Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package transfig for openSUSE:Factory checked in at 2025-05-23 14:28:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/transfig (Old) and /work/SRC/openSUSE:Factory/.transfig.new.2732 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "transfig" Fri May 23 14:28:04 2025 rev:62 rq:1277988 version:3.2.9a Changes: -------- --- /work/SRC/openSUSE:Factory/transfig/transfig.changes 2025-05-07 19:15:39.161169969 +0200 +++ /work/SRC/openSUSE:Factory/.transfig.new.2732/transfig.changes 2025-05-23 14:28:19.618928804 +0200 @@ -1,0 +2,18 @@ +Fri May 16 09:32:21 UTC 2025 - Dr. Werner Fink <[email protected]> + +- Work around bug in obs service + +------------------------------------------------------------------- +Fri May 16 08:18:32 UTC 2025 - Dr. Werner Fink <[email protected]> + +- Add patches in order of our bug numbers (differs to upstream) + * 192.patch -- Bug boo#1243260 (CVE-2025-46397) + fig2dev stack-overflow + * 187.patch -- Bug boo#1243261 (CVE-2025-46400) + fig2dev segmentation fault in read_arcobject + * 191.patch -- Bug boo#1243262 (CVE-2025-46398) + fig2dev stack-overflow via read_objects + * 190.patch -- Bug boo#1243263 (CVE-2025-46399) + fig2dev segmentation fault in genge_itp_spline + +------------------------------------------------------------------- @@ -347 +365 @@ - ------------------------------------------------------------ + ____________________________________________________________ @@ -921 +938,0 @@ -------------------------------------------------------------------- @@ -926 +942,0 @@ -------------------------------------------------------------------- @@ -963 +979 @@ ----------------------------------------------------------------------------- +------------------------------------------------------------------- @@ -968 +984 @@ ----------------------------------------------------------------------------- +------------------------------------------------------------------- 
@@ -973 +989 @@ ----------------------------------------------------------------------------- +------------------------------------------------------------------- New: ---- 187.patch 190.patch 191.patch 192.patch BETA DEBUG BEGIN: New: fig2dev stack-overflow * 187.patch -- Bug boo#1243261 (CVE-2025-46400) fig2dev segmentation fault in read_arcobject New: fig2dev stack-overflow via read_objects * 190.patch -- Bug boo#1243263 (CVE-2025-46399) fig2dev segmentation fault in genge_itp_spline New: fig2dev segmentation fault in read_arcobject * 191.patch -- Bug boo#1243262 (CVE-2025-46398) fig2dev stack-overflow via read_objects New:- Add patches in order of our bug numbers (differs to upstream) * 192.patch -- Bug boo#1243260 (CVE-2025-46397) fig2dev stack-overflow BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ transfig.spec ++++++ --- /var/tmp/diff_new_pack.BGfp1V/_old 2025-05-23 14:28:20.186952956 +0200 +++ /var/tmp/diff_new_pack.BGfp1V/_new 2025-05-23 14:28:20.190953127 +0200 @@ -32,6 +32,10 @@ Patch20: 184.patch Patch21: 185.patch Patch22: 186.patch +Patch23: 192.patch +Patch24: 187.patch +Patch25: 191.patch +Patch26: 190.patch Patch43: fig2dev-3.2.6-fig2mpdf.patch Patch44: fig2dev-3.2.6-fig2mpdf-doc.patch Patch45: transfig-gcc14.patch @@ -78,6 +82,10 @@ %patch -P 20 -p0 %patch -P 21 -p0 %patch -P 22 -p0 +%patch -P 23 -p0 +%patch -P 24 -p0 +%patch -P 25 -p0 +%patch -P 26 -p0 %patch -P 43 -p1 -b .mpdf %patch -P 44 -p1 -b .mpdfdoc %patch -P 45 -p0 -b .gcc14 ++++++ 187.patch ++++++ commit 1e5515a1ea2ec8651cf85ab5000d026bb962492a Author: Thomas Loimer <[email protected]> Date: Thu Jan 23 21:08:43 2025 +0100 pict2e: deal with arcs with an radius of 1, #187 The pict2e driver resolves patterned arcs to a series of line segments. The line is constructed from a spline approximating a circle. For an arc radius of about 1, no line remains. Ignore such small arcs. 
diff --git fig2dev/dev/genpict2e.c fig2dev/dev/genpict2e.c index 423032c..b55bf38 100644 --- fig2dev/dev/genpict2e.c +++ fig2dev/dev/genpict2e.c @@ -3,7 +3,7 @@ * Copyright (c) 1991 by Micah Beck * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul * Parts Copyright (c) 1989-2015 by Brian V. Smith - * Parts Copyright (c) 2015-2023 by Thomas Loimer + * Parts Copyright (c) 2015-2025 by Thomas Loimer * * Any party obtaining a copy of these files is granted, free of charge, a * full and unrestricted irrevocable, world-wide, paid up, royalty-free, @@ -19,7 +19,7 @@ /* * genpict2e.c: convert fig to pict2e macro language for LaTeX * - * Author: Thomas Loimer, 2014-2023 + * Author: Thomas Loimer, 2014-2025 * Based on the latex picture driver, genlatex.c * */ @@ -2277,8 +2277,13 @@ put_patternarc( l->join_style = MITERJOIN; p = l->points; - if (p == NULL) + for (i = 0; i < 8 && p != NULL; ++i) + p = p->next; + /* If the radius is about 1, the spline may consist of + a few points only. */ + if (i < 7) return; + p = l->points; /* * Walk along the spline, until the arc angle is covered. @@ -2428,7 +2433,7 @@ genpict2e_arc(F_arc *a) rad = 0.5*(sqrt((double)d1x*d1x + (double)d1y*d1y) + sqrt((double)d2x*d2x + (double)d2y*d2y)); rad = round(rad*10.0) / 10.0; - /* how precise must the angle be given? + /* how precise must the angle be given? 1/rad is the view angle of one pixel */ da = 180.0 / M_PI / rad; preca = 0; commit c4465e0d9af89d9738aad31c2d0873ac1fa03c96 Author: Thomas Loimer <[email protected]> Date: Sat Jan 25 21:06:59 2025 +0100 Reject arcs with an radius smaller than 3, #187 This also reverts the previous commit, 1e5515. An arc with too small radius caused a crash in pict2e output. Instead of dealing with such arcs in the pict2e driver, reject them already when reading. diff --git fig2dev/dev/genpict2e.c fig2dev/dev/genpict2e.c index b55bf38..423032c 100644 --- fig2dev/dev/genpict2e.c +++ fig2dev/dev/genpict2e.c 
@@ -3,7 +3,7 @@ * Copyright (c) 1991 by Micah Beck * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul * Parts Copyright (c) 1989-2015 by Brian V. Smith - * Parts Copyright (c) 2015-2025 by Thomas Loimer + * Parts Copyright (c) 2015-2023 by Thomas Loimer * * Any party obtaining a copy of these files is granted, free of charge, a * full and unrestricted irrevocable, world-wide, paid up, royalty-free, @@ -19,7 +19,7 @@ /* * genpict2e.c: convert fig to pict2e macro language for LaTeX * - * Author: Thomas Loimer, 2014-2025 + * Author: Thomas Loimer, 2014-2023 * Based on the latex picture driver, genlatex.c * */ @@ -2277,13 +2277,8 @@ put_patternarc( l->join_style = MITERJOIN; p = l->points; - for (i = 0; i < 8 && p != NULL; ++i) - p = p->next; - /* If the radius is about 1, the spline may consist of - a few points only. */ - if (i < 7) + if (p == NULL) return; - p = l->points; /* * Walk along the spline, until the arc angle is covered. @@ -2433,7 +2428,7 @@ genpict2e_arc(F_arc *a) rad = 0.5*(sqrt((double)d1x*d1x + (double)d1y*d1y) + sqrt((double)d2x*d2x + (double)d2y*d2y)); rad = round(rad*10.0) / 10.0; - /* how precise must the angle be given? + /* how precise must the angle be given? 1/rad is the view angle of one pixel */ da = 180.0 / M_PI / rad; preca = 0; diff --git fig2dev/object.h fig2dev/object.h index 50afbf0..178d629 100644 --- fig2dev/object.h +++ fig2dev/object.h @@ -92,11 +92,14 @@ typedef struct f_ellipse { struct f_ellipse *next; } F_ellipse; +#define RADIUS2_MIN 9 #define INVALID_ELLIPSE(e) \ e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA || \ COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \ e->radiuses.x == 0 || e->radiuses.y == 0 || \ + e->radiuses.x + e->radiuses.y < RADIUS2_MIN || \ e->angle < -7. || e->angle > 7. + /* radiuses are set to positive in read.c */ typedef struct f_arc { int type; 
@@ -131,7 +134,10 @@ typedef struct f_arc { (a->direction != 0 && a->direction != 1) || \ COINCIDENT(a->point[0], a->point[1]) || \ COINCIDENT(a->point[0], a->point[2]) || \ - COINCIDENT(a->point[1], a->point[2]) + COINCIDENT(a->point[1], a->point[2]) || \ + (a->point[0].x - a->center.x) * (a->point[0].x - a->center.x) + \ + (a->point[0].y - a->center.y) * (a->point[0].y - a->center.y) < \ + RADIUS2_MIN typedef struct f_line { int type; diff --git fig2dev/read1_3.c fig2dev/read1_3.c index 8a1a89a..1605498 100644 --- fig2dev/read1_3.c +++ fig2dev/read1_3.c @@ -3,7 +3,7 @@ * Copyright (c) 1991 by Micah Beck * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul * Parts Copyright (c) 1989-2015 by Brian V. Smith - * Parts Copyright (c) 2015-2022 by Thomas Loimer + * Parts Copyright (c) 2015-2025 by Thomas Loimer * * Any party obtaining a copy of these files is granted, free of charge, a * full and unrestricted irrevocable, world-wide, paid up, royalty-free, @@ -156,8 +156,10 @@ read_arcobject(FILE *fp) a->pen_color = a->fill_color = BLACK_COLOR; a->depth = 0; a->pen = 0; + a->fill_style = 0; a->for_arrow = NULL; a->back_arrow = NULL; + a->cap_style = 0; a->comments = NULL; a->next = NULL; n = fscanf(fp, @@ -328,6 +330,10 @@ read_ellipseobject(FILE *fp) e->type = T_CIRCLE_BY_RAD; else e->type = T_CIRCLE_BY_DIA; + if (e->radiuses.x < 0) + e->radiuses.x *= -1; + if (e->radiuses.y < 0) + e->radiuses.y *= -1; if (INVALID_ELLIPSE(e)) { put_msg(Err_invalid, "ellipse"); free(e); ++++++ 190.patch ++++++ commit 2bd6c0b210916d0d3ca81f304535b5af0849aa93 Author: Thomas Loimer <[email protected]> Date: Tue Apr 8 22:45:57 2025 +0200 ge output: correct spline computation, ticket #190 --- fig2dev/dev/genge.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- fig2dev/dev/genge.c +++ fig2dev/dev/genge.c 2025-05-16 08:15:58.678040763 +0000 
@@ -229,8 +229,6 @@ genge_itp_spline(F_spline *s) int xmin, ymin; a = s->controls; - - a = s->controls; p = s->points; /* go through the points to find the last two */ for (q = p->next; q != NULL; p = q, q = q->next) { @@ -238,6 +236,7 @@ genge_itp_spline(F_spline *s) a = b; } + a = s->controls; p = s->points; fprintf(tfp, "n %d %d m\n", p->x, p->y); xmin = 999999; ++++++ 191.patch ++++++ commit 5f22009dba73922e98d49c0096cece8b215cd45b Author: Thomas Loimer <[email protected]> Date: Tue Apr 8 21:34:23 2025 +0200 Permit \0 in the second line in the fig file, #191 diff --git fig2dev/read.c fig2dev/read.c index 0ec958d..2ea18ef 100644 --- fig2dev/read.c +++ fig2dev/read.c @@ -190,7 +190,8 @@ read_objects(FILE *fp, F_compound *obj) } /* check for embedded '\0' */ - if (strlen(buf) < sizeof buf - 1 && buf[strlen(buf) - 1] != '\n') { + if (*buf == '\0' || (strlen(buf) < sizeof buf - 1 && + buf[strlen(buf) - 1] != '\n')) { put_msg("ASCII NUL ('\\0') character within the first line."); exit(EXIT_FAILURE); /* seek to the end of the first line @@ -239,7 +240,7 @@ read_objects(FILE *fp, F_compound *obj) the encoding given in the file */ if (!input_encoding && !strcmp(buf, "encoding: UTF-8\n")) { input_encoding = "UTF-8"; - } else if (buf[strlen(buf) - 1] != '\n') { + } else if (*buf == '\0' || buf[strlen(buf) - 1] != '\n') { /* seek forward to the end of the line; comments here are not mentioned by the specification, thus ignore this comment */ ++++++ 192.patch ++++++ commit dfa8b661b506a463a669754ed635b0a8eb67580e Author: Thomas Loimer <[email protected]> Date: Thu Apr 10 09:03:30 2025 +0200 Detect nan in spline control values, ticket #192 --- fig2dev/read.c | 17 +++++++++++------ fig2dev/tests/read.at | 19 +++++++++++++++++++ 2 files changed, 30 insertions(+), 6 deletions(-) --- fig2dev/read.c +++ fig2dev/read.c 2025-05-16 08:04:13.646999235 +0000 
@@ -1581,12 +1581,17 @@ read_splineobject(FILE *fp, char **restr free_splinestorage(s); return NULL; } - if (lx < INT_MIN || lx > INT_MAX || ly < INT_MIN || - ly > INT_MAX || rx < INT_MIN || rx > INT_MAX || - ry < INT_MIN || ry > INT_MAX) { - /* do not care to clean up, we exit anyway - cp->next = NULL; - free_splinestorage(s); */ + if ( !isfinite(lx) || lx < INT_MIN || lx > INT_MAX || + !isfinite(ly) || ly < INT_MIN || ly > INT_MAX || + !isfinite(rx) || rx < INT_MIN || rx > INT_MAX || + !isfinite(ry) || ry < INT_MIN || ry > INT_MAX) + { + + /* clean up, to pass test "reject huge spline controls + values" when -fsanitize=address is enabled */ + cp->next = NULL; + free_splinestorage(s); + free(cq); put_msg("Spline control points out of range " "at line %d.", *line_no); exit(EXIT_FAILURE); --- fig2dev/tests/read.at +++ fig2dev/tests/read.at 2025-05-16 08:07:33.111333617 +0000 @@ -608,6 +608,25 @@ EOF ]) AT_CLEANUP +AT_SETUP([reject nan in spline controls values, #192]) +AT_KEYWORDS([read.c]) +# Use an output language that does not natively support Bezier splines. +# Otherwise, the huge values are simply copied to the output. +AT_CHECK([fig2dev -L epic <<EOF +#FIG 3.1 +Landscape +Center +Metric +1200 2 +3 2 0 1 0 7 50 -1 -1 0.0 0 0 0 2 + 0 0 1200 0 + 600 600 600 nan + 600 600 600 600 +EOF +], 1, ignore, [Spline control points out of range at line 8. +]) +AT_CLEANUP + AT_BANNER([Dynamically allocate picture file name.]) AT_SETUP([prepend fig file path to picture file name])
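Review bot: In transfig.changes, the newest entry "Work around bug in obs service" does not say which bug or what the workaround is, and the later hunks (@@ -347, -921, -926, -963, -968, -973) rewrite separator lines in old entries without any mention. A short clause naming the service problem and stating that the separator lines were normalised would let a reader tell these cosmetic edits apart from the four CVE fixes.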
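Review bot: In transfig.spec, Patch23 to Patch26 are added with no comment tying each file to its bug, so the non-numeric order (192, 187, 191, 190) looks accidental to anyone who has not read transfig.changes. A one-line comment above each PatchNN carrying the boo# and CVE id from the changelog entry would document both the ordering and the purpose in the spec itself.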
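Review bot: 187.patch bundles commit 1e5515a together with its revert c4465e0, so every fig2dev/dev/genpict2e.c hunk (index 423032c..b55bf38, then b55bf38..423032c) cancels out, copyright-year lines included. Carrying only the object.h and read1_3.c hunks of the second commit would produce the same tree with less to rebase on the next upstream update. If the first commit is kept for history, its put_patternarc guard loops with `i < 8` but returns on `i < 7`; the two limits should agree or the comment should say why they differ.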
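Review bot: In the INVALID_ELLIPSE hunk of fig2dev/object.h, RADIUS2_MIN (9) is named and used in the arc macro as a squared radius, but here it is compared against the plain sum `e->radiuses.x + e->radiuses.y`, so one constant enforces two different minimums. Either compare a squared quantity or introduce a separately named limit for the ellipse case. The added comment says radiuses are made positive in read.c, while the only normalisation visible in this patch is in read_ellipseobject() in read1_3.c; if another reader skips it, radii of opposite sign can sum to 9 or more and pass this test, so the comment should name every place that guarantees the invariant.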
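Review bot: In the arc-validity macro hunk of fig2dev/object.h, the new distance test is appended as `... + ... < RADIUS2_MIN` without enclosing parentheses and without guarding the arithmetic. The types of point and center are not visible in this hunk: if the subtraction is done in int, the squares can overflow for large coordinates, and if center is floating point, a NaN center makes `< RADIUS2_MIN` false so the arc is accepted. Wrapping the term in parentheses and writing it as a negated `>=` comparison on a double would cover both cases.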
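Review bot: In read_arcobject() in fig2dev/read1_3.c, fill_style and cap_style are initialised one field at a time, so the next member added to the arc struct will again be left indeterminate in this reader. Zeroing the whole struct right after allocation and then assigning the non-zero defaults would remove that class of bug. The commit message talks only about rejecting small radii and should also mention these two assignments, since they change what later drivers read.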
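Review bot: In genge_itp_spline() (190.patch, fig2dev/dev/genge.c), the context line `for (q = p->next; q != NULL; p = q, q = q->next) {` dereferences `p = s->points` with no NULL check in view, and the re-added `a = s->controls;` is used afterwards under the assumption that the control list is as long as the point list. If the readers do not guarantee both, an early return for `s->points == NULL || s->controls == NULL` belongs here. The diffstat shows only genge.c changed; a test case alongside the read.at cases, using a fig file that reproduces ticket #190, would keep the segmentation fault from coming back.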
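Review bot: In 191.patch, the commit subject says "Permit \0 in the second line", yet the first read_objects() hunk changes the first-line check, which still ends in `exit(EXIT_FAILURE)`; the message should state that a leading NUL on line one is now reported as an error instead of indexing `buf[strlen(buf) - 1]` with a length of 0. Both hunks call strlen(buf) repeatedly in one condition; storing it once in a size_t and testing `len == 0` first makes the bounds argument explicit. No test is added for either line; a case in fig2dev/tests/read.at with a NUL as the first byte of line one and of line two would cover both branches.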
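Review bot: In the read_splineobject() hunk of 192.patch, `isfinite()` is introduced but no `#include <math.h>` appears in the diff, so confirm fig2dev/read.c already includes it; otherwise the build depends on an implicit declaration. Infinite values were already rejected by the INT_MIN/INT_MAX comparisons, so the only new case is NaN; `isnan()` or a negated in-range test would state that intent more directly. The new comment justifies the cleanup by the older "reject huge spline controls values" test; it should also mention that `free(cq)` is needed because cq is not yet linked into s at this point, if that is the reason.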
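Review bot: In the fig2dev/tests/read.at hunk, the new test places `nan` only in the last control value (ry) of one line, so a regression in the lx, ly or rx branch of the condition would go unnoticed. Adding rows with `nan` in each of the four positions, plus a `-nan` or `NAN` spelling, would exercise every term of the new check. The comment "Otherwise, the huge values are simply copied to the output" is carried over from the neighbouring test and should say "nan values" here.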
