From 4839e5338e2503e91f87051cb8c5a40245968d8e Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Oct 05 2021 22:46:19 +0000 Subject: import graphviz-2.40.1-43.el8 --- diff --git a/SOURCES/graphviz-2.40.1-CVE-2020-18032.patch b/SOURCES/graphviz-2.40.1-CVE-2020-18032.patch new file mode 100644 index 0000000..9332d1b --- /dev/null +++ b/SOURCES/graphviz-2.40.1-CVE-2020-18032.patch @@ -0,0 +1,17 @@ +diff --git a/lib/common/shapes.c b/lib/common/shapes.c +index 61e4fe1..8d18502 100644 +--- a/lib/common/shapes.c ++++ b/lib/common/shapes.c +@@ -3545,9 +3545,10 @@ static void record_init(node_t * n) + reclblp = ND_label(n)->text; + len = strlen(reclblp); + /* For some forgotten reason, an empty label is parsed into a space, so +- * we need at least two bytes in textbuf. ++ * we need at least two bytes in textbuf, as well as accounting for the ++ * error path involving "\\N" below. + */ +- len = MAX(len, 1); ++ len = MAX(MAX(len, 1), (int)strlen("\\N")); + textbuf = N_NEW(len + 1, char); + if (!(info = parse_reclbl(n, flip, TRUE, textbuf))) { + agerr(AGERR, "bad label format %s\n", ND_label(n)->text); diff --git a/SOURCES/graphviz-2.40.1-makefile-docs-fix.patch b/SOURCES/graphviz-2.40.1-makefile-docs-fix.patch new file mode 100644 index 0000000..fa72531 --- /dev/null +++ b/SOURCES/graphviz-2.40.1-makefile-docs-fix.patch @@ -0,0 +1,16 @@ +diff --git a/tclpkg/gv/Makefile.am b/tclpkg/gv/Makefile.am +index 0b0b1f1..d42bf57 100644 +--- a/tclpkg/gv/Makefile.am ++++ b/tclpkg/gv/Makefile.am +@@ -451,7 +451,10 @@ pdf = gv.3sharp.pdf gv.3go.pdf gv.3guile.pdf gv.3io.pdf gv.3java.pdf gv.3lua.pdf + gv.3ruby.pdf gv.3tcl.pdf + + +-$(man): gv.i gv_doc_writer.tcl gv_doc_template.tcl gv_doc_langs.tcl ++$(man): gv_doc_writer.intermediate ; ++ ++.INTERMEDIATE: gv_doc_writer.intermediate ++gv_doc_writer.intermediate: gv.i gv_doc_writer.tcl gv_doc_template.tcl gv_doc_langs.tcl + $(TCLSH) $(srcdir)/gv_doc_writer.tcl "$(srcdir)" + + gv.3sharp.pdf: gv.3sharp diff --git a/SPECS/graphviz.spec b/SPECS/graphviz.spec index de7bec5..cdd9f53 100644 --- a/SPECS/graphviz.spec +++ b/SPECS/graphviz.spec @@ -61,7 +61,7 @@ Name: graphviz Summary: Graph Visualization Tools Version: 2.40.1 -Release: 40%{?dist} +Release: 43%{?dist} License: EPL-1.0 URL: http://www.graphviz.org/ # A bit hacking needed due to: https://gitlab.com/graphviz/graphviz/issues/1371 @@ -73,6 +73,8 @@ Patch2: graphviz-2.40.1-CVE-2018-10196.patch # rhbz#1505230 Patch3: graphviz-2.40.1-dotty-menu-fix.patch Patch4: graphviz-2.40.1-coverity-scan-fixes.patch +Patch5: graphviz-2.40.1-CVE-2020-18032.patch +Patch6: graphviz-2.40.1-makefile-docs-fix.patch BuildRequires: zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2 BuildRequires: ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig BuildRequires: fontconfig-devel, libtool-ltdl-devel, ruby-devel, ruby, guile-devel @@ -289,6 +291,8 @@ Various tcl packages (extensions) for the graphviz tools. %patch2 -p1 -b .CVE-2018-10196 %patch3 -p1 -b .dotty-menu-fix %patch4 -p1 -b .coverity-scan-fixes +%patch5 -p1 -b .CVE-2020-18032 +%patch6 -p1 -b .makefile-docs-fix # Attempt to fix rpmlint warnings about executable sources find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';' @@ -608,6 +612,18 @@ php --no-php-ini \ %{_mandir}/man3/*.3tcl* %changelog +* Tue Jun 8 2021 Jaroslav Škarvada - 2.40.1-43 +- Fixed races during pdf documentation build which should build docs correctly + Related: CVE-2020-18032 + +* Tue Jun 8 2021 Jaroslav Škarvada - 2.40.1-42 +- Rebuilt, because pdf documentation were built incorrectly + Related: CVE-2020-18032 + +* Tue Jun 8 2021 Jaroslav Škarvada - 2.40.1-41 +- Fixed buffer overflow in lib/common/shapes.c + Resolves: CVE-2020-18032 + * Fri Nov 1 2019 Jaroslav Škarvada - 2.40.1-40 - Release bump for releasing graphviz-python3 in CRB Resolves: rhbz#1704875