Package: release.debian.org Severity: normal Tags: bookworm User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: fig2...@packages.debian.org Control: affects -1 + src:fig2dev
[ Reason ] This fixes CVE-2025-31162, CVE-2025-31163, CVE-2025-31164 (segmentation faults in the pict2e driver of fig2dev). [ Impact ] Segmentation faults with some special cases and a minor security issue. [ Tests ] salsa-ci passed except reprotest (this seems to build the package with sid instead of bookworm, which uses a different, newer ghostscript version, resulting in a slightly different gray rastering with two more dots in an example, so one test in the testsuite fails): https://salsa.debian.org/debian/fig2dev/-/pipelines/840929 The patches for CVE-2025-31163 and CVE-2025-31164 add new test cases (for these bugs) which run successfully. [ Risks ] Hopefully none... [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] - fix for CVE-2025-31162 - fix for CVE-2025-31163 - fix for CVE-2025-31164 - Change in debian/salsa-ci.yml to build with bookworm instead of sid [ Other info ] I was asked by Salvatore Bonaccorso <car...@debian.org> from the security team to upload this to the next point release instead of fixing via DSA, because of the low severity of the CVEs. Greetings Roland
diff -Nru fig2dev-3.2.8b/debian/changelog fig2dev-3.2.8b/debian/changelog
--- fig2dev-3.2.8b/debian/changelog 2022-09-20 17:24:07.000000000 +0200
+++ fig2dev-3.2.8b/debian/changelog 2025-03-28 22:51:19.000000000 +0100
@@ -1,3 +1,11 @@
+fig2dev (1:3.2.8b-3+deb12u1) bookworm; urgency=medium
+
+  * 38_CVE-2025-31162: Reject huge pattern lengths.
+  * 39_CVE-2025-31163: Reject arcs with co-incident points.
+  * 40_CVE-2025-31164: Allow an arc-box with zero radius.
+
+ -- Roland Rosenfeld <rol...@debian.org>  Fri, 28 Mar 2025 22:51:19 +0100
+
 fig2dev (1:3.2.8b-3) unstable; urgency=medium
 
   [ Roland Rosenfeld ]
diff -Nru fig2dev-3.2.8b/debian/patches/38_CVE-2025-31162.patch fig2dev-3.2.8b/debian/patches/38_CVE-2025-31162.patch
--- fig2dev-3.2.8b/debian/patches/38_CVE-2025-31162.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/38_CVE-2025-31162.patch 2025-03-28 22:51:19.000000000 +0100
@@ -0,0 +1,27 @@
+From: Thomas Loimer <thomas.loi...@tuwien.ac.at>
+Date: Wed, 22 Jan 2025 23:18:54 +0100
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/da8992f
+Bug: https://sourceforge.net/p/mcj/tickets/185/
+Forwarded: not-needed
+Subject: Reject huge pattern lengths, ticket #185
+ Reject patterned lines, e.g., dashed lines, where the pattern length exceeds
+ 80 inches.
+ This fixes CVE-2025-31162
+
+--- a/fig2dev/object.h
++++ b/fig2dev/object.h
+@@ -57,12 +57,13 @@ typedef struct f_comment {
+ struct f_comment *next;
+ } F_comment;
+
++#define STYLE_VAL_MAX 6400.0 /* dash length 80 inches, that is enough */
+ #define COMMON_PROPERTIES(o) \
+ o->style < SOLID_LINE || o->style > DASH_3_DOTS_LINE || \
+ o->thickness < 0 || o->depth < 0 || o->depth > 999 || \
+ o->fill_style < UNFILLED || \
+ o->fill_style >= NUMSHADES + NUMTINTS + NUMPATTERNS || \
+- o->style_val < 0.0
++ o->style_val < 0.0 || o->style_val > STYLE_VAL_MAX
+
+ typedef struct f_ellipse {
+ int type;
diff -Nru fig2dev-3.2.8b/debian/patches/39_CVE-2025-31163.patch fig2dev-3.2.8b/debian/patches/39_CVE-2025-31163.patch
--- fig2dev-3.2.8b/debian/patches/39_CVE-2025-31163.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/39_CVE-2025-31163.patch 2025-03-28 22:51:19.000000000 +0100
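Review bot: The new upper bound in COMMON_PROPERTIES still lets a NaN through, because both `o->style_val < 0.0` and `o->style_val > STYLE_VAL_MAX` are false for NaN; if style_val is filled from the .fig file by a float conversion that accepts "nan" (the reader is not in this hunk), such a dash length would pass validation and reach the drivers. Writing the range test in positive form rejects it as well: `!(o->style_val >= 0.0 && o->style_val <= STYLE_VAL_MAX)`. The comment on STYLE_VAL_MAX gives the 80-inch figure but not the unit it is expressed in; the value implies 1/80 inch per unit, and if that is right a comment such as `/* style_val is in 1/80 inch, so 6400.0 is 80 inches */` would make the constant self-explanatory.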
@@ -0,0 +1,62 @@
+From: Thomas Loimer <thomas.loi...@tuwien.ac.at>
+Date: Wed, 22 Jan 2025 23:27:43 +0100
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/c8a87d2
+Bug: https://sourceforge.net/p/mcj/tickets/186/
+Forwarded: not-needed
+Subject: Reject arcs with co-incident points, ticket #186
+ This fixes CVE-2025-31163.
+
+--- a/fig2dev/object.h
++++ b/fig2dev/object.h
+@@ -92,10 +92,10 @@ typedef struct f_ellipse {
+ struct f_ellipse *next;
+ } F_ellipse;
+
+-#define INVALID_ELLIPSE(e) \
++#define INVALID_ELLIPSE(e) \
+ e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA || \
+- COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \
+- e->radiuses.x == 0 || e->radiuses.y == 0 || \
++ COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \
++ e->radiuses.x == 0 || e->radiuses.y == 0 || \
+ e->angle < -7. || e->angle > 7.
+
+ typedef struct f_arc {
+@@ -122,12 +122,16 @@ typedef struct f_arc {
+ struct f_arc *next;
+ } F_arc;
+
+-#define INVALID_ARC(a) \
++#define COINCIDENT(a, b) (a.x == b.x && a.y == b.y)
++#define INVALID_ARC(a) \
+ a->type < T_OPEN_ARC || a->type > T_PIE_WEDGE_ARC || \
+ COMMON_PROPERTIES(a) || a->cap_style < 0 || a->cap_style > 2 || \
+ a->center.x < COORD_MIN || a->center.x > COORD_MAX || \
+ a->center.y < COORD_MIN || a->center.y > COORD_MAX || \
+- (a->direction != 0 && a->direction != 1)
++ (a->direction != 0 && a->direction != 1) || \
++ COINCIDENT(a->point[0], a->point[1]) || \
++ COINCIDENT(a->point[0], a->point[2]) || \
++ COINCIDENT(a->point[1], a->point[2])
+
+ typedef struct f_line {
+ int type;
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -223,6 +223,16 @@ EOF
+ ])
+ AT_CLEANUP
+
++AT_SETUP([reject arcs with coincident points, ticket #186])
++AT_KEYWORDS(read.c arc)
++AT_CHECK([fig2dev -L pict2e <<EOF
++FIG_FILE_TOP
++5 1 0 15 0 7 50 0 -1 0.0 1 0 0 0 0.0 0.0 1 1 1 1 2 0
++EOF
++], 1, ignore, [Invalid arc object at line 10.
++])
++AT_CLEANUP
++
+ AT_SETUP([survive debian bugs #881143, #881144])
+ AT_KEYWORDS([font pic tikz])
+ AT_CHECK([fig2dev -L pic <<EOF
diff -Nru fig2dev-3.2.8b/debian/patches/40_CVE-2025-31164.patch fig2dev-3.2.8b/debian/patches/40_CVE-2025-31164.patch
--- fig2dev-3.2.8b/debian/patches/40_CVE-2025-31164.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/40_CVE-2025-31164.patch 2025-03-28 22:51:19.000000000 +0100
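Review bot: `COINCIDENT(a, b)` applies `.x`/`.y` to its arguments without parentheses, so it only works when each argument is a single postfix expression, and the expansion itself is not parenthesized against its neighbours; the hygienic form is `#define COINCIDENT(a, b) ((a).x == (b).x && (a).y == (b).y)`. Rejecting pairwise-coincident points covers the reported input, but three distinct collinear points also give an arc with no finite centre; whether the pict2e driver tolerates that depends on code outside this hunk, so a second read.at case with collinear points next to the new one would settle it. The INVALID_ELLIPSE lines in the first inner hunk change only whitespace; carrying them in a security backport adds noise to an audit of the fix and could be dropped from the Debian patch.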
@@ -0,0 +1,48 @@
+From: Thomas Loimer <thomas.loi...@tuwien.ac.at>
+Date: Tue, 21 Jan 2025 20:50:15 +0100
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/ff9aba2
+Forwarded: not-needed
+Bug: https://sourceforge.net/p/mcj/tickets/184/
+Subject: Allow an arc-box with zero radius, ticket #184
+ In the pict2e output, a rectangle with rounded corners, dashed line type and
+ zero corner-radius would cause a crash. Convert rectangles with rounded
+ corners and zero corner-radius to regular rectangles.
+ This fixes CVE-2025-31164.
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -960,6 +960,14 @@ sanitize_lineobject(
+ return 0;
+ }
+
++ if (l->type == T_ARC_BOX && l->radius == 0) {
++ put_msg("A %s, but zero corner radius "
++ "at line %d - convert "
++ "to a rectangle.",
++ obj_name[l->type - 2],
++ line_no);
++ l->type = T_BOX;
++ }
+ if ((l->type == T_BOX || l->type == T_POLYGON ||
+ l->type == T_ARC_BOX || l->type == T_PIC_BOX) &&
+ l->points->next && l->points->next->next &&
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -109,6 +109,17 @@ EOF
+ ])
+ AT_CLEANUP
+
++AT_SETUP([convert an arc-box with zero radius to a box])
++AT_KEYWORDS(read.c arc-box)
++AT_CHECK([fig2dev -L pict2e <<EOF
++FIG_FILE_TOP
++2 4 1 1 0 0 50 -1 -1 4.0 0 0 0 0 0 5
++ 0 0 300 0 300 300 0 300 0 0
++EOF
++],0,ignore,[A rectangle with rounded corners, but zero corner radius at line 11 - convert to a rectangle.
++])
++AT_CLEANUP
++
+ AT_SETUP([fail on a malformed arc-box])
+ AT_KEYWORDS(read.c malformed arc-box)
+ AT_CHECK([fig2dev -L pict2e <<EOF
diff -Nru fig2dev-3.2.8b/debian/patches/series fig2dev-3.2.8b/debian/patches/series
--- fig2dev-3.2.8b/debian/patches/series 2022-09-20 17:24:07.000000000 +0200
+++ fig2dev-3.2.8b/debian/patches/series 2025-03-28 22:51:19.000000000 +0100
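Review bot: The new conversion in `sanitize_lineobject` fires only for `l->radius == 0`; if a negative radius is not rejected earlier in the reader (not visible in this hunk), it would reach the pict2e driver as an arc-box exactly as a zero radius did, so `l->radius <= 0` is the more defensive condition, or a comment stating where negative radii are refused. The crash is avoided by rewriting the object at read time rather than by hardening the driver that failed on it; should any other path yield a zero radius after sanitizing, the original fault would still be reachable, which argues for a guard or at least a comment on the pict2e side as well, e.g. `/* a zero corner radius is converted to T_BOX in sanitize_lineobject() */`. `sanitize_lineobject` begins before and continues after the inner hunk.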
@@ -7,3 +7,6 @@
 35_pict2e_output.patch
 36_arrowhead.patch
 37_arrow2point.patch
+38_CVE-2025-31162.patch
+39_CVE-2025-31163.patch
+40_CVE-2025-31164.patch
diff -Nru fig2dev-3.2.8b/debian/salsa-ci.yml fig2dev-3.2.8b/debian/salsa-ci.yml
--- fig2dev-3.2.8b/debian/salsa-ci.yml 2022-09-20 17:24:07.000000000 +0200
+++ fig2dev-3.2.8b/debian/salsa-ci.yml 2025-03-28 22:51:19.000000000 +0100
@@ -1,3 +1,6 @@
 include:
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'bookworm'