Hello community,
here is the log from the commit of package transfig for openSUSE:Factory
checked in at 2020-10-03 18:55:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/transfig (Old)
and /work/SRC/openSUSE:Factory/.transfig.new.4249 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "transfig"
Sat Oct 3 18:55:00 2020 rev:45 rq:838775 version:3.2.7b
Changes:
--------
--- /work/SRC/openSUSE:Factory/transfig/transfig.changes 2020-02-21
16:39:30.925692265 +0100
+++ /work/SRC/openSUSE:Factory/.transfig.new.4249/transfig.changes
2020-10-03 18:55:20.085471141 +0200
@@ -1,0 +2,13 @@
+Wed Sep 30 10:48:31 UTC 2020 - Dr. Werner Fink <wer...@suse.de>
+
+- Add upstream security patches/commits
+ * 100e27.patch
+ * 3065eb.patch
+ * ca48cc.patch
+
+-------------------------------------------------------------------
+Tue Sep 29 09:24:16 UTC 2020 - Dr. Werner Fink <wer...@suse.de>
+
+- Do hardening via compile and linker flags
+
+-------------------------------------------------------------------
New:
----
100e27.patch
3065eb.patch
ca48cc.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ transfig.spec ++++++
--- /var/tmp/diff_new_pack.zLF5Tt/_old 2020-10-03 18:55:20.909472054 +0200
+++ /var/tmp/diff_new_pack.zLF5Tt/_new 2020-10-03 18:55:20.909472054 +0200
@@ -70,6 +70,9 @@
Patch15: 4d4e1f.patch
Patch16: 3165d8.patch
Patch17: 639c36.patch
+Patch18: 100e27.patch
+Patch19: 3065eb.patch
+Patch20: ca48cc.patch
Patch43: fig2dev-3.2.6-fig2mpdf.patch
Patch44: fig2dev-3.2.6-fig2mpdf-doc.patch
Patch45: fig2dev-3.2.6a-RGBFILE.patch
@@ -127,14 +130,59 @@
%patch15 -p0 -b .sec12
%patch16 -p0 -b .sec13
%patch17 -p0 -b .sec14
+%patch18 -p0 -b .sec15
+%patch19 -p0 -b .sec16
+%patch20 -p0 -b .sec17
%patch43 -p2 -b .mpdf
%patch44 -p1 -b .mpdfdoc
%patch45 -p1 -b .p45
%build
ulimit -v unlimited || :
+ #
+ # Used for detection of hardening options of gcc and linker
+ #
+ cflags ()
+ {
+ local flag=$1; shift
+ local var=$1; shift
+ test -n "${flag}" -a -n "${var}" || return
+ case "${!var}" in
+ *${flag}*) return
+ esac
+ case "$flag" in
+ -Wl,*)
+ set -o noclobber
+ echo 'int main () { return 0; }' > ldtest.c
+ if ${CC:-gcc} -Werror $flag -o /dev/null -xc ldtest.c > /dev/null
2>&1 ; then
+ eval $var=\${$var:+\$$var\ }$flag
+ fi
+ set +o noclobber
+ rm -f ldtest.c
+ ;;
+ *)
+ if ${CC:-gcc} -Werror $flag -S -o /dev/null -xc /dev/null >
/dev/null 2>&1 ; then
+ eval $var=\${$var:+\$$var\ }$flag
+ fi
+ if ${CXX:-g++} -Werror $flag -S -o /dev/null -xc++ /dev/null >
/dev/null 2>&1 ; then
+ eval $var=\${$var:+\$$var\ }$flag
+ fi
+ esac
+ }
+
CC=gcc
CFLAGS="%{optflags} -fno-strict-aliasing -w -D_GNU_SOURCE -std=gnu99 $(getconf
LFS_CFLAGS)"
+cflags -D_FORTIFY_SOURCE=2 CFLAGS
+cflags -fstack-protector CFLAGS
+cflags -fstack-protector-strong CFLAGS
+cflags -fstack-protector-all CFLAGS
+cflags -Wformat CFLAGS
+cflags -Wformat-security CFLAGS
+cflags -Werror=format-security CFLAGS
+cflags -fPIE CFLAGS
+cflags -pie LDFLAGS
+cflags -Wl,-z,relro LDFLAGS
+cflags -Wl,-z,now LDFLAGS
export CC CFLAGS LDFLAGS
chmod 755 configure
%configure \
++++++ 100e27.patch ++++++
>From 100e2789f8106f9cc0f7e4319c4ee7bda076c3ac Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loi...@tuwien.ac.at>
Date: Sun, 16 Feb 2020 13:25:03 +0100
Subject: [PATCH] Modify commit [3165d8]: Use tangent, not secant
Use the tangent, not a secant, for short arrows on arcs.
