Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package transfig for openSUSE:Factory
checked in at 2025-05-07 19:15:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/transfig (Old)
and /work/SRC/openSUSE:Factory/.transfig.new.30101 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "transfig"
Wed May 7 19:15:03 2025 rev:61 rq:1274933 version:3.2.9a
Changes:
--------
--- /work/SRC/openSUSE:Factory/transfig/transfig.changes 2025-01-15
17:42:07.818023281 +0100
+++ /work/SRC/openSUSE:Factory/.transfig.new.30101/transfig.changes
2025-05-07 19:15:39.161169969 +0200
@@ -1,0 +2,14 @@
+Tue Apr 29 12:01:57 UTC 2025 - Dr. Werner Fink <wer...@suse.de>
+
+- Add patches
+ * 184.patch -- Bug boo#1240379 (CVE-2025-31164)
+ heap-buffer overflow in fig2dev in version 3.2.9a allows an attacker
+ to availability via local input manipulation via create_line_with_spline
+ * 185.patch -- Bug boo#1240380 (CVE-2025-31162)
+ Floating point exception in fig2dev in version 3.2.9a allows an attacker
+ to availability via local input manipulation via get_slope function
+ * 186.patch -- Bug boo#1240381 (CVE-2025-31163)
+ Segmentation fault in fig2dev in version 3.2.9a allows an attacker to
+ availability via local input manipulation via put_patternarc function
+
+-------------------------------------------------------------------
New:
----
184.patch
185.patch
186.patch
BETA DEBUG BEGIN:
New:- Add patches
* 184.patch -- Bug boo#1240379 (CVE-2025-31164)
heap-buffer overflow in fig2dev in version 3.2.9a allows an attacker
New: to availability via local input manipulation via
create_line_with_spline
* 185.patch -- Bug boo#1240380 (CVE-2025-31162)
Floating point exception in fig2dev in version 3.2.9a allows an attacker
New: to availability via local input manipulation via get_slope function
* 186.patch -- Bug boo#1240381 (CVE-2025-31163)
Segmentation fault in fig2dev in version 3.2.9a allows an attacker to
BETA DEBUG END:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ transfig.spec ++++++
--- /var/tmp/diff_new_pack.GHnkm6/_old 2025-05-07 19:15:41.669274734 +0200
+++ /var/tmp/diff_new_pack.GHnkm6/_new 2025-05-07 19:15:41.669274734 +0200
@@ -24,11 +24,14 @@
URL: https://mcj.sourceforge.net/
License: MIT
Group: Productivity/Graphics/Convertors
-#Source:
http://sourceforge.net/projects/mcj/files/fig2dev-%%{version}.tar.xz/download#/fig2dev-%%{version}.tar.xz
+#Source:
https://sourceforge.net/projects/mcj/files/fig2dev-%%{version}.tar.xz/download#/fig2dev-%%{version}.tar.xz
Source: fig2dev-%{version}.tar.xz
Patch0: transfig-3.2.9.dif
Patch1: transfig-gs10.03.patch
Patch4: transfig-fix-afl.patch
+Patch20: 184.patch
+Patch21: 185.patch
+Patch22: 186.patch
Patch43: fig2dev-3.2.6-fig2mpdf.patch
Patch44: fig2dev-3.2.6-fig2mpdf-doc.patch
Patch45: transfig-gcc14.patch
@@ -72,6 +75,9 @@
%patch -P 0 -p0 -b .p0
%patch -P 1 -p0 -b .p1
%patch -P 4 -p1 -b .afl
+%patch -P 20 -p0
+%patch -P 21 -p0
+%patch -P 22 -p0
%patch -P 43 -p1 -b .mpdf
%patch -P 44 -p1 -b .mpdfdoc
%patch -P 45 -p0 -b .gcc14
++++++ 184.patch ++++++
>From ff9aba206a30288f456dfc91584a52ba9927b438 Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loi...@tuwien.ac.at>
Date: Tue, 21 Jan 2025 20:50:15 +0100
Subject: [PATCH] Allow an arc-box with zero radius, ticket #184
In the pict2e output, a rectangle with rounded corners,
dashed line type and zero corner-radius would cause a crash.
Convert rectangles with rounded corners and zero corner-radius to
regular rectangles.
---
fig2dev/read.c | 8 ++++++++
fig2dev/tests/read.at | 11 +++++++++++
2 files changed, 19 insertions(+)
diff --git fig2dev/read.c fig2dev/read.c
index 387527b..f643f7e 100644
--- fig2dev/read.c
+++ fig2dev/read.c
@@ -1037,6 +1037,14 @@ sanitize_lineobject(F_line *l, int line_no)
line_no);
return -1;
}
+ if (l->type == T_ARC_BOX && l->radius == 0) {
+ put_msg("A %s, but zero corner radius "
+ "at line %d - convert "
+ "to a rectangle.",
+ obj_name[l->type - 2],
+ line_no);
+ l->type = T_BOX;
+ }
}
} else { /* T_BOX || T_POLYGON */
diff --git fig2dev/tests/read.at fig2dev/tests/read.at
index 588424d..1b4baea 100644
--- fig2dev/tests/read.at
+++ fig2dev/tests/read.at
@@ -123,6 +123,17 @@ A rectangle with 3 corners at line 11 - convert to a
polygon.
])
AT_CLEANUP
+AT_SETUP([convert an arc-box with zero radius to a box])
+AT_KEYWORDS(read.c arc-box)
+AT_CHECK([fig2dev -L pict2e <<EOF
+FIG_FILE_TOP
+2 4 1 1 0 0 50 -1 -1 4.0 0 0 0 0 0 5
+ 0 0 300 0 300 300 0 300 0 0
+EOF
+],0,ignore,[A rectangle with rounded corners, but zero corner radius at line
11 - convert to a rectangle.
