Bug#987894: unblock: fig2dev/1:3.2.8-3

[Roland Rosenfeld]

Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package fig2dev

This new version consists of four small security related patches
provided by upstream author, that fix some buffer overflows and null
pointer.

I hoped, that the package would be migrated after 20 day, but just
noted, that it is blocked because it is a key package (according to
popcon), so please unblock the migration before the release.

A diff from 3.2.8-2 is attached.

Greetings
Roland

unblock fig2dev/1:3.2.8-3

diff -Nru fig2dev-3.2.8/debian/changelog fig2dev-3.2.8/debian/changelog
--- fig2dev-3.2.8/debian/changelog	2021-02-06 12:59:35.000000000 +0100
+++ fig2dev-3.2.8/debian/changelog	2021-04-30 11:28:30.000000000 +0200
@@ -1,3 +1,12 @@
+fig2dev (1:3.2.8-3) unstable; urgency=medium
+
+  * 30_arrow-poly: Remove arrows from polygon with single point.
+  * 31_trunc-subsuper: Allow truncated sub/superscripts in text.
+  * 32_arrow-point: Omit arrows without points in svg output.
+  * 33_sanitize-color: Sanitize color definitions.
+
+ -- Roland Rosenfeld <rol...@debian.org>  Fri, 30 Apr 2021 11:28:30 +0200
+
 fig2dev (1:3.2.8-2) unstable; urgency=medium
 
