Version in base suite: 3.2.8b-3 Base version: fig2dev_3.2.8b-3 Target version: fig2dev_3.2.8b-3+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/f/fig2dev/fig2dev_3.2.8b-3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/f/fig2dev/fig2dev_3.2.8b-3+deb12u1.dsc changelog | 8 +++++ patches/38_CVE-2025-31162.patch | 27 +++++++++++++++++ patches/39_CVE-2025-31163.patch | 62 ++++++++++++++++++++++++++++++++++++++++ patches/40_CVE-2025-31164.patch | 48 ++++++++++++++++++++++++++++++ patches/series | 3 + salsa-ci.yml | 3 + 6 files changed, 151 insertions(+)
diff -Nru fig2dev-3.2.8b/debian/changelog fig2dev-3.2.8b/debian/changelog
--- fig2dev-3.2.8b/debian/changelog 2022-09-20 15:24:07.000000000 +0000
+++ fig2dev-3.2.8b/debian/changelog 2025-03-28 21:51:19.000000000 +0000
@@ -1,3 +1,11 @@
+fig2dev (1:3.2.8b-3+deb12u1) bookworm; urgency=medium
+
+ * 38_CVE-2025-31162: Reject huge pattern lengths.
+ * 39_CVE-2025-31163: Reject arcs with co-incident points.
+ * 40_CVE-2025-31164: Allow an arc-box with zero radius.
+
+ -- Roland Rosenfeld Fri, 28 Mar 2025 22:51:19 +0100
+
 fig2dev (1:3.2.8b-3) unstable; urgency=medium
 
 [ Roland Rosenfeld ]
diff -Nru fig2dev-3.2.8b/debian/patches/38_CVE-2025-31162.patch fig2dev-3.2.8b/debian/patches/38_CVE-2025-31162.patch
--- fig2dev-3.2.8b/debian/patches/38_CVE-2025-31162.patch 1970-01-01 00:00:00.000000000 +0000
+++ fig2dev-3.2.8b/debian/patches/38_CVE-2025-31162.patch 2025-03-28 21:51:19.000000000 +0000
@@ -0,0 +1,27 @@
+From: Thomas Loimer
+Date: Wed, 22 Jan 2025 23:18:54 +0100
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/da8992f
+Bug: https://sourceforge.net/p/mcj/tickets/185/
+Forwarded: not-needed
+Subject: Reject huge pattern lengths, ticket #185
+ Reject patterned lines, e.g., dashed lines, where the pattern length exceeds
+ 80 inches.
+ This fixes CVE-2025-31162
+
+--- a/fig2dev/object.h
++++ b/fig2dev/object.h
+@@ -57,12 +57,13 @@ typedef struct f_comment {
+ struct f_comment *next;
+ } F_comment;
+
++#define STYLE_VAL_MAX 6400.0 /* dash length 80 inches, that is enough */
+ #define COMMON_PROPERTIES(o) \
+ o->style < SOLID_LINE || o->style > DASH_3_DOTS_LINE || \
+ o->thickness < 0 || o->depth < 0 || o->depth > 999 || \
+ o->fill_style < UNFILLED || \
+ o->fill_style >= NUMSHADES + NUMTINTS + NUMPATTERNS || \
+- o->style_val < 0.0
++ o->style_val < 0.0 || o->style_val > STYLE_VAL_MAX
+
+ typedef struct f_ellipse {
+ int type;
diff -Nru fig2dev-3.2.8b/debian/patches/39_CVE-2025-31163.patch fig2dev-3.2.8b/debian/patches/39_CVE-2025-31163.patch
--- fig2dev-3.2.8b/debian/patches/39_CVE-2025-31163.patch 1970-01-01 00:00:00.000000000 +0000
+++ fig2dev-3.2.8b/debian/patches/39_CVE-2025-31163.patch 2025-03-28 21:51:19.000000000 +0000
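Review bot: In 38_CVE-2025-31162.patch, the range check added to COMMON_PROPERTIES in object.h is written as two rejections, `o->style_val < 0.0 || o->style_val > STYLE_VAL_MAX`, and both comparisons are false for a NaN. If style_val is a floating-point field filled from the input file (the comparison with 0.0 suggests so, but its declaration and the reader are outside this hunk), a NaN dash length would still be accepted. Stating the accepted range positively closes that gap: `!(o->style_val >= 0.0 && o->style_val <= STYLE_VAL_MAX)`. Separately, the macro expands to a bare `||` chain with an unparenthesized `o`, so it is only safe inside a larger `||` expression; wrapping the expansion in parentheses would make that robust.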
@@ -0,0 +1,62 @@ +From: Thomas Loimer +Date: Wed, 22 Jan 2025 23:27:43 +0100 +Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/c8a87d2 +Bug: https://sourceforge.net/p/mcj/tickets/186/ +Forwarded: not-needed +Subject: Reject arcs with co-incident points, ticket #186 + This fixes CVE-2025-31163. + +--- a/fig2dev/object.h ++++ b/fig2dev/object.h +@@ -92,10 +92,10 @@ typedef struct f_ellipse { + struct f_ellipse *next; + } F_ellipse; + +-#define INVALID_ELLIPSE(e) \ ++#define INVALID_ELLIPSE(e) \ + e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA || \ +- COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \ +- e->radiuses.x == 0 || e->radiuses.y == 0 || \ ++ COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \ ++ e->radiuses.x == 0 || e->radiuses.y == 0 || \ + e->angle < -7. || e->angle > 7. + + typedef struct f_arc { +@@ -122,12 +122,16 @@ typedef struct f_arc { + struct f_arc *next; + } F_arc; + +-#define INVALID_ARC(a) \ ++#define COINCIDENT(a, b) (a.x == b.x && a.y == b.y) ++#define INVALID_ARC(a) \ + a->type < T_OPEN_ARC || a->type > T_PIE_WEDGE_ARC || \ + COMMON_PROPERTIES(a) || a->cap_style < 0 || a->cap_style > 2 || \ + a->center.x < COORD_MIN || a->center.x > COORD_MAX || \ + a->center.y < COORD_MIN || a->center.y > COORD_MAX || \ +- (a->direction != 0 && a->direction != 1) ++ (a->direction != 0 && a->direction != 1) || \ ++ COINCIDENT(a->point[0], a->point[1]) || \ ++ COINCIDENT(a->point[0], a->point[2]) || \ ++ COINCIDENT(a->point[1], a->point[2]) + + typedef struct f_line { + int type; +--- a/fig2dev/tests/read.at ++++ b/fig2dev/tests/read.at +@@ -223,6 +223,16 @@ EOF + ]) + AT_CLEANUP + ++AT_SETUP([reject arcs with coincident points, ticket #186]) ++AT_KEYWORDS(read.c arc) ++AT_CHECK([fig2dev -L pict2e < +Date: Tue, 21 Jan 2025 20:50:15 +0100 +Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/ff9aba2 +Forwarded: not-needed +Bug: https://sourceforge.net/p/mcj/tickets/184/ +Subject: Allow an arc-box 
with zero radius, ticket #184 + In the pict2e output, a rectangle with rounded corners, dashed line type and + zero corner-radius would cause a crash. Convert rectangles with rounded + corners and zero corner-radius to regular rectangles. + This fixes CVE-2025-31164. + +--- a/fig2dev/read.c ++++ b/fig2dev/read.c +@@ -960,6 +960,14 @@ sanitize_lineobject( + return 0; + } + ++ if (l->type == T_ARC_BOX && l->radius == 0) { ++ put_msg("A %s, but zero corner radius " ++ "at line %d - convert " ++ "to a rectangle.", ++ obj_name[l->type - 2], ++ line_no); ++ l->type = T_BOX; ++ } + if ((l->type == T_BOX || l->type == T_POLYGON || + l->type == T_ARC_BOX || l->type == T_PIC_BOX) && + l->points->next && l->points->next->next && +--- a/fig2dev/tests/read.at ++++ b/fig2dev/tests/read.at +@@ -109,6 +109,17 @@ EOF + ]) + AT_CLEANUP + ++AT_SETUP([convert an arc-box with zero radius to a box]) ++AT_KEYWORDS(read.c arc-box) ++AT_CHECK([fig2dev -L pict2e <