diff --git a/0014-CVE-2020-21529.patch b/0014-CVE-2020-21529.patch
new file mode 100644
index 0000000..c4ef9a5
--- /dev/null
+++ b/0014-CVE-2020-21529.patch
@@ -0,0 +1,32 @@
+From 2397ae3bb903f59a017c8ec9db87164048b86827 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj
+Date: Mon, 20 Sep 2021 08:31:22 +0200
+Subject: [PATCH] Keep coordinates of spline controls within sane range
+
+---
+ fig2dev/read.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fig2dev/read.c b/fig2dev/read.c
+index 6e47f2d..349a685 100644
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -1392,6 +1392,15 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len,
+ cp->next = NULL;
+ free_splinestorage(s);
+ return NULL;
++ }
++ if (lx < INT_MIN || lx > INT_MAX || ly < INT_MIN || ly > INT_MAX ||
++ rx < INT_MIN || rx > INT_MAX || ry < INT_MIN || ry > INT_MAX) {
++ /* do not care to clean up, we exit anyway
++ cp->next = NULL;
++ free_splinestorage(s); */
++ put_msg("Spline control points out of range at line %d.",
++ *line_no);
++ exit(EXIT_FAILURE);
+ }
+ cq->lx = lx; cq->ly = ly;
+ cq->rx = rx; cq->ry = ry;
+--
+2.31.1
+
diff --git a/transfig.spec b/transfig.spec
index 011c29d..802e310 100644
--- a/transfig.spec
+++ b/transfig.spec
@@ -1,6 +1,6 @@
 Name: transfig
 Version: 3.2.7b
-Release: 7%{?dist}
+Release: 8%{?dist}
 Epoch: 1
 Summary: Utility for converting FIG files (made by xfig) to other formats
 License: MIT
@@ -20,6 +20,7 @@ Patch10: 0010-CVE-2020-21683.patch
 Patch11: 0011-CVE-2020-21680.patch
 Patch12: 0012-CVE-2020-21678-CVE-2020-21684.patch
 Patch13: 0013-CVE-2020-21676.patch
+Patch14: 0014-CVE-2020-21529.patch
 Requires: ghostscript
 Requires: bc
@@ -72,6 +73,9 @@ mv fig2dev.1.in.new man/fig2dev.1.in
 %changelog
+* Mon Sep 20 2021 Ondrej Dubaj - 1:3.2.7b-8
+- Fixed CVE-2020-21529 (#2005518)
+
 * Mon Aug 30 2021 Ondrej Dubaj - 1:3.2.7b-7
 - Fixed CVE-2020-21681 (#1998350)
 - Fixed CVE-2020-21683 (#1998594)
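Review bot: The range check added to fig2dev/read.c is written as a chain of `<`/`>` rejections, so if `lx`, `ly`, `rx` and `ry` are floating-point (their declarations are outside the hunk) a NaN fails every comparison and still reaches `cq->lx = lx;`. Writing it in accepting form closes that gap: `if (!(lx >= INT_MIN && lx <= INT_MAX && ly >= INT_MIN && ly <= INT_MAX && rx >= INT_MIN && rx <= INT_MAX && ry >= INT_MIN && ry <= INT_MAX))`. The new branch also calls `exit(EXIT_FAILURE)` and keeps its cleanup only as commented-out code, whereas the branch directly above frees the spline and returns NULL. If callers already handle that NULL, `cp->next = NULL; free_splinestorage(s); return NULL;` would keep the error path uniform and drop the dead comment. `read_splineobject` begins and ends outside the hunk, and whether `<limits.h>` is already included for `INT_MIN`/`INT_MAX` cannot be confirmed from here.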