fix buffer overflow on loading a malformed .fig file (CVE-2009-4227)

transfig-3.2.5d-CVE-2009-4227.patch

@@ -0,0 +1,25 @@
+From 824eff7e2ce2b1a64ec1406a04aeedf10456e9da Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Thu, 9 Aug 2012 16:46:34 +0200
+Subject: [PATCH] read_textobject: limit the input when reading to a fixed-size buffer
+
+---
+ fig2dev/read1_3.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/fig2dev/read1_3.c b/fig2dev/read1_3.c
+index 28951e8..5b9d770 100644
+--- a/fig2dev/read1_3.c
++++ b/fig2dev/read1_3.c
+@@ -451,7 +451,7 @@ FILE	*fp;
+ 	t->pen = 0;
+ 	t->angle = 0.0;
+ 	t->next = NULL;
+-	n = fscanf(fp," %d %lf %d %lf %lf %d %d %[^\n]", &t->font, 
++	n = fscanf(fp," %d %lf %d %lf %lf %d %d %127[^\n]", &t->font, 
+ 		&t->size, &t->flags, &t->height, &t->length, 
+ 		&t->base_x, &t->base_y, buf);
+ 	if (n != 8) {
+-- 
+1.7.1
+

transfig.spec

@@ -1,7 +1,7 @@
 Summary: Utility for converting FIG files (made by xfig) to other formats
 Name: transfig
 Version: 3.2.5d
-Release: 7%{?dist}
+Release: 8%{?dist}
 Epoch: 1
 License: MIT
 URL: http://www.xfig.org/
@@ -13,6 +13,7 @@ Patch1: transfig-3.2.5-modularX.patch
 Patch2: transfig-3.2.5-bitmap.patch
 Patch3: transfig-3.2.5d-bz728825.patch
 Patch4: transfig-3.2.5-libpng.patch
+Patch5: transfig-3.2.5d-CVE-2009-4227.patch
 
 Requires:	ghostscript
 Requires:	bc
@@ -42,6 +43,7 @@ figures into certain graphics languages.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1 -b .libpng
+%patch5 -p1
 
 # fix source permissions
 find -type f -exec chmod -x {} \;
@@ -79,6 +81,9 @@ rm -rf %{buildroot}
 %{_datadir}/fig2dev
 
 %changelog
+* Thu Aug 09 2012 Kamil Dudka <kdudka@redhat.com> - 1:3.2.5d-8
+- fix buffer overflow on loading a malformed .fig file (CVE-2009-4227)
+
 * Sun Jul 22 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:3.2.5d-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild