Version in base suite: 3.2.8b-3

Base version: fig2dev_3.2.8b-3
Target version: fig2dev_3.2.8b-3+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/f/fig2dev/fig2dev_3.2.8b-3.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/f/fig2dev/fig2dev_3.2.8b-3+deb12u1.dsc

 changelog                       |    8 +++++
 patches/38_CVE-2025-31162.patch |   27 +++++++++++++++++
 patches/39_CVE-2025-31163.patch |   62 ++++++++++++++++++++++++++++++++++++++++
 patches/40_CVE-2025-31164.patch |   48 ++++++++++++++++++++++++++++++
 patches/series                  |    3 +
 salsa-ci.yml                    |    3 +
 6 files changed, 151 insertions(+)

diff -Nru fig2dev-3.2.8b/debian/changelog fig2dev-3.2.8b/debian/changelog
--- fig2dev-3.2.8b/debian/changelog	2022-09-20 15:24:07.000000000 +0000
+++ fig2dev-3.2.8b/debian/changelog	2025-03-28 21:51:19.000000000 +0000
@@ -1,3 +1,11 @@
+fig2dev (1:3.2.8b-3+deb12u1) bookworm; urgency=medium
+
+  * 38_CVE-2025-31162: Reject huge pattern lengths.
+  * 39_CVE-2025-31163: Reject arcs with co-incident points.
+  * 40_CVE-2025-31164: Allow an arc-box with zero radius.
+
+ -- Roland Rosenfeld <roland@debian.org>  Fri, 28 Mar 2025 22:51:19 +0100
+
 fig2dev (1:3.2.8b-3) unstable; urgency=medium
 
   [ Roland Rosenfeld ]
diff -Nru fig2dev-3.2.8b/debian/patches/38_CVE-2025-31162.patch fig2dev-3.2.8b/debian/patches/38_CVE-2025-31162.patch
--- fig2dev-3.2.8b/debian/patches/38_CVE-2025-31162.patch	1970-01-01 00:00:00.000000000 +0000
+++ fig2dev-3.2.8b/debian/patches/38_CVE-2025-31162.patch	2025-03-28 21:51:19.000000000 +0000
@@ -0,0 +1,27 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Wed, 22 Jan 2025 23:18:54 +0100
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/da8992f
+Bug: https://sourceforge.net/p/mcj/tickets/185/
+Forwarded: not-needed
+Subject: Reject huge pattern lengths, ticket #185
+ Reject patterned lines, e.g., dashed lines, where the pattern length exceeds
+ 80 inches.
+ This fixes CVE-2025-31162
+
+--- a/fig2dev/object.h
++++ b/fig2dev/object.h
+@@ -57,12 +57,13 @@ typedef struct f_comment {
+ 	struct f_comment	*next;
+ } F_comment;
+ 
++#define	STYLE_VAL_MAX	6400.0	/* dash length 80 inches, that is enough */
+ #define COMMON_PROPERTIES(o)						\
+ 	o->style < SOLID_LINE || o->style > DASH_3_DOTS_LINE ||		\
+ 	o->thickness < 0 || o->depth < 0 || o->depth > 999 ||		\
+ 	o->fill_style < UNFILLED ||					\
+ 	o->fill_style >= NUMSHADES + NUMTINTS + NUMPATTERNS ||		\
+-	o->style_val < 0.0
++	o->style_val < 0.0 || o->style_val > STYLE_VAL_MAX
+ 
+ typedef struct f_ellipse {
+ 	int			type;
diff -Nru fig2dev-3.2.8b/debian/patches/39_CVE-2025-31163.patch fig2dev-3.2.8b/debian/patches/39_CVE-2025-31163.patch
--- fig2dev-3.2.8b/debian/patches/39_CVE-2025-31163.patch	1970-01-01 00:00:00.000000000 +0000
+++ fig2dev-3.2.8b/debian/patches/39_CVE-2025-31163.patch	2025-03-28 21:51:19.000000000 +0000
@@ -0,0 +1,62 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Wed, 22 Jan 2025 23:27:43 +0100
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/c8a87d2
+Bug: https://sourceforge.net/p/mcj/tickets/186/
+Forwarded: not-needed
+Subject: Reject arcs with co-incident points, ticket #186
+ This fixes CVE-2025-31163.
+
+--- a/fig2dev/object.h
++++ b/fig2dev/object.h
+@@ -92,10 +92,10 @@ typedef struct f_ellipse {
+ 	struct f_ellipse	*next;
+ } F_ellipse;
+ 
+-#define INVALID_ELLIPSE(e)	\
++#define INVALID_ELLIPSE(e)						\
+ 	e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA ||	\
+-	COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \
+-	e->radiuses.x == 0 || e->radiuses.y == 0 || \
++	COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) ||  \
++	e->radiuses.x == 0 || e->radiuses.y == 0 ||			\
+ 	e->angle < -7. || e->angle > 7.
+ 
+ typedef struct f_arc {
+@@ -122,12 +122,16 @@ typedef struct f_arc {
+ 	struct f_arc		*next;
+ } F_arc;
+ 
+-#define INVALID_ARC(a)	\
++#define COINCIDENT(a, b)	(a.x == b.x && a.y == b.y)
++#define INVALID_ARC(a)							\
+ 	a->type < T_OPEN_ARC || a->type > T_PIE_WEDGE_ARC ||		\
+ 	COMMON_PROPERTIES(a) || a->cap_style < 0 || a->cap_style > 2 ||	\
+ 	a->center.x < COORD_MIN || a->center.x > COORD_MAX ||		\
+ 	a->center.y < COORD_MIN || a->center.y > COORD_MAX ||		\
+-	(a->direction != 0 && a->direction != 1)
++	(a->direction != 0 && a->direction != 1) ||			\
++	COINCIDENT(a->point[0], a->point[1]) ||				\
++	COINCIDENT(a->point[0], a->point[2]) ||				\
++	COINCIDENT(a->point[1], a->point[2])
+ 
+ typedef struct f_line {
+ 	int			type;
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -223,6 +223,16 @@ EOF
+ ])
+ AT_CLEANUP
+ 
++AT_SETUP([reject arcs with coincident points, ticket #186])
++AT_KEYWORDS(read.c arc)
++AT_CHECK([fig2dev -L pict2e <<EOF
++FIG_FILE_TOP
++5 1 0 15 0 7 50 0 -1 0.0 1 0 0 0 0.0 0.0 1 1 1 1 2 0
++EOF
++], 1, ignore, [Invalid arc object at line 10.
++])
++AT_CLEANUP
++
+ AT_SETUP([survive debian bugs #881143, #881144])
+ AT_KEYWORDS([font pic tikz])
+ AT_CHECK([fig2dev -L pic <<EOF
diff -Nru fig2dev-3.2.8b/debian/patches/40_CVE-2025-31164.patch fig2dev-3.2.8b/debian/patches/40_CVE-2025-31164.patch
--- fig2dev-3.2.8b/debian/patches/40_CVE-2025-31164.patch	1970-01-01 00:00:00.000000000 +0000
+++ fig2dev-3.2.8b/debian/patches/40_CVE-2025-31164.patch	2025-03-28 21:51:19.000000000 +0000
@@ -0,0 +1,48 @@
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Tue, 21 Jan 2025 20:50:15 +0100
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/ff9aba2
+Forwarded: not-needed
+Bug: https://sourceforge.net/p/mcj/tickets/184/
+Subject: Allow an arc-box with zero radius, ticket #184
+ In the pict2e output, a rectangle with rounded corners, dashed line type and
+ zero corner-radius would cause a crash. Convert rectangles with rounded
+ corners and zero corner-radius to regular rectangles.
+ This fixes CVE-2025-31164.
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -960,6 +960,14 @@ sanitize_lineobject(
+ 	    return 0;
+ 	}
+ 
++	if (l->type == T_ARC_BOX && l->radius == 0) {
++		put_msg("A %s, but zero corner radius "
++			"at line %d - convert "
++			"to a rectangle.",
++			obj_name[l->type - 2],
++			line_no);
++			l->type = T_BOX;
++	}
+ 	if ((l->type == T_BOX || l->type == T_POLYGON ||
+ 			l->type == T_ARC_BOX || l->type == T_PIC_BOX) &&
+ 		l->points->next && l->points->next->next &&
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -109,6 +109,17 @@ EOF
+ ])
+ AT_CLEANUP
+ 
++AT_SETUP([convert an arc-box with zero radius to a box])
++AT_KEYWORDS(read.c arc-box)
++AT_CHECK([fig2dev -L pict2e <<EOF
++FIG_FILE_TOP
++2 4 1 1 0 0 50 -1 -1 4.0 0 0 0 0 0 5
++	0 0 300 0 300 300 0 300 0 0
++EOF
++],0,ignore,[A rectangle with rounded corners, but zero corner radius at line 11 - convert to a rectangle.
++])
++AT_CLEANUP
++
+ AT_SETUP([fail on a malformed arc-box])
+ AT_KEYWORDS(read.c malformed arc-box)
+ AT_CHECK([fig2dev -L pict2e <<EOF
diff -Nru fig2dev-3.2.8b/debian/patches/series fig2dev-3.2.8b/debian/patches/series
--- fig2dev-3.2.8b/debian/patches/series	2022-09-20 15:24:07.000000000 +0000
+++ fig2dev-3.2.8b/debian/patches/series	2025-03-28 21:51:19.000000000 +0000
@@ -7,3 +7,6 @@
 35_pict2e_output.patch
 36_arrowhead.patch
 37_arrow2point.patch
+38_CVE-2025-31162.patch
+39_CVE-2025-31163.patch
+40_CVE-2025-31164.patch
diff -Nru fig2dev-3.2.8b/debian/salsa-ci.yml fig2dev-3.2.8b/debian/salsa-ci.yml
--- fig2dev-3.2.8b/debian/salsa-ci.yml	2022-09-20 15:24:07.000000000 +0000
+++ fig2dev-3.2.8b/debian/salsa-ci.yml	2025-03-28 21:51:19.000000000 +0000
@@ -1,3 +1,6 @@
 include:
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'bookworm'