Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

This fixes CVE-2019-19555 in stretch. Since this is tagged "unimportant" by the security team on https://security-tracker.debian.org/tracker/CVE-2019-19555 they won't publish a DSA, so I tend to send this into the next point release of buster.

Attached you'll find the diff against 3.2.6a-2+deb9u2.

Greetings
Roland
diff -Nru fig2dev-3.2.6a/debian/changelog fig2dev-3.2.6a/debian/changelog --- fig2dev-3.2.6a/debian/changelog 2019-07-27 10:22:45.000000000 +0200 +++ fig2dev-3.2.6a/debian/changelog 2019-12-04 22:22:00.000000000 +0100 @@ -1,3 +1,10 @@ +fig2dev (1:3.2.6a-2+deb9u3) stretch; urgency=medium + + * 41_CVE-2019-19555: Allow Fig v2 text strings ending with multiple ^A. + This fixes CVE-2019-19555. Closes (#946176). + + -- Roland Rosenfeld <rol...@debian.org> Wed, 04 Dec 2019 22:22:00 +0100 + fig2dev (1:3.2.6a-2+deb9u2) stretch; urgency=medium * 40_circle_arrowhead: Do not segfault on circle/half circle arrowheads diff -Nru fig2dev-3.2.6a/debian/patches/41_CVE-2019-19555.patch fig2dev-3.2.6a/debian/patches/41_CVE-2019-19555.patch --- fig2dev-3.2.6a/debian/patches/41_CVE-2019-19555.patch 1970-01-01 01:00:00.000000000 +0100 +++ fig2dev-3.2.6a/debian/patches/41_CVE-2019-19555.patch 2019-12-04 22:22:00.000000000 +0100 
@@ -0,0 +1,27 @@ +From: Thomas Loimer <thomas.loi...@tuwien.ac.at> +Date: Wed Dec 4 17:56:04 2019 +0100 +Bug: https://sourceforge.net/p/mcj/tickets/55 +Bug-Debian: https://bugs.debian.org/946176 +Origin: https://sourceforge.net/p/mcj/fig2dev/ci/19db5fe6f77ebad91af4b4ef0defd61bd0bb358f/ +Subject: Allow Fig v2 text strings ending with multiple ^A. + This fixes CVE-2019-19555 + +--- a/fig2dev/read.c ++++ b/fig2dev/read.c +@@ -3,6 +3,7 @@ + * Copyright (c) 1991 by Micah Beck + * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul + * Parts Copyright (c) 1989-2002 by Brian V. Smith ++ * Parts Copyright (c) 2015-2019 by Thomas Loimer + * + * Any party obtaining a copy of these files is granted, free of charge, a + * full and unrestricted irrevocable, world-wide, paid up, royalty-free, +@@ -1223,7 +1224,7 @@ read_textobject(FILE *fp) + If we do not find the CONTROL-A on this line then this must + be a multi-line text object and we will have to read more. */ + +- n = sscanf(buf,"%*d%d%d%lf%d%d%d%lf%d%lf%lf%d%d%[^\1]%[\1]", ++ n = sscanf(buf,"%*d%d%d%lf%d%d%d%lf%d%lf%lf%d%d%[^\1]%1[\1]", + &t->type, &t->font, &t->size, &t->pen, + &t->color, &t->depth, &t->angle, + &t->flags, &t->height, &t->length, diff -Nru fig2dev-3.2.6a/debian/patches/series fig2dev-3.2.6a/debian/patches/series --- fig2dev-3.2.6a/debian/patches/series 2019-07-27 10:22:45.000000000 +0200 +++ fig2dev-3.2.6a/debian/patches/series 2019-12-04 22:22:00.000000000 +0100 @@ -5,3 +5,4 @@ 31_input_sanitizing.patch 32_fill-style-overflow.patch 40_circle_arrowhead.patch +41_CVE-2019-19555.patch
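Review bot: In the debian/changelog hunk, the new entry writes the bug reference as "Closes (#946176)", which does not match the "Closes: #nnnnnn" form that the changelog parsing recognises, so #946176 would not be closed automatically by this upload. Writing it as "Closes: #946176" fixes that.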
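Review bot: In the read_textobject() hunk of 41_CVE-2019-19555.patch, only the trailing conversion gains a field width ("%1[\1]"); the "%[^\1]" conversion before it still has none, and the destination arguments for both conversions fall outside the context shown. Please confirm that the buffer receiving "%[^\1]" is at least as large as buf, and that the one receiving "%1[\1]" has room for one character plus the terminating NUL. A short comment above the sscanf() call stating why the width is 1 (input ending in multiple ^A, per the patch subject) would keep the limit from being dropped in a later cleanup.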