diff --git a/CVE-2019-11023.patch b/CVE-2019-11023.patch new file mode 100644 index 0000000..325348a --- /dev/null +++ b/CVE-2019-11023.patch @@ -0,0 +1,131 @@ +From 839085f8026afd6f6920a0c31ad2a9d880d97932 Mon Sep 17 00:00:00 2001 +From: Stephen C North +Date: Tue, 9 Apr 2019 12:38:23 -0400 +Subject: [PATCH] attempted fix for null pointer deference on malformed input + +--- + cmd/tools/graphml2gv.c | 36 +++++++++++++++++++++--------------- + lib/cgraph/grammar.y | 8 ++++++++ + lib/cgraph/obj.c | 2 ++ + 3 files changed, 31 insertions(+), 15 deletions(-) + +diff --git a/cmd/tools/graphml2gv.c b/cmd/tools/graphml2gv.c +index f4798089e..b9fc9730c 100644 +--- a/cmd/tools/graphml2gv.c ++++ b/cmd/tools/graphml2gv.c +@@ -468,8 +468,10 @@ startElementHandler(void *userData, const char *name, const char **atts) + if (pos > 0) { + const char *attrname; + attrname = atts[pos]; +- +- bind_node(attrname); ++ if (G == 0) ++ fprintf(stderr,"node %s outside graph, ignored\n",attrname); ++ else ++ bind_node(attrname); + + pushString(&ud->elements, attrname); + } +@@ -495,21 +497,25 @@ startElementHandler(void *userData, const char *name, const char **atts) + if (tname) + head = tname; + +- bind_edge(tail, head); ++ if (G == 0) ++ fprintf(stderr,"edge source %s target %s outside graph, ignored\n",(char*)tail,(char*)head); ++ else { ++ bind_edge(tail, head); + +- t = AGTAIL(E); +- tname = agnameof(t); ++ t = AGTAIL(E); ++ tname = agnameof(t); + +- if (strcmp(tname, tail) == 0) { +- ud->edgeinverted = FALSE; +- } else if (strcmp(tname, head) == 0) { +- ud->edgeinverted = TRUE; +- } ++ if (strcmp(tname, tail) == 0) { ++ ud->edgeinverted = FALSE; ++ } else if (strcmp(tname, head) == 0) { ++ ud->edgeinverted = TRUE; ++ } + +- pos = get_xml_attr("id", atts); +- if (pos > 0) { +- setEdgeAttr(E, GRAPHML_ID, (char *) atts[pos], ud); +- } ++ pos = get_xml_attr("id", atts); ++ if (pos > 0) { ++ setEdgeAttr(E, GRAPHML_ID, (char *) atts[pos], ud); ++ } ++ } + } else { + /* must be some extension */ + fprintf(stderr, +@@ -530,7 +536,7 @@ static void endElementHandler(void *userData, const char *name) + char *ele_name = topString(ud->elements); + if (ud->closedElementType == TAG_GRAPH) { + Agnode_t *node = agnode(root, ele_name, 0); +- agdelete(root, node); ++ if (node) agdelete(root, node); + } + popString(&ud->elements); + Current_class = TAG_GRAPH; +diff --git a/lib/cgraph/grammar.y b/lib/cgraph/grammar.y +index 90aa27387..127a7241a 100644 +--- a/lib/cgraph/grammar.y ++++ b/lib/cgraph/grammar.y +@@ -22,6 +22,7 @@ extern void yyerror(char *); /* gets mapped to aagerror, see below */ + #endif + + static char Key[] = "key"; ++static int SubgraphDepth = 0; + + typedef union s { /* possible items in generic list */ + Agnode_t *n; +@@ -542,6 +543,7 @@ static void startgraph(char *name, int directed, int strict) + static Agdesc_t req; /* get rid of warnings */ + + if (G == NILgraph) { ++ SubgraphDepth = 0; + req.directed = directed; + req.strict = strict; + req.maingraph = TRUE; +@@ -562,6 +564,11 @@ static void endgraph() + + static void opensubg(char *name) + { ++ if (++SubgraphDepth >= YYMAXDEPTH/2) { ++ char buf[128]; ++ sprintf(buf,"subgraphs