-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 04 Oct 2021 09:30:34 +0200
Source: fig2dev
Architecture: source
Version: 1:3.2.6a-2+deb9u4
Distribution: stretch-security
Urgency: high
Maintainer: Roland Rosenfeld <roland@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Changes:
 fig2dev (1:3.2.6a-2+deb9u4) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Drop 41_CVE-2019-19555.patch and 32_fill-style-overflow.patch.
     These issues are fixed by the patch for CVE-2020-21534 now.
   * Refresh 31_input_sanitizing.patch.
   * Fix CVE-2019-19797: read_colordef in read.c in fig2dev has an
     out-of-bounds write.
   * Fix CVE-2020-21529: fig2dev contains a stack buffer overflow in the
     bezier_spline function in genepic.c.
   * Fix CVE-2020-21530: fig2dev contains a segmentation fault in the
     read_objects function in read.c.
   * Fix CVE-2020-21531: fig2dev contains a global buffer overflow in the
     conv_pattern_index function in gencgm.c.
   * Fix CVE-2020-21532: fig2dev contains a global buffer overflow in the
     setfigfont function in genepic.c.
   * Fix CVE-2020-21533: fig2dev contains a stack buffer overflow in the
     read_textobject function in read.c.
   * Fix CVE-2020-21534: fig2dev contains a global buffer overflow in the
     get_line function in read.c.
   * Fix CVE-2020-21535: fig2dev contains a segmentation fault in the
     gencgm_start function in gencgm.c.
   * Fix CVE-2020-21675: A stack-based buffer overflow in the genptk_text
     component in genptk.c of fig2dev allows attackers to cause a denial of
     service (DOS) via converting a xfig file into ptk format.
   * Fix CVE-2021-3561: An Out of Bounds flaw was found in fig2dev. A flawed
     bounds check in read_objects() could allow an attacker to provide a
     crafted malicious input causing the application to either crash or in
     some cases cause memory corruption. The highest threat from this
     vulnerability is to integrity as well as system availability.
   * Fix CVE-2021-32280: An issue was discovered in fig2dev. A NULL pointer
     dereference exists in the function compute_closed_spline() located in
     trans_spline.c. It allows an attacker to cause a Denial of Service.
Checksums-Sha1:
 ef1faf4782e6fc52637812d11cc896f55e48dfb4 2227 fig2dev_3.2.6a-2+deb9u4.dsc
 e09145435f3306010eb006f9d7e118fccf77cd2b 507820 fig2dev_3.2.6a.orig.tar.xz
 007383ae17fa44f2e66d5048d1f2973a32dacd67 226664 fig2dev_3.2.6a-2+deb9u4.debian.tar.xz
 92135339412cd6dcffa85ca7a17e24a00afadda0 6837 fig2dev_3.2.6a-2+deb9u4_source.buildinfo
Checksums-Sha256:
 f784d4e0fce7fda2d0e6732fa74628ae599e0726930b25eb604bc230299f05cb 2227 fig2dev_3.2.6a-2+deb9u4.dsc
 5e61a3d9a4f83db4b3199ee82dd54bb65b544369f1e8e38a2606c44cf71667a7 507820 fig2dev_3.2.6a.orig.tar.xz
 4917c0996ffaecc2a2130011e61f90576a5d2e3acad51748a630ed213f67dbe3 226664 fig2dev_3.2.6a-2+deb9u4.debian.tar.xz
 e47f0e44cd2324f110b49613fcddb3d1d916f90848bce5d4a7616753714ce496 6837 fig2dev_3.2.6a-2+deb9u4_source.buildinfo
Files:
 ee5550b607daf86112a421435143df27 2227 graphics optional fig2dev_3.2.6a-2+deb9u4.dsc
 f795a492cd9fa6d9abe0e11e581946f9 507820 graphics optional fig2dev_3.2.6a.orig.tar.xz
 a3c4cb56b38895133df1acdb2debaa19 226664 graphics optional fig2dev_3.2.6a-2+deb9u4.debian.tar.xz
 237b927fed6b722b0b209b095ea367d8 6837 graphics optional fig2dev_3.2.6a-2+deb9u4_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmFatWVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1Hkou0P/09aheoJydFQXifwbVlzhXGBHxlK3udWWns3
7zTjsjwUtJOF24ppO5frt6Ba/kw8Ah9B/SpziGpn/fL09zWDuBOEUEGeNXyvbY3b
LAujSmkbOBR0s+H60Ovg4oHUrxC9DPlOGeBBT1ElKuMj/iqvSOoMQvdtiGN+/e9Q
O8fTRFnX3Eqq4wWUVNs9bauDoRmXvmxZ4udITaWJll3TH0sl59YD2Ry9gcAAGl/7
OvNQWZCCGZcLoM8qxxF9q9M8+d2E5Uk0bGIqMyOi5uZzW8M4CAOLZjz54TaVKZKC
CKGZ1/NU9UgSpguZgP/8xS/+gfBVcAvGt8rLalGYrvxccepqZaW1VfzWTdrIGKdg
IH5fTlvNxczJ2Zd6tcxl82d4g35yW+uLfT6bxW2wS2vfwWm9hef/uGeV2k2D0lkc
YLTUPbB0VstRsTq2GRZOx4CWCHpUJCfbzu8QRGhPwWrR9CbWxXb+jHzwegWMHAFE
WJHKcY6dHNCOshMuWU0l5V+mIxX78axn/bH2A9+60iaPvirBSm4mK1/ncgJjPA2S
qqut0phape97nBsmxRanW0/aCR+n9i2T6Y1wYCFmxbJGL0VTPXCoZY0UpR1vSIUL
FgE8tWjJB3daNT8qStlNCyNoYyjg0Lmv5xDbmEUcAX+uPPekWHopBTsvZ5R8pi6V
meSXQb1N
=sL7b
-----END PGP SIGNATURE-----