   [ Helmut Grohne ]
diff -Nru fig2dev-3.2.8/debian/patches/30_arrow-poly.patch fig2dev-3.2.8/debian/patches/30_arrow-poly.patch
--- fig2dev-3.2.8/debian/patches/30_arrow-poly.patch	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8/debian/patches/30_arrow-poly.patch	2021-04-30 11:28:30.000000000 +0200
@@ -0,0 +1,70 @@
+From: Thomas Loimer <thomas.loi...@tuwien.ac.at>
+Date: Fri Apr 23 22:31:27 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/114/
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fig2dev/+bug/1926673
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/43cfa693284b076e5d2cc100758a34b76db65e58/
+Subject: Remove arrows from polygon with single point, ticket #114
+ When sanitizing line objects, a polygon consisting of too few points is
+ converted to a polyline. With this commit, the resulting polyline is
+ also sanitized, e.g, by removing arrow tips if the line consists only of
+ a single point.
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -3,7 +3,7 @@
+  * Copyright (c) 1991 by Micah Beck
+  * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+  * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2020 by Thomas Loimer
++ * Parts Copyright (c) 2015-2021 by Thomas Loimer
+  *
+  * Any party obtaining a copy of these files is granted, free of charge, a
+  * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -936,6 +936,7 @@ sanitize_lineobject(
+ 			put_msg("A polygon with %d points at line %d - convert to a polyline.",
+ 			npts, line_no);
+ 			l->type = T_POLYLINE;
++			sanitize_lineobject(l, p, line_no);
+ 			return 0;
+ 		}
+ 	}
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -2,7 +2,7 @@ dnl Fig2dev: Translate Fig code to vario
+ dnl Copyright (c) 1991 by Micah Beck
+ dnl Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+ dnl Parts Copyright (c) 1989-2015 by Brian V. Smith
+-dnl Parts Copyright (c) 2015-2020 by Thomas Loimer
++dnl Parts Copyright (c) 2015-2021 by Thomas Loimer
+ dnl
+ dnl Any party obtaining a copy of these files is granted, free of charge, a
+ dnl full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -121,7 +121,7 @@ EOF
+ ])
+ AT_CLEANUP
+ 
+-AT_SETUP([remove arrows tips from single point])
++AT_SETUP([remove arrow tips from single point])
+ AT_KEYWORDS(read.c polyline)
+ AT_CHECK([fig2dev -L pict2e <<EOF
+ FIG_FILE_TOP
+@@ -134,6 +134,19 @@ EOF
+ A single point with a backward arrow - remove the arrow.
+ ])
+ AT_CLEANUP
++
++AT_SETUP([remove arrow tips on polygon with single point])
++AT_KEYWORDS(read.c polygon)
++AT_CHECK([fig2dev -L svg <<EOF
++FIG_FILE_TOP
++2 3 0 1 -1 -1 50 -1 -1 0. 0 0 0 0 1 1
++	0 0 2. 120. 240.
++	0 0
++EOF
++],0,ignore,[A polygon with 1 points at line 12 - convert to a polyline.
++A single point with a backward arrow - remove the arrow.
++])
++AT_CLEANUP
+ 
+ AT_SETUP([reject huge arrow-type, ticket #57])
+ AT_KEYWORDS(arrow.c arrow)
diff -Nru fig2dev-3.2.8/debian/patches/31_trunc-subsuper.patch fig2dev-3.2.8/debian/patches/31_trunc-subsuper.patch
--- fig2dev-3.2.8/debian/patches/31_trunc-subsuper.patch	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8/debian/patches/31_trunc-subsuper.patch	2021-04-30 11:28:30.000000000 +0200
@@ -0,0 +1,80 @@
+From: Thomas Loimer <thomas.loi...@tuwien.ac.at>
+Date: Sat Apr 24 10:29:59 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/113/
+Bug: https://sourceforge.net/p/mcj/tickets/117/
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fig2dev/+bug/1926674
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/f8ce1ff8837056b12c046f56e3b5248b2c8eeaa1/
+Subject: Allow truncated sub/superscripts in text, #113, #117
+ For svg output, sub- and superscripts are indicated by the ^ and _
+ characters, respectively. A text string truncated right after these
+ characters caused buffer overflow. Fixes tickets #113 and #117.
+
+--- a/fig2dev/dev/gensvg.c
++++ b/fig2dev/dev/gensvg.c
+@@ -3,7 +3,7 @@
+  * Parts Copyright (c) 2002 by Anthony Starks
+  * Parts Copyright (c) 2002-2006 by Martin Kroeker
+  * Parts Copyright (c) 2002-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2020 by Thomas Loimer
++ * Parts Copyright (c) 2015-2021 by Thomas Loimer
+  *
+  * Any party obtaining a copy of these files is granted, free of charge, a
+  * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -1005,7 +1005,7 @@ gensvg_text(F_text *t)
+ #endif
+ 		for (cp = (unsigned char *)t->cstring; *cp; cp++) {
+ 			ch = *cp;
+-			if (( supsub == 2 &&ch == '}' ) || supsub==1) {
++			if ((supsub == 2 && ch == '}') || supsub==1) {
+ #ifdef NOSUPER
+ 				fprintf(tfp,"</tspan><tspan dy=\"%d\">",-dy);
+ 				old_dy=-dy;
+@@ -1019,6 +1019,8 @@ gensvg_text(F_text *t)
+ 				}
+ 			}
+ 			if (ch == '_' || ch == '^') {
++				if (*(cp + 1) == '\0')
++					break;
+ 				supsub=1;
+ #ifdef NOSUPER
+ 				if (dy != 0)
+@@ -1043,6 +1045,8 @@ gensvg_text(F_text *t)
+ 				++cp;
+ 				ch = *cp;
+ 				if (ch == '{' ) {
++					if (*(cp + 1) == '\0')
++						break;
+ 					supsub=2;
+ 					++cp;
+ 					ch = *cp;
+--- a/fig2dev/tests/output.at
++++ b/fig2dev/tests/output.at
+@@ -231,6 +231,17 @@ AT_CHECK([SOURCE_DATE_EPOCH=1483564881 f
+ 		- $builddir/data/fillswclip.svg])
+ AT_CLEANUP
+ 
++AT_SETUP([truncated sub/superscript, tickets #113, #117])
++AT_KEYWORDS(read.c svg)
++AT_CHECK([fig2dev -L svg <<EOF
++#FIG 2
++1200 2
++4 2 0 0 1 0 0 0 6 110 376 0 0 ^

