Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
I prepared an update for fig2dev 1:3.2.8-3 to deb11u1, which fixes CVE-2021-37529 and CVE-2021-37530. Additionally it fixes an annoying bug that breaks EPS import (this bug was a typo with x and y). Lastly, I added a mechanism that rebuilds the testsuite (used at build time as well as in autopkgtest) to activate the tests that are added by the above patches.

The salsa pipeline succeeded on this (except reprotest and crossbuild): https://salsa.debian.org/debian/fig2dev/-/pipelines/415604

[ Risks ]
The patches are backported from upstream code and not too complex. The CVE patches come with test cases that check their correctness. The eps import patch is trivial to check (only one char was wrong).

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

A diff against 3.2.8-3 (bullseye) is attached.

Greetings
Roland
diff --git a/debian/changelog b/debian/changelog index 8954565..a1bcec3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +fig2dev (1:3.2.8-3+deb11u1) bullseye; urgency=medium + + * Rebuild testsuite during build and in autopkgtest. + * 34_epsimport: Stop misplacement of embedded eps images. + * Adapt salsa CI pipeline to bullseye release. + * 35_CVE-2021-37529: Allow long names for non-existing images. + * 36_CVE-2021-37530: Avoid a segfault for non-existing image names. + + -- Roland Rosenfeld <rol...@debian.org> Fri, 26 Aug 2022 12:30:59 +0200 + fig2dev (1:3.2.8-3) unstable; urgency=medium * 30_arrow-poly: Remove arrows from polygon with single point. diff --git a/debian/patches/34_epsimport.patch b/debian/patches/34_epsimport.patch new file mode 100644 index 0000000..84426b4 --- /dev/null +++ b/debian/patches/34_epsimport.patch @@ -0,0 +1,18 @@ +From: Thomas Loimer <thomas.loi...@tuwien.ac.at> +Date: Tue, 28 Sep 2021 21:58:41 +0200 +Bug: https://sourceforge.net/p/mcj/tickets/137/ +Origin: https://sourceforge.net/p/mcj/fig2dev/ci/1b09a885a8f0309bf1170ddcf07673801c79f895/ +Applied-Upstream: commit:1b09a885a8f0309bf1170ddcf07673801c79f895 +Subject: [PATCH] Correct a typo causing incorrect eps import, #137 + +--- a/fig2dev/dev/readeps.c ++++ b/fig2dev/dev/readeps.c +@@ -345,7 +345,7 @@ read_eps(F_pic *pic, struct xfig_stream + } + *llx = floor(rllx); + *lly = floor(rlly); +- pic->bit_size.x = (int)(rurx - rlly); ++ pic->bit_size.x = (int)(rurx - rllx); + pic->bit_size.y = (int)(rury - rlly); + break; + } diff --git a/debian/patches/35_CVE-2021-37529.patch b/debian/patches/35_CVE-2021-37529.patch new file mode 100644 index 0000000..3e977f4 --- /dev/null +++ b/debian/patches/35_CVE-2021-37529.patch 
@@ -0,0 +1,68 @@ +From: Thomas Loimer <thomas.loi...@tuwien.ac.at> +Date: Tue Jul 20 00:23:47 2021 +0200 +Bug: https://sourceforge.net/p/mcj/tickets/125/ +Origin: https://sourceforge.net/p/mcj/fig2dev/ci/899ea1277387ca9e9853bf61d29b7419d5692691 +Subject: Allow long names for non-existing images, #125 + This fixes CVE-2021-37529 + + On freeing the memory for the long file names, a double free() happened, + see ticket #125. + + In addition, do not allocate twice to the same pointer (*found), thus + leaking memory. + +--- a/fig2dev/dev/readpics.c ++++ b/fig2dev/dev/readpics.c +@@ -55,13 +55,19 @@ free_stream(struct xfig_stream *restrict + err_msg("Cannot remove temporary file %s", + xf_stream->content); + } +- if (xf_stream->content != xf_stream->content_buf) ++ if (xf_stream->content != xf_stream->content_buf) { + free(xf_stream->content); ++ xf_stream->content = xf_stream->content_buf; ++ } + } +- if (xf_stream->name != xf_stream->name_buf) ++ if (xf_stream->name != xf_stream->name_buf) { + free(xf_stream->name); +- if (xf_stream->name_on_disk != xf_stream->name_on_disk_buf) ++ xf_stream->name = xf_stream->name_buf; ++ } ++ if (xf_stream->name_on_disk != xf_stream->name_on_disk_buf) { + free(xf_stream->name_on_disk); ++ xf_stream->name_on_disk = xf_stream->name_on_disk_buf; ++ } + } + + /* +@@ -124,8 +130,9 @@ file_on_disk(char *restrict name, char * + if (stat(name, &status)) { + /* File not found. Now try, whether a file with one of + the known suffices appended exists. 
*/ +- if (len < name_len + FILEONDISK_ADD && (*found = +- malloc(name_len + FILEONDISK_ADD)) == NULL) { ++ if (len > name_len && len < name_len + FILEONDISK_ADD && ++ (*found = malloc(name_len + FILEONDISK_ADD)) ++ == NULL) { + put_msg(Err_mem); + return -1; + } +--- a/fig2dev/tests/input.at ++++ b/fig2dev/tests/input.at +@@ -137,4 +137,15 @@ AT_CHECK([$SED "11 s%line%$abs_srcdir/da + ],0,ignore) + AT_CLEANUP + ++AT_SETUP([long image name, non-existing file, ticket #125]) ++AT_KEYWORDS(readpics) ++AT_CHECK([fig2dev -Leps <<EOF ++FIG_FILE_TOP ++2 5 0 1 0 -1 50 -1 -1 0.0 0 0 -1 0 0 5 ++ 0 use a file name that does not exist and is at least 128 characters long - this triggered a bug whereupon the string buffer was freed two times ++ 0 0 100 0 100 60 0 60 0 0 ++EOF ++],0,ignore,ignore) ++AT_CLEANUP ++ + m4_undefine([NO_GZIP]) diff --git a/debian/patches/36_CVE-2021-37530.patch b/debian/patches/36_CVE-2021-37530.patch new file mode 100644 index 0000000..960de31 --- /dev/null +++ b/debian/patches/36_CVE-2021-37530.patch 
@@ -0,0 +1,40 @@ +From: Thomas Loimer <thomas.loi...@tuwien.ac.at> +Date: Tue Jul 20 00:36:12 2021 +0200 +Bug: https://sourceforge.net/p/mcj/tickets/126/ +Origin: https://sourceforge.net/p/mcj/fig2dev/ci/ff103511e49c44c83fc58e2092aa37e9019a3a9f/ +Subject: Avoid a segfault for non-existing image names, #126 + This fixes CVE-2021-37530 + + Before this commit, a name with a compression suffix, referring to a + non-existing image file, would cause a segfault. + +--- a/fig2dev/dev/readpics.c ++++ b/fig2dev/dev/readpics.c +@@ -219,7 +219,7 @@ open_stream(char *restrict name, struct + return NULL; + } + +- if (*xf_stream->uncompress) { ++ if (xf_stream->uncompress && *xf_stream->uncompress) { + /* a compressed file */ + char command_buf[256]; + char *command = command_buf; +--- a/fig2dev/tests/input.at ++++ b/fig2dev/tests/input.at +@@ -148,4 +148,16 @@ EOF + ],0,ignore,ignore) + AT_CLEANUP + ++AT_SETUP([non-existing file with suffix (.Z), ticket #126]) ++AT_KEYWORDS(readpics) ++AT_CHECK([fig2dev -Leps <<EOF ++FIG_FILE_TOP ++2 5 0 1 0 -1 50 -1 -1 0.0 0 0 -1 0 0 5 ++ 0 non-existing.Z ++ 0 0 100 0 100 60 0 60 0 0 ++EOF ++],0,ignore,[No such picture file: non-existing.Z ++]) ++AT_CLEANUP ++ + m4_undefine([NO_GZIP]) diff --git a/debian/patches/series b/debian/patches/series index 0ab760a..bb740cf 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -6,3 +6,6 @@ 31_trunc-subsuper.patch 32_arrow-point.patch 33_sanitize-color.patch +34_epsimport.patch +35_CVE-2021-37529.patch +36_CVE-2021-37530.patch diff --git a/debian/rules b/debian/rules index 95f1756..6f1ddc1 100755 --- a/debian/rules +++ b/debian/rules 
@@ -29,7 +29,11 @@ override_dh_auto_build: # preserve some files from upstream tarball: tar cf debian/preserve.tar fig2dev/config.vc \ fig2dev/tests/data/fillswclip.svg \ - fig2dev/tests/data/patterns.svg transfig/doc/manual.pdf + fig2dev/tests/data/patterns.svg transfig/doc/manual.pdf \ + fig2dev/tests/testsuite + +# rebuild testsuite: + (cd fig2dev/tests; rm -f testsuite; make testsuite) dh_auto_build diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml index 892f3cd..4e57130 100644 --- a/debian/salsa-ci.yml +++ b/debian/salsa-ci.yml @@ -1,3 +1,6 @@ include: - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + +variables: + RELEASE: 'bullseye' diff --git a/debian/tests/fig2dev-testsuite b/debian/tests/fig2dev-testsuite index 8998617..be31ef2 100755 --- a/debian/tests/fig2dev-testsuite +++ b/debian/tests/fig2dev-testsuite @@ -10,6 +10,11 @@ echo "Running dh_auto_configure" dh_auto_configure 2>&1 cd fig2dev/tests + +echo "Rebuild testsuite" +rm -f testsuite +make testsuite + echo "Building required test programs" make check 2>&1 || true
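Review bot: the debian/changelog hunk names the two CVEs but not the upstream tickets (#137, #125, #126) that the patch headers record; adding them to the three bullet points would make the entries easier to trace back to the sourceforge tracker.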
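Review bot: 34_epsimport.patch carries no regression test, unlike the two CVE patches, even though the fix (`rurx - rlly` becoming `rurx - rllx` for `bit_size.x`) is clearly right given that the next line derives `bit_size.y` from `rury - rlly`. Since the testsuite is now rebuilt at build time and in autopkgtest, a small EPS import case in fig2dev/tests/input.at would keep this from regressing.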
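Review bot: in the free_stream hunk of 35_CVE-2021-37529.patch, the three added `xf_stream->... = ..._buf;` lines after each free() are what make a repeated call to free_stream harmless, so the patch header should say explicitly that free_stream is now idempotent; otherwise a later cleanup may drop those assignments as redundant and reintroduce the double free. In the file_on_disk hunk, the added `len > name_len &&` condition is what stops the second malloc to `*found`, but the hunk does not show how `*found` is initialised before the first attempt, so that should be checked against the surrounding code in readpics.c. The new autotest only checks the exit status (`0,ignore,ignore`), which is adequate for a crash regression.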
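Review bot: 36_CVE-2021-37530.patch can only be applied after 35_CVE-2021-37529.patch, because its input.at hunk (`@@ -148,4 +148,16 @@`) uses the `],0,ignore,ignore)` / `AT_CLEANUP` lines of the #125 test as leading context; debian/patches/series keeps that order, but it should be remembered if either patch is ever dropped. The NULL guard `xf_stream->uncompress && *xf_stream->uncompress` is the minimal fix, and the test asserting the exact stderr `No such picture file: non-existing.Z` is stronger than the `ignore` used in the #125 test, which is good.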
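Review bot: the debian/rules hunk runs `make testsuite` in fig2dev/tests, which regenerates the autotest script with autom4te, so autoconf has to be in Build-Depends; this debdiff does not touch debian/control, so please confirm it is already listed there, otherwise the build fails at this step. Preserving fig2dev/tests/testsuite in debian/preserve.tar is needed so that dh_clean restores the upstream file, which keeps the source tree unchanged after a build.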
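Review bot: in the debian/tests/fig2dev-testsuite hunk, the new `rm -f testsuite` and `make testsuite` lines lack the `2>&1` that the neighbouring `dh_auto_configure 2>&1` and `make check 2>&1` use; any autom4te warning on stderr would fail the autopkgtest unless it carries `Restrictions: allow-stderr`, so add `2>&1` for consistency. The test environment also needs autom4te available, so debian/tests/control (not in this debdiff) should list autoconf in the test dependencies.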