nested more than %d deep",YYMAXDEPTH); ++ agerr(AGERR,buf); ++ } + S = push(S,agsubg(S->g,name,TRUE)); + agstrfree(G,name); + } +@@ -569,6 +576,7 @@ static void opensubg(char *name) + static void closesubg() + { + Agraph_t *subg = S->g; ++ --SubgraphDepth; + S = pop(S); + S->subg = subg; + assert(subg); +diff --git a/lib/cgraph/obj.c b/lib/cgraph/obj.c +index 7b1c8c101..709774e3d 100644 +--- a/lib/cgraph/obj.c ++++ b/lib/cgraph/obj.c +@@ -168,6 +168,8 @@ void agdelcb(Agraph_t * g, void *obj, Agcbstack_t * cbstack) + + Agraph_t *agroot(void* obj) + { ++ // fixes CVE-2019-11023 by moving the problem to the caller :-) ++ if (obj == 0) return NILgraph; + switch (AGTYPE(obj)) { + case AGINEDGE: + case AGOUTEDGE: +-- +2.21.0 + diff --git a/elimination-define-difference.patch b/elimination-define-difference.patch new file mode 100644 index 0000000..cc6d3ab --- /dev/null +++ b/elimination-define-difference.patch @@ -0,0 +1,32 @@ +/lib/sfio/features/sfio b/lib/sfio/features/sfio +--- a/lib/sfio/features/sfio 2018-01-01 00:00:00.000000000 +0000 ++++ b/lib/sfio/features/sfio 2018-01-01 00:00:00.000000000 +0000 +@@ -89,7 +89,7 @@ lib memchr note{ see if memchr is fast } + t2 = (etm2.tms_utime - stm2.tms_utime) + + (etm2.tms_stime - stm2.tms_stime); + +- return t1 < t2 ? 0 : 1; ++ return 1; + } + }end + +@@ -130,7 +130,7 @@ lib memccpy note{ see if memccpy is fast + t2 = (etm2.tms_utime - stm2.tms_utime) + + (etm2.tms_stime - stm2.tms_stime); + +- return t1 < t2 ? 0 : 1; ++ return 1; + } + }end + +@@ -260,10 +260,6 @@ tst output{ + + unlink(file); + +- if(4*mmtm <= 3*rdtm) /* mmap is great! */ +- printf("#define _mmap_worthy 2 \n"); +- else if(4*mmtm <= 5*rdtm) /* mmap is good */ +- printf("#define _mmap_worthy 1 \n"); + + return 0; + } diff --git a/graphviz-2.40.1-CVE-2018-10196.patch b/graphviz-2.40.1-CVE-2018-10196.patch new file mode 100644 index 0000000..7b7587b --- /dev/null +++ b/graphviz-2.40.1-CVE-2018-10196.patch @@ -0,0 +1,16 @@ +diff --git a/lib/dotgen/conc.c b/lib/dotgen/conc.c +--- a/lib/dotgen/conc.c ++++ b/lib/dotgen/conc.c +@@ -159,7 +159,11 @@ static void rebuild_vlists(graph_t * g) + + for (r = GD_minrank(g); r <= GD_maxrank(g); r++) { + lead = GD_rankleader(g)[r]; +- if (GD_rank(dot_root(g))[r].v[ND_order(lead)] != lead) { ++ if (lead == NULL) { ++ agerr(AGERR, "rebuiltd_vlists: lead is null for rank %d\n", r); ++ longjmp(jbuf, 1); ++ } ++ else if (GD_rank(dot_root(g))[r].v[ND_order(lead)] != lead) { + agerr(AGERR, "rebuiltd_vlists: rank lead %s not in order %d of rank %d\n", + agnameof(lead), ND_order(lead), r); + longjmp(jbuf, 1); diff --git a/graphviz-2.40.1-dotty-menu-fix.patch b/graphviz-2.40.1-dotty-menu-fix.patch new file mode 100644 index 0000000..8c5f34a --- /dev/null +++ b/graphviz-2.40.1-dotty-menu-fix.patch @@ -0,0 +1,22 @@ +diff --git a/cmd/dotty/dotty_ui.lefty b/cmd/dotty/dotty_ui.lefty +index a8c9116..a708c61 100644 +--- a/cmd/dotty/dotty_ui.lefty ++++ b/cmd/dotty/dotty_ui.lefty +@@ -342,7 +342,7 @@ dotty.protovt.normal.uifuncs = [ + else + gt.insertedge (gt, data.pobj, null, data.obj, null, null, 1); + }; +- 'rightdown' = function (data) { ++ 'rightup' = function (data) { + local vt, gt, menu, i; + + vt = dotty.views[data.widget]; +@@ -447,7 +447,7 @@ dotty.protovt.birdseye.uifuncs = [ + 'middledown' = dotty.protovt.normal.uifuncs.middledown; + 'middlemove' = dotty.protovt.normal.uifuncs.middlemove; + 'middleup' = dotty.protovt.normal.uifuncs.middleup; +- 'rightdown' = dotty.protovt.normal.uifuncs.rightdown; ++ 'rightup' = dotty.protovt.normal.uifuncs.rightup; + 'keyup' = dotty.protovt.normal.uifuncs.keyup; + 'redraw' = dotty.protovt.normal.uifuncs.redraw; + 'closeview' = dotty.protovt.normal.uifuncs.closeview; diff --git a/graphviz-2.40.1-python3.patch b/graphviz-2.40.1-python3.patch new file mode 100644 index 0000000..6e6c172 --- /dev/null +++ b/graphviz-2.40.1-python3.patch @@ -0,0 +1,58 @@ +diff --git a/config/config_python.py b/config/config_python.py +index b747045..2b1ac8d 100644 +--- a/config/config_python.py ++++ b/config/config_python.py +@@ -1,12 +1,13 @@ ++from __future__ import print_function ++ + import sys + from distutils import sysconfig + + if sys.argv[1] == "archlib": +- print sysconfig.get_python_lib(1,1) ++ print(sysconfig.get_python_lib(1,1)) + elif sys.argv[1] == "lib": +- print sysconfig.get_python_lib(0,1) ++ print(sysconfig.get_python_lib(0,1)) + elif sys.argv[1] == "archsitelib": +- print sysconfig.get_python_lib(1,0) ++ print(sysconfig.get_python_lib(1,0)) + elif sys.argv[1] == "sitelib": +- print sysconfig.get_python_lib(0,0) +- ++ print(sysconfig.get_python_lib(0,0)) +diff --git a/configure.ac b/configure.ac +index 51166c3..4d8c9a0 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1142,7 +1142,7 @@ else + if test `$SWIG -help 2>&1 | $EGREP -c '\-python *- Generate'` = 0; then + use_python="No (swig does not support -python option)" + else +- AC_CHECK_PROG(PYTHON,python,python) ++ AC_CHECK_PROGS(PYTHON,[python3 python]) + if test "x$PYTHON" = "x"; then + use_python="No (python not available)" + else +@@ -1167,8 +1167,11 @@ else + if test "x$PYTHON" = "x"; then + use_python="No (python is too old)" + else +- PYTHON_PREFIX=`$PYTHON -c "import sys; print sys.prefix"` ++ PYTHON_PREFIX=`$PYTHON -c "import sys; print(sys.prefix)"` + PYTHON_INCLUDES=-I$PYTHON_PREFIX/include/python$PYTHON_VERSION_SHORT ++ if test $PYTHON_VERSION_MAJOR -gt 2; then ++ PYTHON_INCLUDES="${PYTHON_INCLUDES}m" ++ fi + # PYTHON_LIBS="-lpython$PYTHON_VERSION_SHORT" + PYTHON_LIBS="-undefined dynamic_lookup" + PYTHON_INSTALL_DIR="`$PYTHON $srcdir/config/config_python.py archsitelib`" +@@ -1548,7 +1551,7 @@ else + if test "x$PYTHON34" = "x"; then + use_python34="No (python34 is too old)" + else +- PYTHON34_PREFIX=`$PYTHON3 -c "import sys; print sys.prefix"` ++ PYTHON34_PREFIX=`$PYTHON3 -c "import sys; print(sys.prefix)"` + # PYTHON34_INCLUDES=-I$PYTHON34_PREFIX/include/python$PYTHON34_VERSION_SHORT + # FIXME - whats the stupid "m" for? + PYTHON34_INCLUDES=-I/usr/include/python3.4m diff --git a/graphviz-2.40.1-visio.patch b/graphviz-2.40.1-visio.patch new file mode 100644 index 0000000..051d34c --- /dev/null +++ b/graphviz-2.40.1-visio.patch @@ -0,0 +1,25 @@ +diff --git a/plugin/visio/VisioGraphic.cpp b/plugin/visio/VisioGraphic.cpp +index 303eac0..14e377c 100644 +--- a/plugin/visio/VisioGraphic.cpp ++++ b/plugin/visio/VisioGraphic.cpp +@@ -29,6 +29,8 @@ + #define isfinite(x) finite(x) + #endif + ++#include ++ + #include "VisioGraphic.h" + + #include "gvcjob.h" +diff --git a/plugin/visio/VisioText.cpp b/plugin/visio/VisioText.cpp +index 635806c..3c6441a 100644 +--- a/plugin/visio/VisioText.cpp ++++ b/plugin/visio/VisioText.cpp +@@ -17,6 +17,7 @@ + + #include "gvcjob.h" + #include "gvio.h" ++#include + #include + + extern "C" char *xml_string(char* str); diff --git a/graphviz.spec b/graphviz.spec new file mode 100644 index 0000000..dacecf7 --- /dev/null +++ b/graphviz.spec @@ -0,0 +1,327 @@ +%bcond_with python2 +%bcond_with php + +%if "%{php_version}" < "5.6" +%global ini_name %{name}.ini +%else +%global ini_name 40-%{name}.ini +%endif + + +%global pluginsver 6 + +%global php_extdir %(php-config --extension-dir 2>/dev/null || echo %{_libdir}/php4) + + + +Name: graphviz +Version: 2.40.1 +Release: 38 +Summary: Graph Visualization Tools +License: EPL +URL: http://www.graphviz.org/ +Source0: https://gitlab.com/graphviz/graphviz/-/archive/stable_release_%{version}/graphviz.tar.gz + +Patch0: graphviz-2.40.1-visio.patch + +Patch1: graphviz-2.40.1-python3.patch + +Patch2: graphviz-2.40.1-CVE-2018-10196.patch +Patch3: graphviz-2.40.1-dotty-menu-fix.patch + +Patch6000: CVE-2019-11023.patch +Patch9000: elimination-define-difference.patch + +BuildRequires: ksh bison m4 flex ruby automake perl-Carp autoconf libtool qpdf ocaml urw-base35-fonts, perl-ExtUtils-Embed, perl-generators, librsvg2-devel swig >= 1.3.33 +BuildRequires: zlib-devel libpng-devel libjpeg-devel expat-devel tk-devel fontconfig-devel libtool-ltdl-devel ruby-devel guile-devel freetype-devel >= 2 tcl-devel >= 8.3 +BuildRequires: python3-devel libXaw-devel libSM-devel libXext-devel java-devel pango-devel gmp-devel lua-devel gtk2-devel cairo-devel >= 1.1.10 +BuildRequires: ghostscript libgs-devel gd-devel perl-devel + +%if %{with python2} +BuildRequires: python2-devel +%endif + +%if %{with php} +BuildRequires: php-devel +%endif + +Requires: urw-base35-fonts xorg-x11-fonts-ISO8859-1-100dpi guile glibc +Requires(post): glibc +Requires(postun): glibc + +Provides: %{name}-gd %{name}-graphs %{name}-guile +Obsoletes: %{name}-gd %{name}-graphs %{name}-guile + + +%description +Graphviz is open source graph visualization software. Graph visualization is a way of representing structural + information as diagrams of abstract graphs and networks. It has important applications in networking, bioinformatics, + software engineering, database and web design, machine learning, and in visual interfaces for other technical domains. + +%package devel +Summary: Development headers and libraries for interfacing to the graphviz +Requires: %{name} = %{version}-%{release} pkgconfig + +%description devel +Header files for using the graphviz libraries. The +libdhcpctl and libomapi static libraries are also included in this package. + +%package docs +Summary: Documentation files for graphviz + +%description docs +The docs package contains documentation files. + + +%package java +Summary: Java extension for graphviz +Requires: %{name} = %{version}-%{release} + +%description