++4 2 0 0 1 0 0 0 6 110 376 0 200 ^{

++EOF
++], 0, ignore)
++AT_CLEANUP
++
+ 
+ AT_BANNER([Test tikz output language.])
+ 
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -136,7 +136,7 @@ A single point with a backward arrow - r
+ AT_CLEANUP
+ 
+ AT_SETUP([remove arrow tips on polygon with single point])
+-AT_KEYWORDS(read.c polygon)
++AT_KEYWORDS(read.c polygon svg)
+ AT_CHECK([fig2dev -L svg <<EOF
+ FIG_FILE_TOP
+ 2 3 0 1 -1 -1 50 -1 -1 0. 0 0 0 0 1 1
diff -Nru fig2dev-3.2.8/debian/patches/32_arrow-point.patch fig2dev-3.2.8/debian/patches/32_arrow-point.patch
--- fig2dev-3.2.8/debian/patches/32_arrow-point.patch	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8/debian/patches/32_arrow-point.patch	2021-04-30 11:28:30.000000000 +0200
@@ -0,0 +1,63 @@
+From: Thomas Loimer <thomas.loi...@tuwien.ac.at>
+Date: Sat Apr 24 23:04:36 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/115/
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fig2dev/+bug/1926676
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/8c0917994e49110004a6632d0a66ea19501ad39d/
+Subject: Omit arrows without points in svg output, ticket #115
+
+--- a/fig2dev/dev/gensvg.c
++++ b/fig2dev/dev/gensvg.c
+@@ -1173,7 +1173,7 @@ svg_arrows(int line_thickness, F_arrow *
+ 	return true;
+     }
+ 
+-    if (for_arrow) {
++    if (for_arrow && fnpoints > 1) {
+ 	fputs("<!-- Forward arrow", tfp);
+ 	arrow_path(for_arrow, forw2, pen_color, fnpoints, fpoints,
+ 		fnfillpoints, ffillpoints
+@@ -1182,7 +1182,7 @@ svg_arrows(int line_thickness, F_arrow *
+ #endif
+ 		);
+     }
+-    if (back_arrow) {
++    if (back_arrow && bnpoints > 1) {
+ 	fputs("<!-- Backward arrow", tfp);
+ 	arrow_path(back_arrow, back2, pen_color, bnpoints, bpoints,
+ 		bnfillpoints, bfillpoints
+--- a/fig2dev/tests/output.at
++++ b/fig2dev/tests/output.at
+@@ -2,7 +2,7 @@ dnl Fig2dev: Translate Fig code to vario
+ dnl Copyright (c) 1991 by Micah Beck
+ dnl Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+ dnl Parts Copyright (c) 1989-2015 by Brian V. Smith
+-dnl Parts Copyright (c) 2015-2020 by Thomas Loimer
++dnl Parts Copyright (c) 2015-2021 by Thomas Loimer
+ dnl
+ dnl Any party obtaining a copy of these files is granted, free of charge, a
+ dnl full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -184,6 +184,7 @@ FIG_FILE_TOP
+ EOF], 0, ignore)
+ AT_CLEANUP
+ 
++
+ AT_BANNER([Test svg output language.])
+ AT_SETUP([compare patterns with template])
+ AT_KEYWORDS(svg pattern creationdate)
+@@ -242,6 +243,16 @@ EOF
+ ], 0, ignore)
+ AT_CLEANUP
+ 
++AT_SETUP([omit arrows without points, ticket #115])
++AT_KEYWORDS(svg arrow)
++AT_CHECK([fig2dev -L svg <<EOF
++FIG_FILE_TOP
++5 1 0 1 7 7 44 -1 6 0.000 0 1 1 1 50 -1 -1500 200 -1 7 50 -1  900 750 975
++	0 0 1.00 45.00 90.00
++	5 0 1.003 1426 1068 1426
++EOF], 0, ignore)
++AT_CLEANUP
++
+ 
+ AT_BANNER([Test tikz output language.])
+ 
diff -Nru fig2dev-3.2.8/debian/patches/33_sanitize-color.patch fig2dev-3.2.8/debian/patches/33_sanitize-color.patch
