From a12d747fb9201d9d07c1128872878758aa35c0f8 Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj
Date: Mon, 30 Aug 2021 10:56:44 +0200
Subject: [PATCH] Fixed CVE-2020-21681 Resolves: #1998350
---
 0009-CVE-2020-21681.patch | 109 ++++++++++++++++++++++++++++++++++++++
 transfig.spec | 6 ++-
 2 files changed, 114 insertions(+), 1 deletion(-)
 create mode 100644 0009-CVE-2020-21681.patch
diff --git a/0009-CVE-2020-21681.patch b/0009-CVE-2020-21681.patch
new file mode 100644
index 0000000..9f2f2c3
--- /dev/null
+++ b/0009-CVE-2020-21681.patch
@@ -0,0 +1,109 @@
+Subject: [PATCH] Allow DEFAULT color in cgm and ge output and fix memory leak
+ in gencgm.c
+
+---
+ fig2dev/dev/gencgm.c | 8 +++++++-
+ fig2dev/dev/genge.c | 7 ++++---
+ fig2dev/tests/data/line.fig | 2 +-
+ fig2dev/tests/output.at | 10 ++++++++++
+ 4 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/fig2dev/dev/gencgm.c b/fig2dev/dev/gencgm.c
+index 6d9d9cb..0033c36 100644
+--- a/fig2dev/dev/gencgm.c
++++ b/fig2dev/dev/gencgm.c
+@@ -148,9 +148,11 @@ gencgm_start(F_compound *objects)
+ {
+ int i;
+ char *p, *figname;
++ char *figname_buf = NULL;
+ 
+ if (from) {
+- figname = strdup(from);
++ figname_buf = strdup(from);
++ figname = figname_buf;
+ p = strrchr(figname, '/');
+ if (p)
+ figname = p+1; /* remove path from name for comment in file */
+@@ -252,6 +254,8 @@ gencgm_start(F_compound *objects)
+ print_comments("% ",objects->comments, " %");
+ fprintf(tfp,"%% %%\n");
+ }
++ if (figname_buf)
++ free(figname_buf);
+ }
+ 
+ int
+@@ -549,6 +553,8 @@ hatchindex(index)
+ static void
+ getrgb(int color, int *r, int *g, int *b)
+ {
++ if (color < 0) /* DEFAULT color is black */
++ color = 0;
+ if (color < NUM_STD_COLS) {
+ *r = stdcols[color].r * 255.;
+ *g = stdcols[color].g * 255.;
+diff --git a/fig2dev/dev/genge.c b/fig2dev/dev/genge.c
+index 8caabf1..c2ab712 100644
+--- a/fig2dev/dev/genge.c
++++ b/fig2dev/dev/genge.c
+@@ -52,7 +52,8 @@ static void genge_ctl_spline(F_spline *s);
+ /* color mapping */
+ /* xfig ge */
+ 
+-static int GE_COLORS[] = { 1, /* black black */
++static int GE_COLORS[] = { 1, /* DEFAULT == black */
++ 1, /* black black */
+ 8, /* blue blue */
+ 7, /* green green */
+ 6, /* cyan cyan */
+@@ -434,7 +435,7 @@ back_arrow(F_line *l)
+ static void
+ set_color(int col)
+ {
+- fprintf(tfp,"c%02d ",GE_COLORS[col]);
++ fprintf(tfp,"c%02d ",GE_COLORS[col + 1]);
+ }
+ 
+ /* set fill if there is a fill style */
+@@ -443,7 +444,7 @@ static void
+ set_fill(int style, int color)
+ {
+ if (style != UNFILLED)
+- 
fprintf(tfp,"C%02d ",GE_COLORS[color]);
++ fprintf(tfp,"C%02d ",GE_COLORS[color + 1]);
+ }
+ 
+ /*
+diff --git a/fig2dev/tests/data/line.fig b/fig2dev/tests/data/line.fig
+index e033b12..bfc4976 100644
+--- a/fig2dev/tests/data/line.fig
++++ b/fig2dev/tests/data/line.fig
+@@ -7,5 +7,5 @@ A9
+ Single
+ -2
+ 1200 2
+-2 1 0 3 0 7 50 -1 -1 0.0 0 0 -1 0 0 3
++2 1 0 3 -1 7 50 -1 -1 0.0 0 0 -1 0 0 3
+ 50 50 500 50 500 200
+diff --git a/fig2dev/tests/output.at b/fig2dev/tests/output.at
+index 9a1bc45..79788cc 100644
+--- a/fig2dev/tests/output.at
++++ b/fig2dev/tests/output.at
+@@ -261,3 +261,13 @@ AT_CHECK([fig2dev -L tikz -P big1.fig big1.tex && \
+ latex -halt-on-error big1.tex && latex -halt-on-error big2.tex
+ ], 0, ignore)
+ AT_CLEANUP
++
++AT_BANNER([Test other output languages.])
++
++AT_SETUP([allow default color in ge, cgm output, #72, #73])
++AT_KEYWORDS(cgm ge)
++AT_CHECK([fig2dev -L cgm $srcdir/data/line.fig
++], 0, ignore)
++AT_CHECK([fig2dev -L ge $srcdir/data/line.fig
++], 0, ignore)
++AT_CLEANUP
+--
+2.31.1
+
diff --git a/transfig.spec b/transfig.spec
index 87b646a..933c801 100644
--- a/transfig.spec
+++ b/transfig.spec
@@ -1,6 +1,6 @@
 Name: transfig
 Version: 3.2.7b
-Release: 6%{?dist}
+Release: 7%{?dist}
 Epoch: 1
 Summary: Utility for converting FIG files (made by xfig) to other formats
 License: MIT
@@ -15,6 +15,7 @@ Patch5: 0005-Correctly-scan-embedded-pdfs-for-MediaBox-value.patch Patch6: 0006-fig2dev-version-prints-version-information.patch Patch7: 0007-Use-getopt-from-standard-libraries-if-available.patch Patch8: 0008-Replace-most-calls-to-fgets-by-getline-in-read.c.patch +Patch9: 0009-CVE-2020-21681.patch Requires: ghostscript Requires: bc
@@ -67,6 +68,9 @@ mv fig2dev.1.in.new man/fig2dev.1.in %changelog +* Mon Aug 30 2021 Ondrej Dubaj - 1:3.2.7b-7 +- Fixed CVE-2020-21681 (#1998350) + * Tue Aug 10 2021 Mohan Boddu - 1:3.2.7b-6 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688
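Review bot: The new subscript `GE_COLORS[col + 1]` in set_color, and `GE_COLORS[color + 1]` in set_fill, only handles the low end of the range: the value is still used as an unchecked index, so unless the callers already clamp the color number to the table length, a color at or past the end of the static array is still read out of bounds. A guard in front of each fprintf would cover both ends, `if (col < -1 || col + 1 >= (int)(sizeof GE_COLORS / sizeof GE_COLORS[0])) col = 0;`, falling back to black the same way the new `color = 0` in getrgb does for cgm output. In gencgm_start the `strdup(from)` result is passed straight to `strrchr(figname, '/')` with no NULL check, so an allocation failure dereferences NULL before the new `free(figname_buf)` at the end of the function is ever reached; skipping the strrchr when figname_buf is NULL would close that, and the rest of gencgm_start lies outside the hunk. Minor: the `if (figname_buf)` in front of `free(figname_buf)` is redundant, since free(NULL) is a no-op.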