671e 100644 +--- a/fig2dev/fig2dev.c ++++ b/fig2dev/fig2dev.c +@@ -161,9 +161,9 @@ static struct depth_opts { + + static char Usage[] = + #ifdef I18N +-"Usage:\n %s -hV\n %s -L language [-s size] [-m scale] [-j] [input [output]]\n"; ++"Usage:\n %1$s -hV\n %1$s -L language [-s size] [-m scale] [-j] [input [output]]\n"; + #else +- "Usage:\n %s -hV\n %s -L language [-s size] [-m scale] [input [output]]\n"; ++ "Usage:\n %1$s -hV\n %1$s -L language [-s size] [-m scale] [input [output]]\n"; + #endif + + static int parse_gridspec(char *string, float *numer, float *denom, +@@ -218,8 +218,10 @@ get_args(int argc, char *argv[]) + char *grid, *p; + float numer, denom; + +- if (argc == 1) +- fprintf(stderr, Usage, prog, prog); ++ if (argc == 1) { ++ fprintf(stderr, Usage, prog); ++ exit(EXIT_SUCCESS); ++ } + + /* print the version, for the comfort of the autotest tests */ + if (!strcmp(argv[1], "--version")) { +-- +2.31.1 + diff --git a/SPECS/transfig.spec b/SPECS/transfig.spec index 87b646a..a4f7e73 100644 --- a/SPECS/transfig.spec +++ b/SPECS/transfig.spec @@ -1,6 +1,6 @@ Name: transfig Version: 3.2.7b -Release: 6%{?dist} +Release: 10%{?dist} Epoch: 1 Summary: Utility for converting FIG files (made by xfig) to other formats License: MIT 
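Review bot: The Usage strings in fig2dev.c now rely on `%1$s`, a POSIX positional conversion that ISO C does not define, so on a C library without it `fprintf(stderr, Usage, prog)` has undefined behaviour. Which platforms this package is built for is not visible here. Keeping `%s` twice and passing `prog, prog` as before is portable; the added `exit()` is what stops execution from reaching `strcmp(argv[1], "--version")` with no argument. Usage is a writable `static char[]` used as a format string, and `static const char Usage[]` would document that it is never modified. get_args continues outside the hunk.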
@@ -15,6 +15,16 @@ Patch5: 0005-Correctly-scan-embedded-pdfs-for-MediaBox-value.patch Patch6: 0006-fig2dev-version-prints-version-information.patch Patch7: 0007-Use-getopt-from-standard-libraries-if-available.patch Patch8: 0008-Replace-most-calls-to-fgets-by-getline-in-read.c.patch +Patch9: 0009-CVE-2020-21681-CVE-2020-21682.patch +Patch10: 0010-CVE-2020-21683.patch +Patch11: 0011-CVE-2020-21680.patch +Patch12: 0012-CVE-2020-21678-CVE-2020-21684.patch +Patch13: 0013-CVE-2020-21676.patch +Patch14: 0014-CVE-2020-21529.patch +Patch15: 0015-CVE-2020-21532.patch +Patch16: 0016-CVE-2020-21531.patch +Patch17: 0017-CVE-2021-32280.patch +Patch18: 0018-exit-no-args.patch Requires: ghostscript Requires: bc @@ -67,6 +77,26 @@ mv fig2dev.1.in.new man/fig2dev.1.in %changelog +* Mon Oct 18 2021 Ondrej Dubaj - 1:3.2.7b-10 +- Exit correctly when invoked without arguments (#2015001) + +* Thu Sep 23 2021 Ondrej Dubaj - 1:3.2.7b-9 +- Fixed CVE-2021-32280 (#2006830) + +* Mon Sep 20 2021 Ondrej Dubaj - 1:3.2.7b-8 +- Fixed CVE-2020-21529 (#2005518) +- Fixed CVE-2020-21532 (#2006007) +- Fixed CVE-2020-21531 (#2006002) + +* Mon Aug 30 2021 Ondrej Dubaj - 1:3.2.7b-7 +- Fixed CVE-2020-21681 (#1998350) +- Fixed CVE-2020-21683 (#1998594) +- Fixed CVE-2020-21680 (#1998306) +- Fixed CVE-2020-21684 (#2000747) +- Fixed CVE-2020-21678 (#2000741) +- Fixed CVE-2020-21676 (#2000751) +- Fixed CVE-2020-21682 (#2000738) + * Tue Aug 10 2021 Mohan Boddu - 1:3.2.7b-6 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688