Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
This fixes CVE-2019-14275 in stretch. Since this is tagged "unimportant" by the security team on https://security-tracker.debian.org/tracker/CVE-2019-14275 they won't publish a DSA, so I tend to send this into the next point release of buster. Attached you'll find the diff against 3.2.6a-2+deb9u1.

Greetings
Roland
diff -Nru fig2dev-3.2.6a/debian/changelog fig2dev-3.2.6a/debian/changelog --- fig2dev-3.2.6a/debian/changelog 2017-11-30 12:02:27.000000000 +0100 +++ fig2dev-3.2.6a/debian/changelog 2019-07-27 10:22:45.000000000 +0200 @@ -1,3 +1,12 @@ +fig2dev (1:3.2.6a-2+deb9u2) stretch; urgency=medium + + * 40_circle_arrowhead: Do not segfault on circle/half circle arrowheads + with a magnification larger 42. This fixes CVE-2019-14275. + (Closes: #933075). + * Adapt salsa CI pipeline to stretch release. + + -- Roland Rosenfeld <rol...@debian.org> Sat, 27 Jul 2019 10:22:45 +0200 + fig2dev (1:3.2.6a-2+deb9u1) stretch; urgency=medium * CVE-2017-16899: 31_input_sanitizing: Some input sanitizing on FIG diff -Nru fig2dev-3.2.6a/debian/gitlab-ci.yml fig2dev-3.2.6a/debian/gitlab-ci.yml --- fig2dev-3.2.6a/debian/gitlab-ci.yml 1970-01-01 01:00:00.000000000 +0100 +++ fig2dev-3.2.6a/debian/gitlab-ci.yml 2019-07-27 10:22:45.000000000 +0200 @@ -0,0 +1,7 @@ +--- +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + +variables: + RELEASE: 'stretch' diff -Nru fig2dev-3.2.6a/debian/patches/40_circle_arrowhead.patch fig2dev-3.2.6a/debian/patches/40_circle_arrowhead.patch --- fig2dev-3.2.6a/debian/patches/40_circle_arrowhead.patch 1970-01-01 01:00:00.000000000 +0100 +++ fig2dev-3.2.6a/debian/patches/40_circle_arrowhead.patch 2019-07-27 10:22:45.000000000 +0200 
@@ -0,0 +1,35 @@ +From: Thomas Loimer <thomas.loi...@tuwien.ac.at> +Date: Fri Jul 26 23:25:50 2019 +0200 +Bug-Debian: https://bugs.debian.org/933075 +Bug: https://sourceforge.net/p/mcj/tickets/52/ +Origin: https://sourceforge.net/p/mcj/fig2dev/ci/03ea45 +Subject: Allow circle arrowheads when mag >= 42, ticket #52 + Circle and half-circle arrowheads would be drawn with 40 + mag/4 points by + calc_arrow() in bound.c. However, the point arrays passed to calc_arrow() + would only contain 50 points. With a magnification >= 42, a buffer overrun + would occur. Simply use 40 points, independent of magnification. + . + This fixes CVE-2019-14275 + +--- a/fig2dev/bound.c ++++ b/fig2dev/bound.c +@@ -905,7 +905,7 @@ calc_arrow(int x1, int y1, int x2, int y + /* + * CIRCLE and HALF-CIRCLE arrowheads + * +- * We approximate circles with (40+zoom)/4 points ++ * We approximate circles with 40 points + */ + double maxx; + double fix_x, fix_y, xs, ys; +@@ -936,8 +936,8 @@ calc_arrow(int x1, int y1, int x2, int y + dy = my - ys; + fix_x = xs + (dx / 2.0); + fix_y = ys + (dy / 2.0); +- /* choose number of points for circle - 40+mag/4 points */ +- *npoints = np = round(mag/4.0) + 40; ++ /* choose number of points for circle */ ++ *npoints = np = 40; + + if (type == 5) { + /* full circle */ diff -Nru fig2dev-3.2.6a/debian/patches/series fig2dev-3.2.6a/debian/patches/series --- fig2dev-3.2.6a/debian/patches/series 2017-11-30 12:02:27.000000000 +0100 +++ fig2dev-3.2.6a/debian/patches/series 2019-07-27 10:22:45.000000000 +0200 @@ -4,3 +4,4 @@ 29_RGBFILE.patch 31_input_sanitizing.patch 32_fill-style-overflow.patch +40_circle_arrowhead.patch
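Review bot: in the bound.c hunk of 40_circle_arrowhead.patch, `*npoints = np = 40;` is only safe because, as the patch header states, the point arrays passed to calc_arrow() hold 50 entries, and nothing in the hunk ties the two numbers together; a named constant for the array size shared with the callers, or an assert that np stays below it, would keep the next change to either side from reintroducing the overrun. The header comment was also inconsistent with the old code (it said "(40+zoom)/4 points" while the code computed `round(mag/4.0) + 40`), so changing it to "40 points" is the right accompanying fix.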
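Review bot: in the debian/changelog hunk, "with a magnification larger 42" disagrees with the patch header's "mag >= 42" and is ungrammatical; "with a magnification of 42 or more" would match the fix. The second bullet says "Adapt salsa CI pipeline to stretch release", but the gitlab-ci.yml hunk creates the file (old side dated 1970-01-01, `@@ -0,0 +1,7 @@`), so "Add salsa CI pipeline for the stretch release" describes the change more accurately.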