Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Fix some minor security issues, which according to the security team do not warrant a DSA:

* CVE-2017-16899: 31_input_sanitizing: Some input sanitizing on FIG files (Closes: #881143, #881144).
* 32_fill-style-overflow: Sanitize input of fill patterns (Closes: #881396).

The patches are adapted from unstable/testing.

Greetings
Roland
diff -Nru fig2dev-3.2.6a/debian/changelog fig2dev-3.2.6a/debian/changelog --- fig2dev-3.2.6a/debian/changelog 2017-01-28 10:30:50.000000000 +0100 +++ fig2dev-3.2.6a/debian/changelog 2017-11-30 12:02:27.000000000 +0100 @@ -1,3 +1,12 @@ +fig2dev (1:3.2.6a-2+deb9u1) stable; urgency=medium + + * CVE-2017-16899: 31_input_sanitizing: Some input sanitizing on FIG + files (Closes: #881143, #881144). + * 32_fill-style-overflow: Sanitize input of fill patterns + (Closes: #881396). + + -- Roland Rosenfeld <rol...@debian.org> Thu, 30 Nov 2017 12:02:27 +0100 + fig2dev (1:3.2.6a-2) unstable; urgency=medium * build-dep on etoolbox required with current texlive (Closes: #852915). diff -Nru fig2dev-3.2.6a/debian/patches/31_input_sanitizing.patch fig2dev-3.2.6a/debian/patches/31_input_sanitizing.patch --- fig2dev-3.2.6a/debian/patches/31_input_sanitizing.patch 1970-01-01 01:00:00.000000000 +0100 +++ fig2dev-3.2.6a/debian/patches/31_input_sanitizing.patch 2017-11-30 12:02:27.000000000 +0100 
@@ -0,0 +1,41 @@ +Description: CVE-2017-16899 Some input sanitizing when reading FIG files. +Bug-Debian: https://bugs.debian.org/881143 +Bug-Debian: https://bugs.debian.org/881144 +Author: Thomas Loimer <thomas.loi...@tuwien.ac.at> + +--- a/fig2dev/read.c ++++ b/fig2dev/read.c +@@ -1329,8 +1329,14 @@ read_textobject(FILE *fp) + | PSFONT_TEXT; + + /* keep the font number reasonable */ +- if (t->font > MAXFONT(t)) ++ if (t->font > MAXFONT(t)) { + t->font = MAXFONT(t); ++ } else if (t->font < 0 ) { ++ if (psfont_text(t) && t->font < -1) ++ t->font = -1; ++ else ++ t->font = 0; ++ } + fix_and_note_color(&t->color); + t->comments = attach_comments(); /* attach any comments */ + return t; +--- a/fig2dev/read1_3.c ++++ b/fig2dev/read1_3.c +@@ -470,6 +470,15 @@ read_textobject(FILE *fp) + free((char*) t); + return(NULL); + } ++ /* keep the font number within valid range */ ++ if (t->font > MAXFONT(t)) { ++ t->font = MAXFONT(t); ++ } else if (t->font < 0 ) { ++ if (psfont_text(t) && t->font < -1) ++ t->font = -1; ++ else ++ t->font = 0; ++ } + (void)strcpy(t->cstring, buf); + if (t->size == 0) t->size = 18; + return(t); diff -Nru fig2dev-3.2.6a/debian/patches/32_fill-style-overflow.patch fig2dev-3.2.6a/debian/patches/32_fill-style-overflow.patch --- fig2dev-3.2.6a/debian/patches/32_fill-style-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ fig2dev-3.2.6a/debian/patches/32_fill-style-overflow.patch 2017-11-30 12:02:27.000000000 +0100 
@@ -0,0 +1,47 @@ +Description: Sanitize input of fill patterns. +Bug-Debian: https://bugs.debian.org/881396 +Author: Thomas Loimer <thomas.loi...@tuwien.ac.at> + +--- a/fig2dev/read.c ++++ b/fig2dev/read.c +@@ -71,6 +71,8 @@ static int save_comment(void); + + #define FILL_CONVERT(f) ((v2_flag || (f) < WHITE_FILL) \ + ? (v30_flag? f: (f-1)) : 20 - ((f)-1)*5) ++#define FILL_SANITIZE(f) ((f) < UNFILLED || (f) >= \ ++ NUMSHADES + NUMTINTS + NUMPATTERNS) ? UNFILLED : f + + /* input buffer size */ + #define BUF_SIZE 1024 +@@ -547,6 +549,7 @@ read_arcobject(FILE *fp) + } + a->thickness *= round(THICK_SCALE); + a->fill_style = FILL_CONVERT(a->fill_style); ++ a->fill_style = FILL_SANITIZE(a->fill_style); + NOTE_FILL(a); + fix_and_note_color(&a->pen_color); + if (fa) { +@@ -730,6 +733,7 @@ read_ellipseobject(void) + fix_and_note_color(&e->pen_color); + e->thickness *= round(THICK_SCALE); + e->fill_style = FILL_CONVERT(e->fill_style); ++ e->fill_style = FILL_SANITIZE(e->fill_style); + NOTE_FILL(e); + e->comments = attach_comments(); /* attach any comments */ + return e; +@@ -895,6 +899,7 @@ read_lineobject(FILE *fp) + l->radius *= round(THICK_SCALE); + l->thickness *= round(THICK_SCALE); + l->fill_style = FILL_CONVERT(l->fill_style); ++ l->fill_style = FILL_SANITIZE(l->fill_style); + NOTE_FILL(l); + fix_and_note_color(&l->pen_color); + if (fa) { +@@ -1051,6 +1056,7 @@ read_splineobject(FILE *fp) + } + s->thickness *= round(THICK_SCALE); + s->fill_style = FILL_CONVERT(s->fill_style); ++ s->fill_style = FILL_SANITIZE(s->fill_style); + NOTE_FILL(s); + fix_and_note_color(&s->pen_color); + if (fa) { diff -Nru fig2dev-3.2.6a/debian/patches/series fig2dev-3.2.6a/debian/patches/series --- fig2dev-3.2.6a/debian/patches/series 2017-01-28 10:30:50.000000000 +0100 +++ fig2dev-3.2.6a/debian/patches/series 2017-11-30 12:02:27.000000000 +0100 @@ -2,3 +2,5 @@ 15_fig2mpdf-doc.patch 28_fix_fig2dev_chmod.patch 29_RGBFILE.patch +31_input_sanitizing.patch +32_fill-style-overflow.patch
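Review bot: in the read.c read_textobject hunk of 31_input_sanitizing.patch, the new `else if (t->font < 0)` block treats -1 as the acceptable floor for PostScript text (values below -1 are clamped up to -1) but then rewrites a font of exactly -1 to 0, because `psfont_text(t) && t->font < -1` is false for -1 and control falls into the `else`. If -1 is a valid value for PostScript text, as the clamp implies, the guard should only fire on values that actually need fixing, e.g. `else if (t->font < -1 || (!psfont_text(t) && t->font < 0))`, so a legitimate -1 survives unchanged. Minor style point in the same lines: `t->font < 0 )` has a stray space before the closing parenthesis.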
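Review bot: the read1_3.c read_textobject hunk of 31_input_sanitizing.patch pastes a second copy of the font clamp that the read.c hunk introduces, so the two readers now carry identical logic that can drift apart on the next fix. A small shared helper (say, `sanitize_font(F_text *t)`) called from both readers would keep a single definition; whatever is decided about the -1 handling in the read.c copy applies to this copy as well.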
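Review bot: in the first hunk of 32_fill-style-overflow.patch the `FILL_SANITIZE(f)` macro is not wrapped in an outer pair of parentheses and its final `f` is not parenthesized, unlike the adjacent `FILL_CONVERT(f)`. The four current call sites (`x->fill_style = FILL_SANITIZE(x->fill_style);`) happen to parse correctly because assignment binds looser than `?:`, but any future use inside a larger expression would not; suggest `#define FILL_SANITIZE(f) (((f) < UNFILLED || (f) >= NUMSHADES + NUMTINTS + NUMPATTERNS) ? UNFILLED : (f))`. Also, unlike 31_input_sanitizing.patch, this patch touches only read.c; it is worth confirming that the objects read by read1_3.c do not carry a fill style that needs the same range check.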