Hi Salvatore! On Wed, 30 Apr 2025, Salvatore Bonaccorso wrote:
> FWIW, the CVEs have been rejected in meanwhile as there is no real > security impact. I think still it is worth you might upload your > package for the upcoming point release, but please drop the CVE id > mentionings. Okay, I renamed the patches to the names they have in sid/trixie and removed the CVE references from the patches and from debian/changelog. An updated debdiff is attached. The updated salsa pipeline is at https://salsa.debian.org/debian/fig2dev/-/pipelines/861650 Nothing else has changed since the initial bug report. A diff against the initial bug report can be found at https://salsa.debian.org/debian/fig2dev/-/commit/792b63860a7e4bdc6199da9e049cc617512c44b9 Greetings Roland
diff -Nru fig2dev-3.2.8b/debian/changelog fig2dev-3.2.8b/debian/changelog
--- fig2dev-3.2.8b/debian/changelog 2025-03-28 22:51:19.000000000 +0100
+++ fig2dev-3.2.8b/debian/changelog 2025-05-05 20:01:51.000000000 +0200
@@ -1,3 +1,13 @@
+fig2dev (1:3.2.8b-3+deb12u2) bookworm; urgency=medium
+
+ * Fix the following seg-faults/stack-overflows:
+ * 41_nan-spline: Detect nan in spline control values.
+ * 42_zero2ndline: Permit \0 in 2nd line in fig file.
+ * 43_ge-spline: ge output: correct spline computation.
+ * 44_arcradius3: Reject arcs with a radius smaller than 3.
+
+ -- Roland Rosenfeld <rol...@debian.org> Mon, 05 May 2025 20:01:51 +0200
+
 fig2dev (1:3.2.8b-3+deb12u1) bookworm; urgency=medium

 * 38_CVE-2025-31162: Reject huge pattern lengths.
diff -Nru fig2dev-3.2.8b/debian/patches/41_nan-spline.patch fig2dev-3.2.8b/debian/patches/41_nan-spline.patch
--- fig2dev-3.2.8b/debian/patches/41_nan-spline.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/41_nan-spline.patch 2025-05-05 20:01:51.000000000 +0200
@@ -0,0 +1,51 @@
+From: Thomas Loimer <thomas.loi...@tuwien.ac.at>
+Date: Thu, 10 Apr 2025 09:03:30 +0200
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/dfa8b66
+Bug: https://sourceforge.net/p/mcj/tickets/192/
+Forwarded: not-needed
+Subject: Detect nan in spline control values, ticket #192
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -1469,8 +1469,11 @@ read_splineobject(FILE *fp, char **restr
+ free_splinestorage(s);
+ return NULL;
+ }
+- if (lx < INT_MIN || lx > INT_MAX || ly < INT_MIN || ly > INT_MAX ||
+- rx < INT_MIN || rx > INT_MAX || ry < INT_MIN || ry > INT_MAX) {
++ if ( !isfinite(lx) || lx < INT_MIN || lx > INT_MAX ||
++ !isfinite(ly) || ly < INT_MIN || ly > INT_MAX ||
++ !isfinite(rx) || rx < INT_MIN || rx > INT_MAX ||
++ !isfinite(ry) || ry < INT_MIN || ry > INT_MAX)
++ {
+ /* do not care to clean up, we exit anyway
+ cp->next = NULL;
+ free_splinestorage(s); */
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -581,6 +581,25 @@ EOF
+ ])
+ AT_CLEANUP
+
++AT_SETUP([reject nan in spline controls values, #192])
++AT_KEYWORDS([read.c])
++# Use an output language that does not natively support Bezier splines.
++# Otherwise, the huge values are simply copied to the output.
++AT_CHECK([fig2dev -L epic <<EOF
++#FIG 3.1
++Landscape
++Center
++Metric
++1200 2
++3 2 0 1 0 7 50 -1 -1 0.0 0 0 0 2
++ 0 0 1200 0
++ 600 600 600 nan
++ 600 600 600 600
++EOF
++], 1, ignore, [Spline control points out of range at line 8.
++])
++AT_CLEANUP
++
+ AT_BANNER([Dynamically allocate picture file name.])
+
+ AT_SETUP([prepend fig file path to picture file name])
diff -Nru fig2dev-3.2.8b/debian/patches/42_zero2ndline.patch fig2dev-3.2.8b/debian/patches/42_zero2ndline.patch
--- fig2dev-3.2.8b/debian/patches/42_zero2ndline.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/42_zero2ndline.patch 2025-05-05 20:01:51.000000000 +0200
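Review bot: The new `if ( !isfinite(lx) ...` condition puts its opening brace on a line of its own, while the two lines it replaces (and `if (INVALID_ELLIPSE(e)) {` elsewhere in this debdiff) keep `{` on the `if` line; ending the condition with `++ !isfinite(ry) || ry < INT_MIN || ry > INT_MAX) {` would keep the hunk consistent with its surroundings. The added regression test only feeds `nan`; since `!isfinite()` also rejects `inf`, a second AT_CHECK with `inf` or `-inf` in a control value would pin that half of the new check as well. `isfinite` comes from `<math.h>`; whether read.c already includes it is outside the hunk, as is the rest of read_splineobject.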
@@ -0,0 +1,19 @@
+From: Thomas Loimer <thomas.loi...@tuwien.ac.at>
+Date: Tue, 8 Apr 2025 21:34:23 +0200
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/5f22009
+Bug: https://sourceforge.net/p/mcj/tickets/191/
+Forwarded: not-needed
+Subject: Permit \0 in the second line in the fig file, #191
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -181,7 +181,8 @@ read_objects(FILE *fp, F_compound *obj)
+ }
+
+ /* check for embedded '\0' */
+- if (strlen(buf) < sizeof buf - 1 && buf[strlen(buf) - 1] != '\n') {
++ if (*buf == '\0' || (strlen(buf) < sizeof buf - 1 &&
++ buf[strlen(buf) - 1] != '\n')) {
+ put_msg("ASCII NUL ('\\0') character within the first line.");
+ exit(EXIT_FAILURE);
+ /* seek to the end of the first line
diff -Nru fig2dev-3.2.8b/debian/patches/43_ge-spline.patch fig2dev-3.2.8b/debian/patches/43_ge-spline.patch
--- fig2dev-3.2.8b/debian/patches/43_ge-spline.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/43_ge-spline.patch 2025-05-05 20:01:51.000000000 +0200
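Review bot: `strlen(buf)` is evaluated twice in the new condition, and the reason for the added `*buf == '\0'` guard is not stated anywhere: with an empty buffer the old `buf[strlen(buf) - 1]` indexed `buf[-1]`, one byte before the array. Hoisting the length makes both points explicit and removes the second call: `size_t len = strlen(buf);` followed by `if (len == 0 || (len < sizeof buf - 1 && buf[len - 1] != '\n')) {`, plus a comment such as `/* an empty buf means the line began with '\0'; buf[len - 1] would read before the array */`. The message on the next line still says "within the first line" while the patch subject is about the second line; whether this check is reached for the second line is not visible in the hunk, so the wording may deserve a look. read_objects continues outside the hunk.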
@@ -0,0 +1,26 @@
+From: Thomas Loimer <thomas.loi...@tuwien.ac.at>
+Date: Tue, 8 Apr 2025 22:45:57 +0200
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/2bd6c0b
+Bug: https://sourceforge.net/p/mcj/tickets/190/
+Forwarded: not-needed
+Subject: ge output: correct spline computation, ticket #190
+
+--- a/fig2dev/dev/genge.c
++++ b/fig2dev/dev/genge.c
+@@ -229,8 +229,6 @@ genge_itp_spline(F_spline *s)
+ int xmin, ymin;
+
+ a = s->controls;
+-
+- a = s->controls;
+ p = s->points;
+ /* go through the points to find the last two */
+ for (q = p->next; q != NULL; p = q, q = q->next) {
+@@ -238,6 +236,7 @@ genge_itp_spline(F_spline *s)
+ a = b;
+ }
+
++ a = s->controls;
+ p = s->points;
+ fprintf(tfp, "n %d %d m\n", p->x, p->y);
+ xmin = 999999;
diff -Nru fig2dev-3.2.8b/debian/patches/44_arcradius3.patch fig2dev-3.2.8b/debian/patches/44_arcradius3.patch
--- fig2dev-3.2.8b/debian/patches/44_arcradius3.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/44_arcradius3.patch 2025-05-05 20:01:51.000000000 +0200
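Review bot: The re-added `a = s->controls;` after the loop is the whole fix, but nothing says why it must be there: the loop above advances `a` (`a = b;`) to the last control, so the output that follows `p = s->points;` would otherwise start from the wrong end of the control list. A comment on the new line, `/* the loop above walked a to the last control; rewind for output */`, tells the next reader that this is not a leftover duplicate of the assignment before the loop. Whether the control list can be shorter than the point list, so that `a` or `b` becomes NULL before the loop ends, is not visible here; genge_itp_spline starts and ends outside the hunk.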
@@ -0,0 +1,63 @@
+From: Thomas Loimer <thomas.loi...@tuwien.ac.at>
+Date: Sat, 25 Jan 2025 21:06:59 +0100
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/c4465e0
+Bug: https://sourceforge.net/p/mcj/tickets/187/
+Forwarded: not-needed
+Subject: Reject arcs with a radius smaller than 3, #187
+ An arc with too small radius caused a crash in pict2e output. Instead
+ of dealing with such arcs in the pict2e driver, reject them already
+ when reading.
+
+--- a/fig2dev/object.h
++++ b/fig2dev/object.h
+@@ -92,11 +92,14 @@ typedef struct f_ellipse {
+ struct f_ellipse *next;
+ } F_ellipse;
+
++#define RADIUS2_MIN 9
+ #define INVALID_ELLIPSE(e) \
+ e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA || \
+ COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \
+ e->radiuses.x == 0 || e->radiuses.y == 0 || \
++ e->radiuses.x + e->radiuses.y < RADIUS2_MIN || \
+ e->angle < -7. || e->angle > 7.
++ /* radiuses are set to positive in read.c */
+
+ typedef struct f_arc {
+ int type;
+@@ -131,7 +134,10 @@ typedef struct f_arc {
+ (a->direction != 0 && a->direction != 1) || \
+ COINCIDENT(a->point[0], a->point[1]) || \
+ COINCIDENT(a->point[0], a->point[2]) || \
+- COINCIDENT(a->point[1], a->point[2])
++ COINCIDENT(a->point[1], a->point[2]) || \
++ (a->point[0].x - a->center.x) * (a->point[0].x - a->center.x) + \
++ (a->point[0].y - a->center.y) * (a->point[0].y - a->center.y) < \
++ RADIUS2_MIN
+
+ typedef struct f_line {
+ int type;
+--- a/fig2dev/read1_3.c
++++ b/fig2dev/read1_3.c
+@@ -157,8 +157,10 @@ read_arcobject(FILE *fp)
+ a->pen_color = a->fill_color = BLACK_COLOR;
+ a->depth = 0;
+ a->pen = 0;
++ a->fill_style = 0;
+ a->for_arrow = NULL;
+ a->back_arrow = NULL;
++ a->cap_style = 0;
+ a->comments = NULL;
+ a->next = NULL;
+ n = fscanf(fp,
+@@ -329,6 +331,10 @@ read_ellipseobject(FILE *fp)
+ e->type = T_CIRCLE_BY_RAD;
+ else
+ e->type = T_CIRCLE_BY_DIA;
++ if (e->radiuses.x < 0)
++ e->radiuses.x *= -1;
++ if (e->radiuses.y < 0)
++ e->radiuses.y *= -1;
+ if (INVALID_ELLIPSE(e)) {
+ put_msg(Err_invalid, "ellipse");
+ free(e);
diff -Nru fig2dev-3.2.8b/debian/patches/series fig2dev-3.2.8b/debian/patches/series
--- fig2dev-3.2.8b/debian/patches/series 2025-03-28 22:51:19.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/series 2025-05-05 20:01:51.000000000 +0200
@@ -10,3 +10,7 @@
 38_CVE-2025-31162.patch
 39_CVE-2025-31163.patch
 40_CVE-2025-31164.patch
+41_nan-spline.patch
+42_zero2ndline.patch
+43_ge-spline.patch
+44_arcradius3.patch
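Review bot: `RADIUS2_MIN 9` is used as a squared radius in the arc check (the squared distance from `point[0]` to `center` is compared with it) but as a plain sum in the ellipse check (`e->radiuses.x + e->radiuses.y < RADIUS2_MIN`), so an ellipse with radii 4 and 4 is rejected although neither radius is below 3; if the sum is intended, a comment on that line such as `/* sum of radii, not squared: rejects 4+4, accepts 5+4 */` or a separately named constant would make the asymmetry deliberate rather than look like a mix-up. The new `e->radiuses.x *= -1;` in read_ellipseobject is signed overflow when radiuses are `int` and the file carries INT_MIN, since fscanf accepts that value; treating `e->radiuses.x == INT_MIN` as invalid before the sign flip avoids it (the field's type is not visible in the hunk). The new comment `/* radiuses are set to positive in read.c */` points at read.c while this patch only changes read1_3.c; whether read.c already normalizes the sign is outside the hunk. The arc expression is free of overflow only if `center` is floating-point; if both operands are `int`, the squared differences can overflow for large coordinates.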