---
fig2dev/bound.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git fig2dev/bound.c fig2dev/bound.c
index d305ab9..ea97461 100644
--- fig2dev/bound.c
+++ fig2dev/bound.c
@@ -1102,12 +1102,10 @@ compute_arcarrow_angle(double x1, double y1, double x2,
double y2,
/* add this to the length */
h += lpt;
- /* radius too small for this method, use normal method */
- if (h > 2.0*r) {
+ /* secant would be too large or too small */
+ if (h > 2.0*r || h < 0.01*r) {
arc_tangent_int(x1,y1,x2,y2,direction,x,y);
return;
- } else if (h < thick) {
- h = thick;
}
beta=atan2(dy,dx);
--
2.16.4
++++++ 3065eb.patch ++++++
>From 3065ebc14bb96506429b4ebde3aeb3793c72a66d Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loi...@tuwien.ac.at>
Date: Sun, 16 Feb 2020 18:54:01 +0100
Subject: [PATCH] Allow last line of file lacking eol char, #83, #84
If the last line of a fig file does not end with a newline, the code parsing
the input could read beyond the allocated buffer. This commit fixes the parsing
at two locations in the code, one in string parsing, the second where sequences
of a backslash and octal digits are converted to characters.
---
fig2dev/read.c | 6 ++++--
fig2dev/tests/read.at | 11 +++++++++++
2 files changed, 15 insertions(+), 2 deletions(-)
--- fig2dev/read.c
+++ fig2dev/read.c 2020-09-30 10:46:34.214234522 +0000
@@ -1483,6 +1483,8 @@ read_textobject(FILE *fp, char **restric
len = strlen(start);
start[len++] = '\n'; /* put back the newline */
+ start[len] = '\0'; /* and terminate the string,
+ in case nothing else is found */
/* allocate plenty of space */
next = malloc(len + BUFSIZ);
@@ -1491,7 +1493,7 @@ read_textobject(FILE *fp, char **restric
free(t);
return NULL;
}
- memcpy(next, start, len);
+ memcpy(next, start, len + 1);
while ((chars = getline(line, line_len, fp)) != -1) {
++(*line_no);
@@ -1525,7 +1527,7 @@ read_textobject(FILE *fp, char **restric
len = end - start;
l = len;
while (c[l] != '\0') {
- if (c[l] == '\\') {
+ if (c[l] == '\\' && c[l+1] != '\0') {
/* convert 3 digit octal value */
if (isdigit(c[l+1]) && c[l+2] != '\0' &&
c[l+3] != '\0') {
--- fig2dev/tests/read.at
+++ fig2dev/tests/read.at 2020-09-30 10:46:34.262233620 +0000
@@ -416,6 +416,17 @@ AT_CHECK([fig2dev -L tikz text.fig
], 0, ignore)
AT_CLEANUP
+AT_SETUP([allow files end without eol, tickets #83, #84])
+AT_KEYWORDS([read.c])
+AT_CHECK([AS_ECHO_N(["FIG_FILE_TOP
+4 0 0 50 0 -1 12 0 0 150 405 0 0 No end-of-line here -->"]) | \
+ fig2dev -L box], 0, ignore)
+AT_CHECK([AS_ECHO_N(["FIG_FILE_TOP
+4 0 0 50 0 -1 12 0 0 150 405 0 0 Start string
+No end-of-line after one backslash --> \\"]) | \
+ fig2dev -L box], 0, ignore)
+AT_CLEANUP
+
AT_BANNER([Dynamically allocate picture file name.])
AT_SETUP([prepend fig file path to picture file name])
++++++ ca48cc.patch ++++++
>From ca48ccc90bd3e7801a63cf9a541f292b28ed1260 Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loi...@tuwien.ac.at>
Date: Mon, 17 Feb 2020 12:18:12 +0100
Subject: [PATCH] Amend previous commit - avoid buffer overflow
Regards to Dr. Werner Fink, see discussion to ticket #83.
---
fig2dev/read.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git fig2dev/read.c fig2dev/read.c
index 0bdcd3d..d1ae463 100644
--- fig2dev/read.c
+++ fig2dev/read.c
@@ -1489,8 +1489,6 @@ read_textobject(FILE *fp, char **restrict line, size_t
*line_len, int *line_no)
len = strlen(start);
start[len++] = '\n'; /* put back the newline */
- start[len] = '\0'; /* and terminate the string,
- in case nothing else is found */
/* allocate plenty of space */
next = malloc(len + BUFSIZ);
@@ -1500,6 +1498,8 @@ read_textobject(FILE *fp, char **restrict line, size_t
*line_len, int *line_no)
return NULL;
}
memcpy(next, start, len + 1);
+ next[len] = '\0'; /* terminate the initial string,
+ in case nothing else is found */
while ((chars = getline(line, line_len, fp)) != -1) {
++(*line_no);
--
2.16.4
