Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id
<ee4c0876608d99eb3f8b333b556fbd92e7a652eb.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1104154,
regarding bookworm-pu: package fig2dev/1:3.2.8b-3+deb12u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1104154: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104154
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:fig2dev
[ Reason ]
This fixes CVE-2025-46397, CVE-2025-46398, CVE-2025-46399,
CVE-2025-46400, some seg-faults/stack-overflows in different fig2dev
drivers.
[ Impact ]
Segmentation faults with some special cases and a minor security
issue.
[ Tests ]
salsa-ci passed except reprotest (this seems to build the package with
sid instead of bookworm, which uses a newer, different ghostscript
version, resulting in a slightly different gray rastering with two
more dots in an example, so one test in the testsuite fails):
https://salsa.debian.org/debian/fig2dev/-/pipelines/856098
The patch for CVE-2025-46397 adds a new test case.
[ Risks ]
Hopefully none...
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
- fix for CVE-2025-46397
- fix for CVE-2025-46398
- fix for CVE-2025-46399
- fix for CVE-2025-46400
[ Other info ]
I agreed with the security team (Moritz Mühlenhoff) that these are
minor security issues that, from my point of view, should not need a
DSA, but it's better to go via a point release.
Greetings
Roland
diff -Nru fig2dev-3.2.8b/debian/changelog fig2dev-3.2.8b/debian/changelog
--- fig2dev-3.2.8b/debian/changelog 2025-03-28 22:51:19.000000000 +0100
+++ fig2dev-3.2.8b/debian/changelog 2025-04-25 09:55:59.000000000 +0200
@@ -1,3 +1,12 @@
+fig2dev (1:3.2.8b-3+deb12u2) bookworm; urgency=medium
+
+ * 41_CVE-2025-46397: Detect nan in spline control values.
+ * 42_CVE-2025-46398: Permit \0 in 2nd line in fig file.
+ * 43_CVE-2025-46399: ge output: correct spline computation.
+ * 44_CVE-2025-46400: Reject arcs with a radius smaller than 3.
+
+ -- Roland Rosenfeld <[email protected]> Fri, 25 Apr 2025 09:55:59 +0200
+
fig2dev (1:3.2.8b-3+deb12u1) bookworm; urgency=medium
* 38_CVE-2025-31162: Reject huge pattern lengths.
diff -Nru fig2dev-3.2.8b/debian/patches/41_CVE-2025-46397.patch fig2dev-3.2.8b/debian/patches/41_CVE-2025-46397.patch
--- fig2dev-3.2.8b/debian/patches/41_CVE-2025-46397.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/41_CVE-2025-46397.patch 2025-04-25 09:55:59.000000000 +0200
@@ -0,0 +1,52 @@
+From: Thomas Loimer <[email protected]>
+Date: Thu, 10 Apr 2025 09:03:30 +0200
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/dfa8b66
+Bug: https://sourceforge.net/p/mcj/tickets/192/
+Forwarded: not-needed
+Subject: Detect nan in spline control values, ticket #192
+ Fixes CVE-2025-46397
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -1469,8 +1469,11 @@ read_splineobject(FILE *fp, char **restr
+ free_splinestorage(s);
+ return NULL;
+ }
+- if (lx < INT_MIN || lx > INT_MAX || ly < INT_MIN || ly > INT_MAX ||
+- rx < INT_MIN || rx > INT_MAX || ry < INT_MIN || ry > INT_MAX) {
++ if ( !isfinite(lx) || lx < INT_MIN || lx > INT_MAX ||
++ !isfinite(ly) || ly < INT_MIN || ly > INT_MAX ||
++ !isfinite(rx) || rx < INT_MIN || rx > INT_MAX ||
++ !isfinite(ry) || ry < INT_MIN || ry > INT_MAX)
++ {
+ /* do not care to clean up, we exit anyway
+ cp->next = NULL;
+ free_splinestorage(s); */
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -581,6 +581,25 @@ EOF
+ ])
+ AT_CLEANUP
+
++AT_SETUP([reject nan in spline controls values, #192])
++AT_KEYWORDS([read.c])
++# Use an output language that does not natively support Bezier splines.
++# Otherwise, the huge values are simply copied to the output.
++AT_CHECK([fig2dev -L epic <<EOF
++#FIG 3.1
++Landscape
++Center
++Metric
++1200 2
++3 2 0 1 0 7 50 -1 -1 0.0 0 0 0 2
++ 0 0 1200 0
++ 600 600 600 nan
++ 600 600 600 600
++EOF
++], 1, ignore, [Spline control points out of range at line 8.
++])
++AT_CLEANUP
++
+ AT_BANNER([Dynamically allocate picture file name.])
+
+ AT_SETUP([prepend fig file path to picture file name])
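Review bot: the `!isfinite()` guards placed at the front of the new condition are what actually close the hole, and the old condition shows why: every comparison against NaN evaluates false, so `lx < INT_MIN || lx > INT_MAX` let a NaN control value pass, whereas `isfinite()` rejects NaN and ±inf before the range comparisons run. Two things the hunk does not show and that should be confirmed: that `read.c` already includes `<math.h>` (otherwise `isfinite` is undeclared), and that no other reader of spline control values takes the same comparison-only path. The new `read.at` case feeds `nan` into a single control value and expects exit status 1 with `Spline control points out of range at line 8.`, which is the existing error path, so it exercises only one of the four symmetric guards; that is acceptable given their identical shape.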
diff -Nru fig2dev-3.2.8b/debian/patches/42_CVE-2025-46398.patch fig2dev-3.2.8b/debian/patches/42_CVE-2025-46398.patch
--- fig2dev-3.2.8b/debian/patches/42_CVE-2025-46398.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/42_CVE-2025-46398.patch 2025-04-25 09:55:59.000000000 +0200
@@ -0,0 +1,20 @@
+From: Thomas Loimer <[email protected]>
+Date: Tue, 8 Apr 2025 21:34:23 +0200
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/5f22009
+Bug: https://sourceforge.net/p/mcj/tickets/191/
+Forwarded: not-needed
+Subject: Permit \0 in the second line in the fig file, #191
+ Fix CVE-2025-46398
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -181,7 +181,8 @@ read_objects(FILE *fp, F_compound *obj)
+ }
+
+ /* check for embedded '\0' */
+- if (strlen(buf) < sizeof buf - 1 && buf[strlen(buf) - 1] != '\n') {
++ if (*buf == '\0' || (strlen(buf) < sizeof buf - 1 &&
++ buf[strlen(buf) - 1] != '\n')) {
+ put_msg("ASCII NUL ('\\0') character within the first line.");
+ exit(EXIT_FAILURE);
+ /* seek to the end of the first line
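Review bot: the out-of-bounds read this hunk removes is visible in the old condition itself: when `buf` begins with NUL, `strlen(buf)` is 0 and `buf[strlen(buf) - 1]` indexes `buf[(size_t)-1]` before the `'\n'` comparison is made. The added `*buf == '\0' ||` short-circuits that clause, so the wrapped index is no longer reachable. One wording point: the message still reports the NUL as "within the first line" while the patch subject says the affected line is the second line of the fig file; either adjust the message or state why the first-line wording is intended. Unlike 41_CVE-2025-46397.patch, no regression test accompanies this change; a `read.at` case with a NUL as the first byte of the second line would pin the fix.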
diff -Nru fig2dev-3.2.8b/debian/patches/43_CVE-2025-46399.patch fig2dev-3.2.8b/debian/patches/43_CVE-2025-46399.patch
--- fig2dev-3.2.8b/debian/patches/43_CVE-2025-46399.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/43_CVE-2025-46399.patch 2025-04-25 09:55:59.000000000 +0200
@@ -0,0 +1,27 @@
+From: Thomas Loimer <[email protected]>
+Date: Tue, 8 Apr 2025 22:45:57 +0200
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/2bd6c0b
+Bug: https://sourceforge.net/p/mcj/tickets/190/
+Forwarded: not-needed
+Subject: ge output: correct spline computation, ticket #190
+ Fix CVE-2025-46399
+
+--- a/fig2dev/dev/genge.c
++++ b/fig2dev/dev/genge.c
+@@ -229,8 +229,6 @@ genge_itp_spline(F_spline *s)
+ int xmin, ymin;
+
+ a = s->controls;
+-
+- a = s->controls;
+ p = s->points;
+ /* go through the points to find the last two */
+ for (q = p->next; q != NULL; p = q, q = q->next) {
+@@ -238,6 +236,7 @@ genge_itp_spline(F_spline *s)
+ a = b;
+ }
+
++ a = s->controls;
+ p = s->points;
+ fprintf(tfp, "n %d %d m\n", p->x, p->y);
+ xmin = 999999;
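Review bot: the fix is consistent with the visible context: the first loop advances the control pointer (`+ a = b;` in the second hunk), so after the loop `a` points at the last control while `p` is reset to `s->points`; the old code reset only `p`, leaving the subsequent point/control walk out of step, and the duplicated `a = s->controls;` before the loop did nothing to prevent that. Moving the assignment to just before `p = s->points;` keeps both walks aligned. No test case accompanies this change, unlike 41_CVE-2025-46397.patch; an interpolated-spline fixture run with `-L ge` in the testsuite would guard the ge driver against regression.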
diff -Nru fig2dev-3.2.8b/debian/patches/44_CVE-2025-46400.patch fig2dev-3.2.8b/debian/patches/44_CVE-2025-46400.patch
--- fig2dev-3.2.8b/debian/patches/44_CVE-2025-46400.patch 1970-01-01 01:00:00.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/44_CVE-2025-46400.patch 2025-04-25 09:55:59.000000000 +0200
@@ -0,0 +1,64 @@
+From: Thomas Loimer <[email protected]>
+Date: Sat, 25 Jan 2025 21:06:59 +0100
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/c4465e0
+Bug: https://sourceforge.net/p/mcj/tickets/187/
+Forwarded: not-needed
+Subject: Reject arcs with a radius smaller than 3, #187
+ An arc with too small radius caused a crash in pict2e output. Instead
+ of dealing with such arcs in the pict2e driver, reject them already
+ when reading.
+ Fixes CVE-2025-46400
+
+--- a/fig2dev/object.h
++++ b/fig2dev/object.h
+@@ -92,11 +92,14 @@ typedef struct f_ellipse {
+ struct f_ellipse *next;
+ } F_ellipse;
+
++#define RADIUS2_MIN 9
+ #define INVALID_ELLIPSE(e) \
+ e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA || \
+ COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \
+ e->radiuses.x == 0 || e->radiuses.y == 0 || \
++ e->radiuses.x + e->radiuses.y < RADIUS2_MIN || \
+ e->angle < -7. || e->angle > 7.
++ /* radiuses are set to positive in read.c */
+
+ typedef struct f_arc {
+ int type;
+@@ -131,7 +134,10 @@ typedef struct f_arc {
+ (a->direction != 0 && a->direction != 1) || \
+ COINCIDENT(a->point[0], a->point[1]) || \
+ COINCIDENT(a->point[0], a->point[2]) || \
+- COINCIDENT(a->point[1], a->point[2])
++ COINCIDENT(a->point[1], a->point[2]) || \
++ (a->point[0].x - a->center.x) * (a->point[0].x - a->center.x) + \
++ (a->point[0].y - a->center.y) * (a->point[0].y - a->center.y) < \
++ RADIUS2_MIN
+
+ typedef struct f_line {
+ int type;
+--- a/fig2dev/read1_3.c
++++ b/fig2dev/read1_3.c
+@@ -157,8 +157,10 @@ read_arcobject(FILE *fp)
+ a->pen_color = a->fill_color = BLACK_COLOR;
+ a->depth = 0;
+ a->pen = 0;
++ a->fill_style = 0;
+ a->for_arrow = NULL;
+ a->back_arrow = NULL;
++ a->cap_style = 0;
+ a->comments = NULL;
+ a->next = NULL;
+ n = fscanf(fp,
+@@ -329,6 +331,10 @@ read_ellipseobject(FILE *fp)
+ e->type = T_CIRCLE_BY_RAD;
+ else
+ e->type = T_CIRCLE_BY_DIA;
++ if (e->radiuses.x < 0)
++ e->radiuses.x *= -1;
++ if (e->radiuses.y < 0)
++ e->radiuses.y *= -1;
+ if (INVALID_ELLIPSE(e)) {
+ put_msg(Err_invalid, "ellipse");
+ free(e);
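Review bot: the two uses of `RADIUS2_MIN` in object.h apply different criteria. For arcs it bounds a squared distance (`dx*dx + dy*dy < RADIUS2_MIN`), i.e. radius below 3 as the subject says; for ellipses it bounds the plain sum `e->radiuses.x + e->radiuses.y < RADIUS2_MIN`, which rejects a circle of radius 4 (sum 8) while an arc of radius 3 (squared 9) is accepted. If the ellipse rule is meant to be the same "radius below 3", compare a squared radius there as well, or give the ellipse threshold its own named constant with a comment explaining the intent. Smaller points: the arc check derives the radius from `point[0]` only, so `point[1]` and `point[2]` are not checked against `center`; the `/* radiuses are set to positive in read.c */` comment names read.c while the sign fix shown here is in read1_3.c, so confirm read.c has the equivalent; and the `fill_style`/`cap_style` initialisations in `read_arcobject` are unrelated to the radius check and deserve a line in the patch header.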
diff -Nru fig2dev-3.2.8b/debian/patches/series fig2dev-3.2.8b/debian/patches/series
--- fig2dev-3.2.8b/debian/patches/series 2025-03-28 22:51:19.000000000 +0100
+++ fig2dev-3.2.8b/debian/patches/series 2025-04-25 09:55:59.000000000 +0200
@@ -10,3 +10,7 @@
38_CVE-2025-31162.patch
39_CVE-2025-31163.patch
40_CVE-2025-31164.patch
+41_CVE-2025-46397.patch
+42_CVE-2025-46398.patch
+43_CVE-2025-46399.patch
+44_CVE-2025-46400.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.12
Hi,
Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.
Regards,
Adam
--- End Message ---