Fix CVE-2023-46045

2024-02-02 14:27:13 +08:00 · 2024-02-02 14:27:13 +08:00 · 78d7271fa0
commit 78d7271fa0
parent 22783a7953
2 changed files with 57 additions and 2 deletions
--- a/CVE-2023-46045.patch
+++ b/CVE-2023-46045.patch
@ -0,0 +1,50 @@
+From 4becebe422e167358f4e57679d845932cc9f3a8a Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Fri, 2 Feb 2024 10:24:35 +0800
+Subject: [PATCH 1/1] Merge branch 'smattr/gitlab-2441' into 'main'
+
+gvc: detect plugin installation failure and display an error
+
+Closes #2441
+
+Origin:
+https://gitlab.com/graphviz/graphviz/-/commit/361f274ca901c3c476697a6404662d95f4dd43cb
+https://gitlab.com/graphviz/graphviz/-/commit/3f31704cafd7da3e86bb2861accf5e90c973e62a
+https://gitlab.com/graphviz/graphviz/-/commit/a95f977f5d809915ec4b14836d2b5b7f5e74881e
+---
+ lib/gvc/gvconfig.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/gvc/gvconfig.c b/lib/gvc/gvconfig.c
+index 06c3326..9d3f6fc 100644
+--- a/lib/gvc/gvconfig.c
+++ b/lib/gvc/gvconfig.c
+@@ -165,9 +165,8 @@ static char *token(int *nest, char **tokens)
+ 
+ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+ {
+-    char *path, *name, *api;
+    char *path, *name;
+     const char *type;
+-    api_t gv_api;
+     int quality, rc;
+     int nest = 0;
+     gvplugin_package_t *package;
+@@ -181,8 +180,12 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+ 	    name = "x";
+         package = gvplugin_package_record(gvc, path, name);
+ 	do {
+-	    api = token(&nest, &s);
+-	    gv_api = gvplugin_api(api);
+	    const char *api = token(&nest, &s);
+	    const api_t gv_api = gvplugin_api(api);
+	    if (gv_api == (api_t)-1) {
+		agerr(AGERR, "config error: %s %s not found\n", path, api);
+		return 0;
+	    }
+ 	    do {
+ 		if (nest == 2) {
+ 		    type = token(&nest, &s);
+-- 
+2.33.0
+
--- a/graphviz.spec
+++ b/graphviz.spec
@ -16,14 +16,16 @@

 Name:               graphviz
 Version:            2.44.0
-Release:            4
+Release:            5
 Summary:            Graph Visualization Tools
-License:            EPL
+License:            EPL-1.0
 URL:                http://www.graphviz.org/
 Source0:            https://gitlab.com/graphviz/graphviz/-/archive/%{version}/graphviz-%{version}.tar.gz

 Patch1:             graphviz-2.40.1-dotty-menu-fix.patch
 Patch6000:	    backport-CVE-2020-18032.patch
+# https://gitlab.com/graphviz/graphviz/-/commit/5d09f70d7f6b81eb891749895c2e6b81365ac234
+Patch6001:          CVE-2023-46045.patch

 BuildRequires:      ksh bison m4 flex ruby automake perl-Carp autoconf libtool qpdf ocaml urw-base35-fonts, perl-ExtUtils-Embed, perl-generators, librsvg2-devel swig >= 1.3.33
 BuildRequires:      zlib-devel libpng-devel libjpeg-devel expat-devel tk-devel fontconfig-devel libtool-ltdl-devel ruby-devel guile-devel freetype-devel >= 2 tcl-devel >= 8.3
@ -317,6 +319,9 @@ php --no-php-ini --define extension_dir=$RPM_BUILD_ROOT%{_libdir}/graphviz/php/


 %changelog
+* Fri Feb 02 2024 yaoxin <yao_xin001@hoperun.com> - 2.44.0-5
+- Fix CVE-2023-46045
+
 * Wed Nov 08 2023 Ge Wang <wang__ge@126.com> - 2.44.0-4
 - Type:bugfix
  ID:NA