1

2021-12-27 18:17:14 +08:00 · 2021-12-27 18:17:14 +08:00 · 7a1a5f386e
commit 7a1a5f386e
parent ba697ad26c
4 changed files with 71 additions and 71 deletions
--- a/backport-CVE-2020-18032.patch
+++ b/backport-CVE-2020-18032.patch
@ -1,40 +0,0 @@
 From 784411ca3655c80da0f6025ab20634b2a6ff696b Mon Sep 17 00:00:00 2001
 From: Matthew Fernandez <matthew.fernandez@gmail.com>
 Date: Sat, 25 Jul 2020 19:31:01 -0700
 Subject: [PATCH] fix: out-of-bounds write on invalid label
 When the label for a node cannot be parsed (due to it being malformed), it falls
 back on the symbol name of the node itself. I.e. the default label the node
 would have had if it had no label attribute at all. However, this is applied by
 dynamically altering the node's label to "\N", a shortcut for the symbol name of
 the node. All of this is fine, however if the hand written label itself is
 shorter than the literal string "\N", not enough memory would have been
 allocated to write "\N" into the label text.
 Here we account for the possibility of error during label parsing, and assume
 that the label text may need to be overwritten with "\N" after the fact. Fixes
 issue #1700.
 ---
 lib/common/shapes.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/lib/common/shapes.c b/lib/common/shapes.c
 index 0a0635fc3..9dca9ba6e 100644
 --- a/lib/common/shapes.c
 +++ b/lib/common/shapes.c
@@ -3546,9 +3546,10 @@ static void record_init(node_t * n)
     reclblp = ND_label(n)->text;
     len = strlen(reclblp);
     /* For some forgotten reason, an empty label is parsed into a space, so
 -     * we need at least two bytes in textbuf.
 +     * we need at least two bytes in textbuf, as well as accounting for the
 +     * error path involving "\\N" below.
      */
 -    len = MAX(len, 1);
 +    len = MAX(MAX(len, 1), (int)strlen("\\N"));
     textbuf = N_NEW(len + 1, char);
     if (!(info = parse_reclbl(n, flip, TRUE, textbuf))) {
 	agerr(AGERR, "bad label format %s\n", ND_label(n)->text);
 -- 
 GitLab
--- a/backport-graphviz-2.48.0-gvpack-neato-static.patch
+++ b/backport-graphviz-2.48.0-gvpack-neato-static.patch
@ -0,0 +1,15 @@
 diff --git a/cmd/tools/Makefile.am b/cmd/tools/Makefile.am
 index 4978fea..9fbe2e2 100644
 --- a/cmd/tools/Makefile.am
 +++ b/cmd/tools/Makefile.am
@@ -249,7 +249,9 @@ gvpack_LDADD = \
 	$(top_builddir)/lib/ingraphs/libingraphs_C.la \
 	$(top_builddir)/lib/cgraph/libcgraph.la \
 	$(top_builddir)/lib/cdt/libcdt.la \
 -	$(top_builddir)/plugin/neato_layout/libgvplugin_neato_layout.la
 +	$(top_builddir)/plugin/neato_layout/libgvplugin_neato_layout_C.la \
 +	$(top_builddir)/lib/pathplan/libpathplan_C.la \
 +		$(EXPAT_LIBS) $(Z_LIBS) $(GTS_LIBS) $(SOCKET_LIBS) $(IPSEPCOLA_LIBS) $(MATH_LIBS)
 # add a non-existent C++ source to force the C++ compiler to be used for
 # linking, so the C++ standard library is included for our C++ dependencies
--- a/graphviz-2.48.0.tar.gz
+++ b/graphviz-2.48.0.tar.gz
--- a/graphviz.spec
+++ b/graphviz.spec
@ -6,28 +6,26 @@
 %global ini_name     40-%{name}.ini
 %endif
 %global pluginsver 6
 %global php_extdir %(php-config --extension-dir 2>/dev/null || echo %{_libdir}/php4)
 Name:               graphviz
-Version:            2.44.1
+Version:            2.48.0
-Release:            4
+Release:            1
 Summary:            Graph Visualization Tools
-License:            EPL
+License:            EPL-1.0
 URL:                http://www.graphviz.org/