java +Java extension for graphviz. + +%package lua +Summary: Lua extension for graphviz +Requires: %{name} = %{version}-%{release} lua + +%description lua +Lua extension for graphviz. + +%package ocaml +Summary: Ocaml extension for graphviz +Requires: %{name} = %{version}-%{release} ocaml + +%description ocaml +Ocaml extension for graphviz. + + +%package perl +Summary: Perl extension for graphviz +Requires: %{name} = %{version}-%{release} perl + +%description perl +Perl extension for graphviz. + +%package ruby +Summary: Ruby extension for graphviz +Requires: %{name} = %{version}-%{release} ruby + +%description ruby +Ruby extension for graphviz. + +%package tcl +Summary: Tcl extension & tools for graphviz +Requires: %{name} = %{version}-%{release} tcl >= 8.3 tk + +%description tcl +Various tcl packages (extensions) for the graphviz tools. + + +%if %{with php} +%package php +Summary: PHP extension for graphviz +Requires: %{name} = %{version}-%{release} php-common php + +%description php +PHP extension for graphviz. +%endif + + +%if %{with python2} +%package python2 +Summary: Python extension for graphviz +Requires: %{name} = %{version}-%{release} +Provides: python2dist(gv) = %{version} python%{python2_version}dist(gv) = %{version} +Provides: %{name}-python = %{version}-%{release} %{name}-python% = %{version}-%{release} +Obsoletes: %{name}-python < 2.40.1-25 python2-%{name} < 2.40.1-25 + +%description python2 +Python extension for graphviz. +%endif + +%package python3 +Summary: Python 3 extension for graphviz +Requires: %{name} = %{version}-%{release} +Provides: python3dist(gv) = %{version} python%{python3_version}dist(gv) = %{version} + +%description python3 +Python 3 extension for graphviz. + + + +%prep +%autosetup -n graphviz-%{version} -p1 + +find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';' + +%build +./autogen.sh +sed -i '/JavaVM.framework/!s/JAVA_INCLUDES=/JAVA_INCLUDES=\"_MY_JAVA_INCLUDES_\"/g' configure +sed -i 's|_MY_JAVA_INCLUDES_|-I%{java_home}/include/ -I%{java_home}/include/linux/|g' configure +sed -i -e 's|expand(|expand(RbConfig::|' -e 's|sitearchdir|vendorarchdir|' config/config_ruby.rb + +export CPPFLAGS=-I`ruby -e "puts File.join(RbConfig::CONFIG['includedir'], RbConfig::CONFIG['sitearch'])" || echo /dev/null` + +%configure --with-x --disable-static --disable-dependency-tracking \ + --without-mylibgd --with-ipsepcola --with-pangocairo \ + --with-gdk-pixbuf --with-visio --disable-silent-rules \ + --without-lasi --without-gts --disable-sharp --without-ming \ + --disable-r --without-devil --without-qt + +%if %{with python2} +cp -a tclpkg/gv tclpkg/gv.python2 +%endif + +%make_build CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -fno-strict-overflow %{?FFSTORE}" \ + CXXFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -fno-strict-overflow %{?FFSTORE}" \ + PYTHON_INCLUDES=-I/usr/include/python%{python3_version}m PYTHON_LIBS="-lpython%{python3_version}m" \ + PYTHON_INSTALL_DIR=%{python3_sitearch} PYTHON=%{__python3} + +%if %{with python2} +cd tclpkg/gv.python2 +%make_build CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -fno-strict-overflow %{?FFSTORE}" \ + CXXFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -fno-strict-overflow %{?FFSTORE}" \ + PYTHON_INCLUDES=-I/usr/include/python%{python2_version} PYTHON_LIBS="-lpython%{python2_version}" \ + PYTHON_INSTALL_DIR=%{python2_sitearch} libgv_python.la +%endif + + + +%install +%make_install docdir=%{buildroot}%{_docdir}/%{name} \ + pkgconfigdir=%{_libdir}/pkgconfig PYTHON_LIBS="-lpython%{python3_version}m" \ + PYTHON_INSTALL_DIR=%{python3_sitearch} install + +%delete_la + +%if %{with php} +%{__mkdir_p} %{buildroot}%{_sysconfdir}/php.d +%{__cat} << __EOF__ > %{buildroot}%{_sysconfdir}/php.d/%{ini_name} +; Enable %{name} extension module +extension=gv.so +__EOF__ +%endif + + +find $RPM_BUILD_ROOT%{_datadir}/%{name}/demo -type f -exec chmod a-x {} ';' + +chmod -x $RPM_BUILD_ROOT%{_datadir}/%{name}/lefty/* + +%if %{with python2} +pushd tclpkg/gv.python2 +install -pD .libs/libgv_python.so $RPM_BUILD_ROOT%{python2_sitearch}/_gv.so +install -p gv.py $RPM_BUILD_ROOT%{python2_sitearch}/gv.py +popd +%endif + +# python 3 +pushd tclpkg/gv +install -pD .libs/libgv_python.so $RPM_BUILD_ROOT%{python3_sitearch}/_gv.so +install -p gv.py $RPM_BUILD_ROOT%{python3_sitearch}/gv.py +popd + +rm -rf $RPM_BUILD_ROOT%{_libdir}/graphviz/python + +touch $RPM_BUILD_ROOT%{_libdir}/graphviz/config%{pluginsver} + +%check +%if %{with php} +LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir} \ +php --no-php-ini --define extension_dir=$RPM_BUILD_ROOT%{_libdir}/graphviz/php/ \ + --define extension=libgv_php.so --modules | grep gv +%endif + +%pre + +%preun + + +%post +/sbin/ldconfig +%{_bindir}/dot -c + +%postun -p /sbin/ldconfig + + +%files +%defattr(-,root,root) +%doc README + +%{_bindir}/* +%dir %{_libdir}/graphviz +%{_libdir}/*.so.* +%{_libdir}/graphviz/*.so.* +%{_libdir}/graphviz/guile/ + +%dir %{_datadir}/graphviz +%{_datadir}/graphviz/ +%ghost %{_libdir}/graphviz/config%{pluginsver} + +%exclude %{_bindir}/dot_builtins + +%if %{with php} +%files php +%config(noreplace) %{_sysconfdir}/php.d/%{ini_name} +%{_libdir}/graphviz/php/ +%{php_extdir}/gv.so +%{_datadir}/php*/* +%endif + + +%files devel +%{_includedir}/graphviz +%{_libdir}/*.so +%{_libdir}/graphviz/*.so +%{_libdir}/pkgconfig/*.pc + + +%files docs +%defattr(644,root,root) +%doc %{_datadir}/%{name}/doc +%doc %{_datadir}/%{name}/demo +%doc %{_datadir}/%{name}/doc/pdf +%{_mandir}/man1/* +%{_mandir}/man3/* +%{_mandir}/man7/* + +%files java +%{_libdir}/graphviz/java/ + +%files lua +%{_libdir}/graphviz/lua/ +%{_libdir}/lua*/* + +%files ocaml +%{_libdir}/graphviz/ocaml/ + +%files perl +%{_libdir}/graphviz/perl/ +%{_libdir}/perl*/* + +%if %{with python2} +%files python2 +%{python2_sitearch}/* +%endif + +%files python3 +%{python3_sitearch}/* + +%files ruby +%{_libdir}/graphviz/ruby/ +%{_libdir}/*ruby*/* + +%files tcl +%{_libdir}/graphviz/tcl/ +%{_libdir}/tcl*/* + + + +%changelog +* Tue Dec 31 2019 openEuler Buildteam - 2.40.1-38 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:optimization the spec + +* Thu Sep 19 2019 hufeng - 2.40.1-37 +-Create spec diff --git a/graphviz.tar.gz b/graphviz.tar.gz new file mode 100644 index 0000000..2b75ff6 Binary files /dev/null and b/graphviz.tar.gz differ