--- fig2dev-3.2.8/debian/patches/33_sanitize-color.patch	1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8/debian/patches/33_sanitize-color.patch	2021-04-30 11:28:30.000000000 +0200
@@ -0,0 +1,61 @@
+From: Thomas Loimer <thomas.loi...@tuwien.ac.at>
+Date: Sun Apr 25 00:49:15 2021 +0200
+Bug: https://sourceforge.net/p/mcj/tickets/116/
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fig2dev/+bug/1926677
+Applied-Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/6827c09d2d6491cb2ae3ac7196439ff3aa791fd9/
+Subject: Sanitize color definitions, ticket #116
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -520,30 +520,37 @@ read_colordef(char *line, int line_no)
+ 
+ 	if (num_usr_cols >= MAX_USR_COLS) {
+ 		if (num_usr_cols == MAX_USR_COLS) {
+-			put_msg("Maximum number of color definitions (%d) exceeded at line %d.",
++			put_msg("Maximum number of color definitions (%d) "
++					"exceeded at line %d.",
+ 					MAX_USR_COLS, line_no);
+ 			++num_usr_cols;
+ 		}
+ 		/* ignore additional colors */
+ 		return;
+ 	}
+-	if (sscanf(line, "%*d %d #%2x%2x%2x", &c, &r, &g, &b) != 4) {
+-		if (c >= NUM_STD_COLS && c < NUM_STD_COLS + MAX_USR_COLS) {
+-			put_msg("Invalid color definition at line %d: %s, setting to black (#00000).",
+-					line_no, line);
+-			r = g = b = 0;
+-		} else {
+-			put_msg("User color number at line %d out of range (%d), should be between %d and %d.",
++	if (sscanf(line, "%*d %d #%2x%2x%2x", &c, &r, &g, &b) == 4) {
++		if (c >= NUM_STD_COLS && c < NUM_STD_COLS + MAX_USR_COLS &&
++				r >=0 && r < 256 && g >=0 && g < 256 &&
++				b >= 0 && b < 256 ) {
++			user_col_indx[num_usr_cols] = c;
++			user_colors[num_usr_cols].r = r;
++			user_colors[num_usr_cols].g = g;
++			user_colors[num_usr_cols].b = b;
++			++num_usr_cols;
++		} else if (c < NUM_STD_COLS || c >= NUM_STD_COLS+MAX_USR_COLS) {
++			put_msg("User color number at line %d out of range (%d)"
++					", should be between %d and %d.",
+ 					line_no, c, NUM_STD_COLS,
+ 					NUM_STD_COLS + MAX_USR_COLS - 1);
+-			return;
++		} else {
++			put_msg("Invalid color definition at line %d: %s, color"
++				       " values must be between 0 through 255.",
++								line_no, line);
+ 		}
++	} else {
++		put_msg("Invalid color definition at line %d: %s.",
++							line_no, line);
+ 	}
+-	user_col_indx[num_usr_cols] = c;
+-	user_colors[num_usr_cols].r = r;
+-	user_colors[num_usr_cols].g = g;
+-	user_colors[num_usr_cols].b = b;
+-	++num_usr_cols;
+ }
+ 
+ static void
diff -Nru fig2dev-3.2.8/debian/patches/series fig2dev-3.2.8/debian/patches/series
--- fig2dev-3.2.8/debian/patches/series	2021-02-06 12:59:35.000000000 +0100
+++ fig2dev-3.2.8/debian/patches/series	2021-04-30 11:28:30.000000000 +0200
@@ -2,3 +2,7 @@
 15_fig2mpdf-doc.patch
 28_fix_fig2dev_chmod.patch
 29_RGBFILE.patch
+30_arrow-poly.patch
+31_trunc-subsuper.patch
+32_arrow-point.patch
+33_sanitize-color.patch