 Source0:            https://gitlab.com/graphviz/graphviz/-/archive/%{version}/graphviz-%{version}.tar.gz
-Patch6000:          backport-CVE-2020-18032.patch
+Patch6000:          backport-graphviz-2.48.0-gvpack-neato-static.patch
 BuildRequires:      gcc-g++
 BuildRequires:      ksh bison m4 flex ruby automake perl-Carp autoconf libtool qpdf ocaml urw-base35-fonts, perl-ExtUtils-Embed, perl-generators, librsvg2-devel swig >= 1.3.33
 BuildRequires:      zlib-devel libpng-devel libjpeg-devel expat-devel tk-devel fontconfig-devel libtool-ltdl-devel ruby-devel guile-devel freetype-devel >= 2 tcl-devel >= 8.3
 BuildRequires:      python3-devel libXaw-devel libSM-devel libXext-devel java-devel pango-devel gmp-devel lua-devel gtk2-devel cairo-devel >= 1.1.10
-BuildRequires:      ghostscript libgs-devel gd-devel perl-devel
+BuildRequires:      ghostscript libgs-devel gd-devel perl-devel chrpath
 %if %{with php}
 BuildRequires:      php-devel
@ -36,10 +34,8 @@ BuildRequires:      php-devel
 Requires:           urw-base35-fonts xorg-x11-fonts-ISO8859-1-100dpi guile glibc
 Requires(post):     glibc
 Requires(postun):   glibc
-
+Provides:           %{name}-guile
-Provides:           %{name}-gd %{name}-graphs %{name}-guile
+Obsoletes:          %{name}-guile
 Obsoletes:          %{name}-gd %{name}-graphs %{name}-guile
 %description
 Graphviz is open source graph visualization software. Graph visualization is a way of representing structural
@ -60,6 +56,29 @@ Summary: Documentation files for graphviz
 %description docs
 The docs package contains documentation files.
 %package gd
 Summary:		Graphviz plugin for renderers based on gd
 Requires:		%{name} = %{version}-%{release}
 Requires(post):		%{_bindir}/dot /sbin/ldconfig
 Requires(postun):	%{_bindir}/dot /sbin/ldconfig
 %description gd
 Graphviz plugin for renderers based on gd.  (Unless you absolutely have to use
 GIF, you are recommended to use the PNG format instead because of the better
 quality anti-aliased lines provided by the cairo+pango based renderer.)
 %package graphs
 Summary:		Demo graphs for graphviz
 %description graphs
 Some demo graphs for graphviz.
 %package guile
 Summary:		Guile extension for graphviz
 Requires:		%{name} = %{version}-%{release} guile
 %description guile
 Guile extension for graphviz.
 %package java
 Summary:             Java extension for graphviz
@ -82,7 +101,6 @@ Requires:            %{name} = %{version}-%{release} ocaml
 %description ocaml
 Ocaml extension for graphviz.
 %package perl
 Summary:             Perl extension for graphviz
 Requires:            %{name} = %{version}-%{release} perl
@ -93,14 +111,11 @@ Perl extension for graphviz.
 %package ruby
 Summary:             Ruby extension for graphviz
 Requires:            %{name} = %{version}-%{release} ruby
 %description ruby
 Ruby extension for graphviz.
 %package tcl
 Summary:             Tcl extension & tools for graphviz
 Requires:            %{name} = %{version}-%{release} tcl >= 8.3 tk
 %description tcl
 Various tcl packages (extensions) for the graphviz tools.
@ -117,13 +132,11 @@ PHP extension for graphviz.
 %package python3
 Summary:             Python 3 extension for graphviz
 Requires:            %{name} = %{version}-%{release}
-Provides:            python3dist(gv) = %{version} python%{python3_version}dist(gv) = %{version}
+Provides:            python3dist(gv) = %{version}   %{python3_version}dist(gv) = %{version}
 %description python3
 Python 3 extension for graphviz.