+])
+AT_CLEANUP
+
AT_SETUP([fail on a malformed arc-box])
AT_KEYWORDS(read.c malformed arc-box)
AT_CHECK([fig2dev -L pict2e <<EOF
--
2.35.3
++++++ 185.patch ++++++
>From da8992f44b84a337b4edaa67fc8b36b55eaef696 Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loi...@tuwien.ac.at>
Date: Wed, 22 Jan 2025 23:18:54 +0100
Subject: [PATCH] Reject huge pattern lengths, ticket #185
Reject patterned lines, e.g., dashed lines, where the
pattern length exceeds 80 inches.
---
fig2dev/object.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git fig2dev/object.h fig2dev/object.h
index 29f5a62..7f83939 100644
--- fig2dev/object.h
+++ fig2dev/object.h
@@ -57,12 +57,13 @@ typedef struct f_comment {
struct f_comment *next;
} F_comment;
+#define STYLE_VAL_MAX 6400.0 /* dash length 80 inches, that is
enough */
#define COMMON_PROPERTIES(o) \
o->style < SOLID_LINE || o->style > DASH_3_DOTS_LINE || \
o->thickness < 0 || o->depth < 0 || o->depth > 999 || \
o->fill_style < UNFILLED || \
o->fill_style >= NUMSHADES + NUMTINTS + NUMPATTERNS || \
- o->style_val < 0.0
+ o->style_val < 0.0 || o->style_val > STYLE_VAL_MAX
typedef struct f_ellipse {
int type;
--
2.35.3
++++++ 186.patch ++++++
>From c8a87d22036e62bac0c6f7836078d8103caa6457 Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loi...@tuwien.ac.at>
Date: Wed, 22 Jan 2025 23:27:43 +0100
Subject: [PATCH] Reject arcs with co-incident points, ticket #186
---
fig2dev/object.h | 16 ++++++++++------
fig2dev/tests/read.at | 14 ++++++++++++--
2 files changed, 22 insertions(+), 8 deletions(-)
--- fig2dev/object.h
+++ fig2dev/object.h 2025-04-29 11:58:54.335653487 +0000
@@ -3,7 +3,7 @@
* Copyright (c) 1991 by Micah Beck
* Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
* Parts Copyright (c) 1989-2015 by Brian V. Smith
- * Parts Copyright (c) 2015-2023 by Thomas Loimer
+ * Parts Copyright (c) 2015-2025 by Thomas Loimer
*
* Any party obtaining a copy of these files is granted, free of charge, a
* full and unrestricted irrevocable, world-wide, paid up, royalty-free,
@@ -92,10 +92,10 @@ typedef struct f_ellipse {
struct f_ellipse *next;
} F_ellipse;
-#define INVALID_ELLIPSE(e) \
+#define INVALID_ELLIPSE(e) \
e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA || \
- COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \
- e->radiuses.x == 0 || e->radiuses.y == 0 || \
+ COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \
+ e->radiuses.x == 0 || e->radiuses.y == 0 || \
e->angle < -7. || e->angle > 7.
typedef struct f_arc {
@@ -122,12 +122,16 @@ typedef struct f_arc {
struct f_arc *next;
} F_arc;
-#define INVALID_ARC(a) \
+#define COINCIDENT(a, b) (a.x == b.x && a.y == b.y)
+#define INVALID_ARC(a) \
a->type < T_OPEN_ARC || a->type > T_PIE_WEDGE_ARC || \
COMMON_PROPERTIES(a) || a->cap_style < 0 || a->cap_style > 2 || \
a->center.x < COORD_MIN || a->center.x > COORD_MAX || \
a->center.y < COORD_MIN || a->center.y > COORD_MAX || \
- (a->direction != 0 && a->direction != 1)
+ (a->direction != 0 && a->direction != 1) || \
+ COINCIDENT(a->point[0], a->point[1]) || \
+ COINCIDENT(a->point[0], a->point[2]) || \
+ COINCIDENT(a->point[1], a->point[2])
typedef struct f_line {
int type;
--- fig2dev/tests/read.at
+++ fig2dev/tests/read.at 2025-04-29 11:58:54.335653487 +0000
@@ -2,7 +2,7 @@ dnl Fig2dev: Translate Fig code to vario
dnl Copyright (c) 1991 by Micah Beck
dnl Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
dnl Parts Copyright (c) 1989-2015 by Brian V. Smith
-dnl Parts Copyright (c) 2015-2024 by Thomas Loimer
+dnl Parts Copyright (c) 2015-2025 by Thomas Loimer
dnl
dnl Any party obtaining a copy of these files is granted, free of charge, a
dnl full and unrestricted irrevocable, world-wide, paid up, royalty-free,
@@ -14,7 +14,7 @@ dnl party to do so, with the only requir
dnl and this permission notice remain intact.
dnl read.at
-dnl Author: Thomas Loimer, 2017-2024
+dnl Author: Thomas Loimer, 2017-2025
AT_BANNER([Sanitize and harden input.])
@@ -246,6 +246,16 @@ FIG_FILE_TOP
EOF
], 1, ignore, [Invalid arc object at line 10.
])
+AT_CLEANUP
+
+AT_SETUP([reject arcs with coincident points, ticket #186])
+AT_KEYWORDS(read.c arc)
+AT_CHECK([fig2dev -L pict2e <<EOF
+FIG_FILE_TOP
+5 1 0 15 0 7 50 0 -1 0.0 1 0 0 0 0.0 0.0 1 1 1 1 2 0
+EOF
+], 1, ignore, [Invalid arc object at line 10.
+])
AT_CLEANUP
AT_SETUP([survive debian bugs #881143, #881144])
