diff --git a/backport-CVE-2020-18032.patch b/backport-CVE-2020-18032.patch
deleted file mode 100644
index b3b0ab98892d49bb9a531f8e17285e4eff31a652..0000000000000000000000000000000000000000
--- a/backport-CVE-2020-18032.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 784411ca3655c80da0f6025ab20634b2a6ff696b Mon Sep 17 00:00:00 2001
-From: Matthew Fernandez
-Date: Sat, 25 Jul 2020 19:31:01 -0700
-Subject: [PATCH] fix: out-of-bounds write on invalid label
-
-When the label for a node cannot be parsed (due to it being malformed), it falls
-back on the symbol name of the node itself. I.e. the default label the node
-would have had if it had no label attribute at all. However, this is applied by
-dynamically altering the node's label to "\N", a shortcut for the symbol name of
-the node. All of this is fine, however if the hand written label itself is
-shorter than the literal string "\N", not enough memory would have been
-allocated to write "\N" into the label text.
-
-Here we account for the possibility of error during label parsing, and assume
-that the label text may need to be overwritten with "\N" after the fact. Fixes
-issue #1700.
----
- lib/common/shapes.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/lib/common/shapes.c b/lib/common/shapes.c
-index 0a0635fc3..9dca9ba6e 100644
---- a/lib/common/shapes.c
-+++ b/lib/common/shapes.c
-@@ -3546,9 +3546,10 @@ static void record_init(node_t * n)
- reclblp = ND_label(n)->text;
- len = strlen(reclblp);
- /* For some forgotten reason, an empty label is parsed into a space, so
-- * we need at least two bytes in textbuf.
-+ * we need at least two bytes in textbuf, as well as accounting for the
-+ * error path involving "\\N" below.
- */
-- len = MAX(len, 1);
-+ len = MAX(MAX(len, 1), (int)strlen("\\N"));
- textbuf = N_NEW(len + 1, char);
- if (!(info = parse_reclbl(n, flip, TRUE, textbuf))) {
- agerr(AGERR, "bad label format %s\n", ND_label(n)->text);
---
-GitLab
-
diff --git a/backport-graphviz-2.48.0-gvpack-neato-static.patch b/backport-graphviz-2.48.0-gvpack-neato-static.patch
new file mode 100644
index 0000000000000000000000000000000000000000..857a7334987601bc031607fa04f3653385f41d9b
--- /dev/null
+++ b/backport-graphviz-2.48.0-gvpack-neato-static.patch
@@ -0,0 +1,15 @@
+diff --git a/cmd/tools/Makefile.am b/cmd/tools/Makefile.am
+index 4978fea..9fbe2e2 100644
+--- a/cmd/tools/Makefile.am
++++ b/cmd/tools/Makefile.am
+@@ -249,7 +249,9 @@ gvpack_LDADD = \
+ $(top_builddir)/lib/ingraphs/libingraphs_C.la \
+ $(top_builddir)/lib/cgraph/libcgraph.la \
+ $(top_builddir)/lib/cdt/libcdt.la \
+- $(top_builddir)/plugin/neato_layout/libgvplugin_neato_layout.la
++ $(top_builddir)/plugin/neato_layout/libgvplugin_neato_layout_C.la \
++ $(top_builddir)/lib/pathplan/libpathplan_C.la \
++ $(EXPAT_LIBS) $(Z_LIBS) $(GTS_LIBS) $(SOCKET_LIBS) $(IPSEPCOLA_LIBS) $(MATH_LIBS)
+
+ # add a non-existent C++ source to force the C++ compiler to be used for
+ # linking, so the C++ standard library is included for our C++ dependencies
diff --git a/graphviz-2.44.1.tar.gz b/graphviz-2.48.0.tar.gz
similarity index 70%
rename from graphviz-2.44.1.tar.gz
rename to graphviz-2.48.0.tar.gz
index 0b04ce6d8871fc39d74c423c9e317be9de1cfd63..24605e100fbcadb9da7c2fe538aedeae035441a4 100644
Binary files a/graphviz-2.44.1.tar.gz and b/graphviz-2.48.0.tar.gz differ
diff --git a/graphviz.spec b/graphviz.spec
index 163339eaa306e4c34018ed33a137af431b2f46b1..a17a75004094fe014e3cb7f1c1dc7eecb551963f 100644
--- a/graphviz.spec
+++ b/graphviz.spec
@@ -6,28 +6,26 @@ %global ini_name 40-%{name}.ini %endif - %global pluginsver 6 - %global php_extdir %(php-config --extension-dir 2>/dev/null || echo %{_libdir}/php4) Name: graphviz -Version: 2.44.1 -Release: 4 +Version: 2.48.0 +Release: 1 Summary: Graph Visualization Tools -License: EPL +License: EPL-1.0 URL: http://www.graphviz.org/ Source0: https://gitlab.com/graphviz/graphviz/-/archive/%{version}/graphviz-%{version}.tar.gz -Patch6000: backport-CVE-2020-18032.patch +Patch6000: backport-graphviz-2.48.0-gvpack-neato-static.patch BuildRequires: gcc-g++ BuildRequires: ksh bison m4 flex ruby automake perl-Carp autoconf libtool qpdf ocaml urw-base35-fonts, perl-ExtUtils-Embed, perl-generators, librsvg2-devel swig >= 1.3.33 BuildRequires: zlib-devel libpng-devel libjpeg-devel expat-devel tk-devel fontconfig-devel libtool-ltdl-devel ruby-devel guile-devel freetype-devel >= 2 tcl-devel >= 8.3 BuildRequires: python3-devel libXaw-devel libSM-devel libXext-devel java-devel pango-devel gmp-devel lua-devel gtk2-devel cairo-devel >= 1.1.10 -BuildRequires: ghostscript libgs-devel gd-devel perl-devel +BuildRequires: ghostscript libgs-devel gd-devel perl-devel chrpath %if %{with php} BuildRequires: php-devel @@ -36,10 +34,8 @@ BuildRequires: php-devel Requires: urw-base35-fonts xorg-x11-fonts-ISO8859-1-100dpi guile glibc Requires(post): glibc Requires(postun): glibc - -Provides: %{name}-gd %{name}-graphs %{name}-guile -Obsoletes: %{name}-gd %{name}-graphs %{name}-guile - +Provides: %{name}-guile +Obsoletes: %{name}-guile %description Graphviz is open source graph visualization software. Graph visualization is a way of representing structural 
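Review bot: The main package keeps `Provides: %{name}-guile` and an unversioned `Obsoletes: %{name}-guile`, yet a later hunk of this commit adds a real `%package guile` built from the same spec. A package that obsoletes its own subpackage normally leads the depsolver to drop or refuse `graphviz-guile`, so these two lines should be removed along with the `-gd` and `-graphs` entries this hunk already drops. Separately, `Patch6000` now points at a different patch while backport-CVE-2020-18032.patch is deleted. Presumably the 2.48.0 tarball already contains that fix, and the `%changelog` entry should record it, for example `- drop backport-CVE-2020-18032.patch, fixed upstream`, so CVE tracking keeps the trail.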
@@ -60,6 +56,29 @@ Summary: Documentation files for graphviz %description docs The docs package contains documentation files. +%package gd +Summary: Graphviz plugin for renderers based on gd +Requires: %{name} = %{version}-%{release} +Requires(post): %{_bindir}/dot /sbin/ldconfig +Requires(postun): %{_bindir}/dot /sbin/ldconfig + +%description gd +Graphviz plugin for renderers based on gd. (Unless you absolutely have to use +GIF, you are recommended to use the PNG format instead because of the better +quality anti-aliased lines provided by the cairo+pango based renderer.) + +%package graphs +Summary: Demo graphs for graphviz + +%description graphs +Some demo graphs for graphviz. + +%package guile +Summary: Guile extension for graphviz +Requires: %{name} = %{version}-%{release} guile + +%description guile +Guile extension for graphviz. %package java Summary: Java extension for graphviz @@ -82,7 +101,6 @@ Requires: %{name} = %{version}-%{release} ocaml %description ocaml Ocaml extension for graphviz. - %package perl Summary: Perl extension for graphviz Requires: %{name} = %{version}-%{release} perl @@ -93,14 +111,11 @@ Perl extension for graphviz. %package ruby Summary: Ruby extension for graphviz Requires: %{name} = %{version}-%{release} ruby - %description ruby Ruby extension for graphviz. - %package tcl Summary: Tcl extension & tools for graphviz Requires: %{name} = %{version}-%{release} tcl >= 8.3 tk - %description tcl Various tcl packages (extensions) for the graphviz tools. @@ -117,13 +132,11 @@ PHP extension for graphviz. %package python3 Summary: Python 3 extension for graphviz Requires: %{name} = %{version}-%{release} -Provides: python3dist(gv) = %{version} python%{python3_version}dist(gv) = %{version} +Provides: python3dist(gv) = %{version} %{python3_version}dist(gv) = %{version} %description python3 Python 3 extension for graphviz. - - %prep %autosetup -n graphviz-%{version} -p1 
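Review bot: The rewritten `Provides:` line in `%package python3` (last hunk on this line) loses the `python` prefix on its second capability, so `%{python3_version}dist(gv)` expands to a name that starts with the bare version number. That is not the `python3.Xdist(...)` form other packages would require, so the versioned provide effectively disappears. Restore the removed form: `Provides: python3dist(gv) = %{version} python%{python3_version}dist(gv) = %{version}`.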
@@ -142,14 +155,18 @@ export CPPFLAGS=-I`ruby -e "puts File.join(RbConfig::CONFIG['includedir'], RbCon --with-gdk-pixbuf --with-visio --disable-silent-rules \ --without-lasi --without-gts --disable-sharp --without-ming \ --disable-r --without-devil --without-qt + +# drop rpath +sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool +sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool make %{?_smp_mflags} CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -fno-strict-overflow %{?FFSTORE}" \ CXXFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -fno-strict-overflow %{?FFSTORE}" \ PYTHON_INCLUDES=`python3-config --includes` PYTHON_LIBS=`python3-config --libs` \ PYTHON_INSTALL_DIR=%{python3_sitearch} PYTHON=%{__python3} - %install +rm -rf %{buildroot} make DESTDIR=%{buildroot} \ docdir=%{buildroot}%{_docdir}/%{name} \ pkgconfigdir=%{_libdir}/pkgconfig \ @@ -167,7 +184,6 @@ extension=gv.so __EOF__ %endif - find $RPM_BUILD_ROOT%{_datadir}/%{name}/demo -type f -exec chmod a-x {} ';' chmod -x $RPM_BUILD_ROOT%{_datadir}/%{name}/lefty/* @@ -180,6 +196,9 @@ popd rm -rf $RPM_BUILD_ROOT%{_libdir}/graphviz/python +chrpath -d $RPM_BUILD_ROOT%{_bindir}/gvpack +mkdir -p $RPM_BUILD_ROOT/etc/ld.so.conf.d +echo "%{_libdir}/graphviz" > $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf touch $RPM_BUILD_ROOT%{_libdir}/graphviz/config%{pluginsver} %check 
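Review bot: The last hunk on this line writes the linker drop-in under a hard-coded `/etc` and gives no reason for putting `%{_libdir}/graphviz` on the system-wide library search path, which every dynamically linked program then consults. Use `mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/ld.so.conf.d` and `echo "%{_libdir}/graphviz" > $RPM_BUILD_ROOT%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf`, with a comment such as `# rpath is stripped above, so the plugin directory is registered with ldconfig instead`. The matching `%files` entry in a later hunk is the glob `/etc/ld.so.conf.d/*`; naming the single file there keeps the package from claiming unrelated drop-ins. `chrpath -d` is applied only to `gvpack`, so it would help to confirm that the `sed` edits to `libtool` in the first hunk leave no RPATH in the other installed binaries and libraries.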
@@ -193,46 +212,42 @@ php --no-php-ini --define extension_dir=$RPM_BUILD_ROOT%{_libdir}/graphviz/php/ %preun - %post /sbin/ldconfig %{_bindir}/dot -c %postun -p /sbin/ldconfig - %files %defattr(-,root,root) %doc README - %{_bindir}/* %dir %{_libdir}/graphviz %{_libdir}/*.so.* %{_libdir}/graphviz/*.so.* %{_libdir}/graphviz/guile/ - %dir %{_datadir}/graphviz %{_datadir}/graphviz/ %ghost %{_libdir}/graphviz/config%{pluginsver} - %exclude %{_bindir}/dot_builtins +%config(noreplace) /etc/ld.so.conf.d/* %if %{with php} %files php -%config(noreplace) %{_sysconfdir}/php.d/%{ini_name} +%config(noreplace) +%{_sysconfdir}/php.d/%{ini_name} %{_libdir}/graphviz/php/ %{php_extdir}/gv.so %{_datadir}/php*/* %endif - +%exclude %{_libdir}/graphviz/*/* +%exclude %{_libdir}/graphviz/libgvplugin_gd.* %files devel %{_includedir}/graphviz %{_libdir}/*.so %{_libdir}/graphviz/*.so %{_libdir}/pkgconfig/*.pc - - %files docs %defattr(644,root,root) %doc %{_datadir}/%{name}/doc @@ -240,6 +255,15 @@ php --no-php-ini --define extension_dir=$RPM_BUILD_ROOT%{_libdir}/graphviz/php/ %{_mandir}/man1/* %{_mandir}/man3/* %{_mandir}/man7/* +%files gd +%{_libdir}/graphviz/libgvplugin_gd.so.* + +%files graphs +%dir %{_datadir}/graphviz +%{_datadir}/graphviz/graphs + +%files guile +%{_libdir}/graphviz/guile/ %files java %{_libdir}/graphviz/java/ @@ -267,9 +291,10 @@ php --no-php-ini --define extension_dir=$RPM_BUILD_ROOT%{_libdir}/graphviz/php/ %{_libdir}/graphviz/tcl/ %{_libdir}/tcl*/* - - %changelog +* Wed Dec 15 2021 wuchaochao - 2.48.0-1 +- update version to 2.48.0 + * Wed May 26 2021 liuyumeng -2.44.1-4 - Add a BuildRequires for gcc-g++
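Review bot: In `%files php` the `%config(noreplace)` attribute and its path now sit on separate lines, so the ini file is most likely no longer packaged as a no-replace config file, and rpm may reject the attribute-only line outright. Keep them together as `%config(noreplace) %{_sysconfdir}/php.d/%{ini_name}`. The two `%exclude` lines added after `%endif` attach to whichever `%files` section precedes them: `%files php` when the php bcond is on, the main `%files` otherwise. Moving them directly under the main `%files` list makes the result independent of the bcond.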
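Review bot: The new `%files graphs` and `%files guile` sections (second hunk on this line) list paths that the main `%files` section still claims through its unchanged `%{_datadir}/graphviz/` and `%{_libdir}/graphviz/guile/` entries. As written, `%{_datadir}/graphviz/graphs` ends up owned by both `graphviz` and `graphviz-graphs`, and the guile directory is separated only if the `%exclude %{_libdir}/graphviz/*/*` line happens to land in the main section. Add `%exclude %{_datadir}/graphviz/graphs` to the main list and drop `%{_libdir}/graphviz/guile/` from it so each file has one owner.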