 %prep
 %autosetup -n graphviz-%{version} -p1
@ -143,13 +156,17 @@ export CPPFLAGS=-I`ruby -e "puts File.join(RbConfig::CONFIG['includedir'], RbCon
        --without-lasi --without-gts --disable-sharp --without-ming \
        --disable-r  --without-devil  --without-qt
 # drop rpath
 sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
 sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 make %{?_smp_mflags} CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -fno-strict-overflow %{?FFSTORE}" \
  CXXFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -fno-strict-overflow %{?FFSTORE}" \
  PYTHON_INCLUDES=`python3-config --includes` PYTHON_LIBS=`python3-config --libs` \
  PYTHON_INSTALL_DIR=%{python3_sitearch} PYTHON=%{__python3}
 %install
 rm -rf %{buildroot}
 make DESTDIR=%{buildroot} \
 	docdir=%{buildroot}%{_docdir}/%{name} \
 	pkgconfigdir=%{_libdir}/pkgconfig \
@ -167,7 +184,6 @@ extension=gv.so
 __EOF__
 %endif
 find $RPM_BUILD_ROOT%{_datadir}/%{name}/demo -type f -exec chmod a-x {} ';'
 chmod -x $RPM_BUILD_ROOT%{_datadir}/%{name}/lefty/*
@ -180,6 +196,9 @@ popd
 rm -rf $RPM_BUILD_ROOT%{_libdir}/graphviz/python
 chrpath -d $RPM_BUILD_ROOT%{_bindir}/gvpack
 mkdir -p $RPM_BUILD_ROOT/etc/ld.so.conf.d
 echo "%{_libdir}/graphviz" > $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 touch $RPM_BUILD_ROOT%{_libdir}/graphviz/config%{pluginsver}
 %check
@ -193,46 +212,42 @@ php --no-php-ini --define extension_dir=$RPM_BUILD_ROOT%{_libdir}/graphviz/php/
 %preun
 %post
 /sbin/ldconfig
 %{_bindir}/dot -c
 %postun -p /sbin/ldconfig
 %files
 %defattr(-,root,root)
 %doc README
 %{_bindir}/*
 %dir %{_libdir}/graphviz
 %{_libdir}/*.so.*
 %{_libdir}/graphviz/*.so.*
 %{_libdir}/graphviz/guile/
 %dir %{_datadir}/graphviz
 %{_datadir}/graphviz/
 %ghost %{_libdir}/graphviz/config%{pluginsver}
 %exclude %{_bindir}/dot_builtins
 %config(noreplace) /etc/ld.so.conf.d/*
 %if %{with php}
 %files php
-%config(noreplace) %{_sysconfdir}/php.d/%{ini_name}
+%config(noreplace) 
 %{_sysconfdir}/php.d/%{ini_name}
 %{_libdir}/graphviz/php/
 %{php_extdir}/gv.so
 %{_datadir}/php*/*
 %endif
-
+%exclude %{_libdir}/graphviz/*/*
 %exclude %{_libdir}/graphviz/libgvplugin_gd.*
 %files  devel
 %{_includedir}/graphviz
 %{_libdir}/*.so
 %{_libdir}/graphviz/*.so
 %{_libdir}/pkgconfig/*.pc
 %files docs
 %defattr(644,root,root)
 %doc %{_datadir}/%{name}/doc
@ -240,6 +255,15 @@ php --no-php-ini --define extension_dir=$RPM_BUILD_ROOT%{_libdir}/graphviz/php/
 %{_mandir}/man1/*
 %{_mandir}/man3/*
 %{_mandir}/man7/*
 %files gd
 %{_libdir}/graphviz/libgvplugin_gd.so.*
 %files graphs
 %dir %{_datadir}/graphviz
 %{_datadir}/graphviz/graphs
 %files guile
 %{_libdir}/graphviz/guile/
 %files java
 %{_libdir}/graphviz/java/
@ -267,9 +291,10 @@ php --no-php-ini --define extension_dir=$RPM_BUILD_ROOT%{_libdir}/graphviz/php/
 %{_libdir}/graphviz/tcl/
 %{_libdir}/tcl*/*
 %changelog
 * Wed Dec 15 2021 wuchaochao <wuchaochao4@huawei.com> - 2.48.0-1
 - update version to 2.48.0
 * Wed May 26 2021 liuyumeng <liuyumeng5@huawei.com> -2.44.1-4
 - Add a BuildRequires for gcc-g++