Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package graphviz for openSUSE:Factory checked in at 2024-03-09 20:53:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/graphviz (Old)
 and /work/SRC/openSUSE:Factory/.graphviz.new.1770 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "graphviz" Sat Mar 9 20:53:46 2024 rev:101 rq:1156284 version:2.49.3 Changes: -------- --- /work/SRC/openSUSE:Factory/graphviz/graphviz.changes 2024-02-23 16:40:51.293605084 +0100 +++ /work/SRC/openSUSE:Factory/.graphviz.new.1770/graphviz.changes 2024-03-09 20:53:48.420661526 +0100 @@ -1,0 +2,10 @@ +Thu Mar 7 14:57:35 UTC 2024 - Thomas Renninger <tr...@suse.de> + +- VUL-0: CVE-2023-46045: graphviz: out-of-bounds read via a crafted config6a file + bsc#1219491 +A gvc-detect-plugin-installation-failure-and-display-an-error.patch +- Some alphabetical re-ordering and other spec file changes which should + not have any functional change which came from some kind of auto-spec + cleaner + +------------------------------------------------------------------- New: ---- gvc-detect-plugin-installation-failure-and-display-an-error.patch BETA DEBUG BEGIN: New: bsc#1219491 A gvc-detect-plugin-installation-failure-and-display-an-error.patch - Some alphabetical re-ordering and other spec file changes which should BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ graphviz.spec ++++++ --- /var/tmp/diff_new_pack.6bSSm5/_old 2024-03-09 20:53:49.124687297 +0100 +++ /var/tmp/diff_new_pack.6bSSm5/_new 2024-03-09 20:53:49.128687444 +0100 
@@ -17,43 +17,32 @@ %global flavor @BUILD_FLAVOR@%{nil} - %if "%{flavor}" != "" %define psuffix -%{flavor} %else %define psuffix %{nil} %endif - #fixes build failure caused by new .debug files, not sure how to fix correctly - %define mname graphviz # name of the plugin config file that dot creates %define config_file config6 -# Java and ocaml are not in ring1, thus this gets overriden in staging -# Also, both install into generic locations instead of a language -# specific prefix, disable both -%bcond_with java -%bcond_with ocaml %if "%{flavor}" == "addons" +%define phpconf_dir %{_sysconfdir}/php%{php_version}/conf.d +%define phpext_dir %(%{__php_config} --extension-dir) +%define ruby_version $(pkg-config --variable=RUBY_API_VERSION %{_libdir}/pkgconfig/ruby-*.pc) # PHP8 requires swig >= 4.1.0, https://github.com/swig/swig/commit/56d74355735f3661406d69d04d89d1bdb4ca96f9 %if 0%{?suse_version} >= 1599 %define php_version 8 %else %define php_version 7 %endif -%define phpconf_dir %{_sysconfdir}/php%{php_version}/conf.d -%define phpext_dir %(%{__php_config} --extension-dir) - -%define ruby_version $(pkg-config --variable=RUBY_API_VERSION %{_libdir}/pkgconfig/ruby-*.pc) %endif - # No pkgconfig(gts) in sle12 GA or SPx, but in sle15 %if 0%{?suse_version} == 1315 && !0%{?is_opensuse} %bcond_with gts %else %bcond_without gts %endif - %define cdt_soversion 5 %define cgraph_soversion 6 %define gvc_soversion 6 @@ -61,7 +50,11 @@ %define lab_gamut_soversion 1 %define pathplan_soversion 4 %define xdot_soversion 4 - +# Java and ocaml are not in ring1, thus this gets overriden in staging +# Also, both install into generic locations instead of a language +# specific prefix, disable both +%bcond_with java +%bcond_with ocaml Name: graphviz%{psuffix} Version: 2.49.3 Release: 0 
@@ -83,7 +76,8 @@ Patch6: graphviz-no_php_extra_libs.patch # https://gitlab.com/graphviz/graphviz/-/issues/2303 Patch7: swig-4.1.0.patch - +#PATCH-FIX-UPSTREAM gvc: detect plugin installation failure and display an error +Patch8: gvc-detect-plugin-installation-failure-and-display-an-error.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: bison @@ -96,12 +90,13 @@ BuildRequires: libtool BuildRequires: pkgconfig BuildRequires: pkgconfig(expat) -%if %{with gts} -BuildRequires: pkgconfig(gts) -%endif BuildRequires: pkgconfig(zlib) +Requires: bitstream-vera-fonts Requires: graphviz-plugins-core = %{version} Recommends: graphviz-gd = %{version} +%if %{with gts} +BuildRequires: pkgconfig(gts) +%endif %if "%{flavor}" == "addons" BuildRequires: freeglut-devel BuildRequires: ghostscript @@ -109,13 +104,6 @@ BuildRequires: libpng-devel BuildRequires: libwebp-devel BuildRequires: perl -%if %{php_version} == 8 -BuildRequires: php8-devel -BuildRequires: swig >= 4.1.0 -%else -BuildRequires: php7-devel -BuildRequires: swig >= 3.0.11 -%endif BuildRequires: ruby-devel BuildRequires: pkgconfig(cairo) BuildRequires: pkgconfig(fontconfig) @@ -136,6 +124,13 @@ BuildRequires: pkgconfig(x11) BuildRequires: pkgconfig(xaw7) BuildRequires: pkgconfig(xext) +%if %{php_version} == 8 +BuildRequires: php8-devel +BuildRequires: swig >= 4.1.0 +%else +BuildRequires: php7-devel +BuildRequires: swig >= 3.0.11 +%endif %if %{with java} BuildRequires: java-devel >= 1.6.0 %endif @@ -148,7 +143,6 @@ BuildRequires: pkgconfig(Qt5PrintSupport) BuildRequires: pkgconfig(Qt5Widgets) %endif -Requires: bitstream-vera-fonts %description A collection of tools and tcl packages for the manipulation and layout 
@@ -176,7 +170,7 @@ Summary: Graphviz plugins that use gtk/GNOME Group: Productivity/Graphics/Visualization/Graph Requires(post): graphviz = %{version} -Supplements: packageand(graphviz:xorg-x11-fonts-core) +Supplements: (graphviz and xorg-x11-fonts-core) %description -n graphviz-gnome Graphviz plugins that use gtk/GNOME. @@ -414,6 +408,7 @@ %patch -P 5 -p1 %patch -P 6 %patch -P 7 -p1 +%patch -P 8 -p1 # pkg-config returns 0 (TRUE) when guile-2.2 is present if pkg-config --atleast-version=2.2 guile-2.2; then ++++++ gvc-detect-plugin-installation-failure-and-display-an-error.patch ++++++ From: Matthew Fernandez <matthew.fernan...@gmail.com> Subject: gvc: detect plugin installation failure and display an error References: bsc#1219491 Patch-Mainline: 10.0.1 Git-commit: a95f977f5d809915ec4b14836d2b5b7f5e74881e Git-repo: g...@gitlab.com:graphviz/graphviz.git.git Gitlab: fixes #2441 Reported-by: GJDuck A malformed config6 file that leads to plugin search failing no longer causes out-of-bounds memory reads. This now causes an error message and graceful failure. #2441 Signed-off-by: <tr...@suse.com> Index: graphviz-2.49.3/lib/gvc/gvconfig.c =================================================================== --- graphviz-2.49.3.orig/lib/gvc/gvconfig.c +++ graphviz-2.49.3/lib/gvc/gvconfig.c @@ -183,6 +183,10 @@ static int gvconfig_plugin_install_from_ do { api = token(&nest, &s); gv_api = gvplugin_api(api); + if (gv_api == (api_t)-1) { + agerr(AGERR, "config error: %s %s not found\n", path, api); + return 0; + } do { if (nest == 2) { type = token(&nest, &s);
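Review bot: In the graphviz.changes hunk, the CVE-2023-46045 fix shares one entry with "Some alphabetical re-ordering and other spec file changes which should not have any functional change", which makes the security-relevant part of this submission harder to audit and to backport. Suggest submitting the spec cleanup separately, or at least listing its visible effects, for example the `Supplements: packageand(graphviz:xorg-x11-fonts-core)` line being rewritten as `Supplements: (graphviz and xorg-x11-fonts-core)`. The entry also says "config6a file" while the patch description and `%define config_file config6` say config6; worth confirming which name is meant.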
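Review bot: In the graphviz.spec hunk at @@ -17,43 +17,32 @@, `%define phpconf_dir %{_sysconfdir}/php%{php_version}/conf.d` now sits above the `%if 0%{?suse_version} >= 1599` block that defines `php_version`, so the file reads as use before definition. The result depends on `%define` bodies being expanded when the macro is used rather than where it is written. Suggest keeping `phpconf_dir`, `phpext_dir` and `ruby_version` after the `php_version` conditional, as they were, or adding a comment that explains the ordering dependency.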
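Review bot: In the graphviz.spec hunk at @@ -83,7 +76,8 @@, the comment above `Patch8:` reads only "#PATCH-FIX-UPSTREAM gvc: detect plugin installation failure and display an error" and carries no bug or CVE reference, although the changelog ties this patch to CVE-2023-46045 and bsc#1219491. Suggest adding both identifiers to the comment so the security purpose of the patch is visible from the spec file alone.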
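Review bot: In the lib/gvc/gvconfig.c hunk, the new branch ends with `return 0;` after the `agerr(AGERR, ...)` call, but nothing in the lines shown states that 0 is this function's failure value, while the patch description promises "an error message and graceful failure". Suggest a short comment on the return convention next to the `return 0;`, and a check that the callers act on it. The sentinel is also spelled as the bare cast `(api_t)-1`; a named constant shared with `gvplugin_api()` would keep the producer and this check from drifting apart.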