Your message dated Sat, 17 May 2025 09:37:57 +0000
with message-id <[email protected]>
and subject line Close 1101561
has caused the Debian Bug report #1101561,
regarding bookworm-pu: package fig2dev/1:3.2.8b-3+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1101561: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101561
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:fig2dev
[ Reason ]
This fixes CVE-2025-31162, CVE-2025-31163, CVE-2025-31164
(segmentation faults in the pict2e driver of fig2dev).
[ Impact ]
Segmentation faults with some special cases and a minor security
issue.
[ Tests ]
salsa-ci passed except reprotest (this seems to build the package with
sid instead of bookworm, which uses a newer, different ghostscript
version, resulting in a slightly different gray rastering with two
more dots in an example, so one test in the testsuite fails):
https://salsa.debian.org/debian/fig2dev/-/pipelines/840929
The patches for CVE-2025-31163 and CVE-2025-31164 add new test cases
(for these bugs) which run successfully.
[ Risks ]
Hopefully none...
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
- fix for CVE-2025-31162
- fix for CVE-2025-31163
- fix for CVE-2025-31164
- Change in debian/salsa-ci.yml to build with bookworm instead of sid
[ Other info ]
I was asked by Salvatore Bonaccorso <[email protected]> from the
security team to upload this to the next point release instead of
fixing via DSA, because of the low severity of the CVEs.
Greetings
Roland
diff -Nru fig2dev-3.2.8b/debian/changelog fig2dev-3.2.8b/debian/changelog
--- fig2dev-3.2.8b/debian/changelog 2022-09-20 17:24:07.000000000 +0200
+++ fig2dev-3.2.8b/debian/changelog 2025-03-28 22:51:19.000000000 +0100
@@ -1,3 +1,11 @@
+fig2dev (1:3.2.8b-3+deb12u1) bookworm; urgency=medium
+
+ * 38_CVE-2025-31162: Reject huge pattern lengths.
+ * 39_CVE-2025-31163: Reject arcs with co-incident points.
+ * 40_CVE-2025-31164: Allow an arc-box with zero radius.
+
+ -- Roland Rosenfeld <[email protected]> Fri, 28 Mar 2025 22:51:19 +0100
+
fig2dev (1:3.2.8b-3) unstable; urgency=medium
[ Roland Rosenfeld ]
diff -Nru fig2dev-3.2.8b/debian/patches/38_CVE-2025-31162.patch fig2dev-3.2.8b/debian/patches/38_CVE-2025-31162.patch
--- fig2dev-3.2.8b/debian/patches/38_CVE-2025-31162.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/38_CVE-2025-31162.patch 2025-03-28 22:51:19.000000000 +0100
@@ -0,0 +1,27 @@
+From: Thomas Loimer <[email protected]>
+Date: Wed, 22 Jan 2025 23:18:54 +0100
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/da8992f
+Bug: https://sourceforge.net/p/mcj/tickets/185/
+Forwarded: not-needed
+Subject: Reject huge pattern lengths, ticket #185
+ Reject patterned lines, e.g., dashed lines, where the pattern length exceeds
+ 80 inches.
+ This fixes CVE-2025-31162
+
+--- a/fig2dev/object.h
++++ b/fig2dev/object.h
+@@ -57,12 +57,13 @@ typedef struct f_comment {
+ struct f_comment *next;
+ } F_comment;
+
++#define STYLE_VAL_MAX 6400.0 /* dash length 80 inches, that is enough */
+ #define COMMON_PROPERTIES(o) \
+ o->style < SOLID_LINE || o->style > DASH_3_DOTS_LINE || \
+ o->thickness < 0 || o->depth < 0 || o->depth > 999 || \
+ o->fill_style < UNFILLED || \
+ o->fill_style >= NUMSHADES + NUMTINTS + NUMPATTERNS || \
+- o->style_val < 0.0
++ o->style_val < 0.0 || o->style_val > STYLE_VAL_MAX
+
+ typedef struct f_ellipse {
+ int type;
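Review bot: The added upper bound `o->style_val > STYLE_VAL_MAX` in COMMON_PROPERTIES, like the existing `o->style_val < 0.0`, evaluates false for a NaN. If style_val is a floating-point field parsed from the input file (its declaration is not in the hunk), a NaN would therefore pass both tests. Writing the range check in accepting form, `!(o->style_val >= 0.0 && o->style_val <= STYLE_VAL_MAX)`, rejects NaN along with out-of-range values. Unlike the other two patches, this one adds no case to tests/read.at; a read test with an oversized dash length that expects the invalid-object message would pin the fix.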
diff -Nru fig2dev-3.2.8b/debian/patches/39_CVE-2025-31163.patch fig2dev-3.2.8b/debian/patches/39_CVE-2025-31163.patch
--- fig2dev-3.2.8b/debian/patches/39_CVE-2025-31163.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/39_CVE-2025-31163.patch 2025-03-28 22:51:19.000000000 +0100
@@ -0,0 +1,62 @@
+From: Thomas Loimer <[email protected]>
+Date: Wed, 22 Jan 2025 23:27:43 +0100
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/c8a87d2
+Bug: https://sourceforge.net/p/mcj/tickets/186/
+Forwarded: not-needed
+Subject: Reject arcs with co-incident points, ticket #186
+ This fixes CVE-2025-31163.
+
+--- a/fig2dev/object.h
++++ b/fig2dev/object.h
+@@ -92,10 +92,10 @@ typedef struct f_ellipse {
+ struct f_ellipse *next;
+ } F_ellipse;
+
+-#define INVALID_ELLIPSE(e) \
++#define INVALID_ELLIPSE(e) \
+ e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA || \
+- COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \
+- e->radiuses.x == 0 || e->radiuses.y == 0 || \
++ COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \
++ e->radiuses.x == 0 || e->radiuses.y == 0 || \
+ e->angle < -7. || e->angle > 7.
+
+ typedef struct f_arc {
+@@ -122,12 +122,16 @@ typedef struct f_arc {
+ struct f_arc *next;
+ } F_arc;
+
+-#define INVALID_ARC(a) \
++#define COINCIDENT(a, b) (a.x == b.x && a.y == b.y)
++#define INVALID_ARC(a) \
+ a->type < T_OPEN_ARC || a->type > T_PIE_WEDGE_ARC || \
+ COMMON_PROPERTIES(a) || a->cap_style < 0 || a->cap_style > 2 || \
+ a->center.x < COORD_MIN || a->center.x > COORD_MAX || \
+ a->center.y < COORD_MIN || a->center.y > COORD_MAX || \
+- (a->direction != 0 && a->direction != 1)
++ (a->direction != 0 && a->direction != 1) || \
++ COINCIDENT(a->point[0], a->point[1]) || \
++ COINCIDENT(a->point[0], a->point[2]) || \
++ COINCIDENT(a->point[1], a->point[2])
+
+ typedef struct f_line {
+ int type;
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -223,6 +223,16 @@ EOF
+ ])
+ AT_CLEANUP
+
++AT_SETUP([reject arcs with coincident points, ticket #186])
++AT_KEYWORDS(read.c arc)
++AT_CHECK([fig2dev -L pict2e <<EOF
++FIG_FILE_TOP
++5 1 0 15 0 7 50 0 -1 0.0 1 0 0 0 0.0 0.0 1 1 1 1 2 0
++EOF
++], 1, ignore, [Invalid arc object at line 10.
++])
++AT_CLEANUP
++
+ AT_SETUP([survive debian bugs #881143, #881144])
+ AT_KEYWORDS([font pic tikz])
+ AT_CHECK([fig2dev -L pic <<EOF
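Review bot: `COINCIDENT(a, b)` uses its arguments unparenthesized, so it is only correct for the simple lvalue arguments passed from INVALID_ARC; `#define COINCIDENT(a, b) ((a).x == (b).x && (a).y == (b).y)` is safer if the macro is reused. The new read.at case supplies the points (1,1), (1,1), (2,0), which exercises only the first of the three COINCIDENT clauses. Cases for point[0] equal to point[2] and point[1] equal to point[2] would cover the other two. The check rejects exact coincidence only; whether three distinct but collinear points are handled safely by the drivers cannot be told from these hunks.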
diff -Nru fig2dev-3.2.8b/debian/patches/40_CVE-2025-31164.patch fig2dev-3.2.8b/debian/patches/40_CVE-2025-31164.patch
--- fig2dev-3.2.8b/debian/patches/40_CVE-2025-31164.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/40_CVE-2025-31164.patch 2025-03-28 22:51:19.000000000 +0100
@@ -0,0 +1,48 @@
+From: Thomas Loimer <[email protected]>
+Date: Tue, 21 Jan 2025 20:50:15 +0100
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/ff9aba2
+Forwarded: not-needed
+Bug: https://sourceforge.net/p/mcj/tickets/184/
+Subject: Allow an arc-box with zero radius, ticket #184
+ In the pict2e output, a rectangle with rounded corners, dashed line type and
+ zero corner-radius would cause a crash. Convert rectangles with rounded
+ corners and zero corner-radius to regular rectangles.
+ This fixes CVE-2025-31164.
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -960,6 +960,14 @@ sanitize_lineobject(
+ return 0;
+ }
+
++ if (l->type == T_ARC_BOX && l->radius == 0) {
++ put_msg("A %s, but zero corner radius "
++ "at line %d - convert "
++ "to a rectangle.",
++ obj_name[l->type - 2],
++ line_no);
++ l->type = T_BOX;
++ }
+ if ((l->type == T_BOX || l->type == T_POLYGON ||
+ l->type == T_ARC_BOX || l->type == T_PIC_BOX) &&
+ l->points->next && l->points->next->next &&
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -109,6 +109,17 @@ EOF
+ ])
+ AT_CLEANUP
+
++AT_SETUP([convert an arc-box with zero radius to a box])
++AT_KEYWORDS(read.c arc-box)
++AT_CHECK([fig2dev -L pict2e <<EOF
++FIG_FILE_TOP
++2 4 1 1 0 0 50 -1 -1 4.0 0 0 0 0 0 5
++ 0 0 300 0 300 300 0 300 0 0
++EOF
++],0,ignore,[A rectangle with rounded corners, but zero corner radius at line 11 - convert to a rectangle.
++])
++AT_CLEANUP
++
+ AT_SETUP([fail on a malformed arc-box])
+ AT_KEYWORDS(read.c malformed arc-box)
+ AT_CHECK([fig2dev -L pict2e <<EOF
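Review bot: The new block in sanitize_lineobject rewrites `l->type` to T_BOX without a comment saying why. A line such as `/* pict2e crashed on a dashed arc-box with zero radius (ticket #184): treat it as a plain box */` above the `if` would keep the reason next to the code. `obj_name[l->type - 2]` relies on an unexplained offset; since the branch only runs for T_ARC_BOX, a short comment on the `- 2` would make the lookup easier to verify. The condition tests `l->radius == 0` only, and whether a negative radius is rejected earlier cannot be seen here, because the function's body starts and ends outside the hunk.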
diff -Nru fig2dev-3.2.8b/debian/patches/series fig2dev-3.2.8b/debian/patches/series
--- fig2dev-3.2.8b/debian/patches/series 2022-09-20 17:24:07.000000000 +0200
+++ fig2dev-3.2.8b/debian/patches/series 2025-03-28 22:51:19.000000000 +0100
@@ -7,3 +7,6 @@
35_pict2e_output.patch
36_arrowhead.patch
37_arrow2point.patch
+38_CVE-2025-31162.patch
+39_CVE-2025-31163.patch
+40_CVE-2025-31164.patch
diff -Nru fig2dev-3.2.8b/debian/salsa-ci.yml fig2dev-3.2.8b/debian/salsa-ci.yml
--- fig2dev-3.2.8b/debian/salsa-ci.yml 2022-09-20 17:24:07.000000000 +0200
+++ fig2dev-3.2.8b/debian/salsa-ci.yml 2025-03-28 22:51:19.000000000 +0100
@@ -1,3 +1,6 @@
include:
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'bookworm'
--- End Message ---
--- Begin Message ---
Version: 12.11
This update has been released as part of 12.10. Thank you for your contribution.
--- End Message ---