From 63202d58783432b6fd5d9d637e239f52f6ab790c Mon Sep 17 00:00:00 2001
From: Denis Silakov
Date: Sat, 23 Mar 2019 20:35:42 +0300
Subject: [PATCH] Updated to 2.40.1 + fix for CVE-2018-10196
---
 .abf.yml | 4 ++-
 graphviz-2.30.1-linkage.patch | 48 ----------------------------
 graphviz-2.30.1-pkgconfig.patch | 10 ------
 graphviz-2.38.0-lua-5.3.patch | 11 ------
 graphviz-2.40.1-CVE-2018-10196.patch | 16 ++++++++++
 graphviz-2.40.1-link.patch | 33 +++++++++++++++++++
 graphviz.spec | 28 +++++++++++-----
 7 files changed, 72 insertions(+), 78 deletions(-)
 delete mode 100644 graphviz-2.30.1-linkage.patch
 delete mode 100644 graphviz-2.30.1-pkgconfig.patch
 delete mode 100644 graphviz-2.38.0-lua-5.3.patch
 create mode 100644 graphviz-2.40.1-CVE-2018-10196.patch
 create mode 100644 graphviz-2.40.1-link.patch
diff --git a/.abf.yml b/.abf.yml
index 1a97c02..4e49d43 100644
--- a/.abf.yml
+++ b/.abf.yml
@@ -1,2 +1,4 @@
-sources:
+removed_sources:
 graphviz-2.38.0.tar.gz: 053c771278909160916ca5464a0a98ebf034c6ef
+sources:
+ graphviz-2.40.1.tar.gz: 8a44d19bcdb50df1bd8e649de472ebf868468888
diff --git a/graphviz-2.30.1-linkage.patch b/graphviz-2.30.1-linkage.patch
deleted file mode 100644
index 7748002..0000000
--- a/graphviz-2.30.1-linkage.patch
+++ /dev/null
@@ -1,48 +0,0 @@
---- cmd/dot/Makefile.in.orig 2013-02-23 11:26:50.729883499 +0000
-+++ cmd/dot/Makefile.in 2013-02-23 11:28:44.263888094 +0000
-@@ -70,8 +70,8 @@
- @WITH_LIBGD_TRUE@am__append_5 = $(top_builddir)/plugin/gd/libgvplugin_gd.la $(GD_LIBS)
- @WITH_PANGOCAIRO_TRUE@@WITH_WEBP_TRUE@am__append_6 = $(top_builddir)/plugin/webp/.libs/libgvplugin_webp_C.a $(WEBP_LIBS)
- @WITH_PANGOCAIRO_TRUE@@WITH_WEBP_TRUE@am__append_7 = $(top_builddir)/plugin/webp/libgvplugin_webp.la $(WEBP_LIBS)
--@WITH_PANGOCAIRO_TRUE@am__append_8 = $(top_builddir)/plugin/pango/.libs/libgvplugin_pango_C.a $(PANGOCAIRO_LIBS)
--@WITH_PANGOCAIRO_TRUE@am__append_9 = $(top_builddir)/plugin/pango/libgvplugin_pango.la $(PANGOCAIRO_LIBS)
-+@WITH_PANGOCAIRO_TRUE@am__append_8 = $(top_builddir)/plugin/pango/.libs/libgvplugin_pango_C.a $(PANGOCAIRO_LIBS) $(PANGOFT2_LIBS)
-+@WITH_PANGOCAIRO_TRUE@am__append_9 = $(top_builddir)/plugin/pango/libgvplugin_pango.la $(PANGOCAIRO_LIBS) $(PANGOFT2_LIBS)
- @WITH_PANGOCAIRO_TRUE@@WITH_WEBP_TRUE@am__append_10 = $(top_builddir)/plugin/webp/.libs/libgvplugin_webp_C.a $(WEBP_LIBS)
- @WITH_PANGOCAIRO_TRUE@@WITH_WEBP_TRUE@am__append_11 = $(top_builddir)/plugin/webp/libgvplugin_webp.la $(WEBP_LIBS)
- @WITH_LASI_TRUE@am__append_12 = $(top_builddir)/plugin/lasi/.libs/libgvplugin_lasi_C.a \
---- cmd/dot/Makefile.am.orig 2013-02-23 11:26:45.574883291 +0000
-+++ cmd/dot/Makefile.am 2013-02-23 11:27:51.231885948 +0000
-@@ -117,8 +117,8 @@
- dot_static_LDADD += $(top_builddir)/plugin/webp/.libs/libgvplugin_webp_C.a $(WEBP_LIBS)
- dot_builtins_LDADD += $(top_builddir)/plugin/webp/libgvplugin_webp.la $(WEBP_LIBS)
- endif
--dot_static_LDADD += $(top_builddir)/plugin/pango/.libs/libgvplugin_pango_C.a $(PANGOCAIRO_LIBS)
--dot_builtins_LDADD += $(top_builddir)/plugin/pango/libgvplugin_pango.la $(PANGOCAIRO_LIBS)
-+dot_static_LDADD += $(top_builddir)/plugin/pango/.libs/libgvplugin_pango_C.a $(PANGOCAIRO_LIBS) $(PANGOFT2_LIBS)
-+dot_builtins_LDADD += $(top_builddir)/plugin/pango/libgvplugin_pango.la $(PANGOCAIRO_LIBS) $(PANGOFT2_LIBS)
- if WITH_WEBP
- dot_static_LDADD += $(top_builddir)/plugin/webp/.libs/libgvplugin_webp_C.a $(WEBP_LIBS)
- dot_builtins_LDADD += $(top_builddir)/plugin/webp/libgvplugin_webp.la $(WEBP_LIBS)
---- plugin/gtk/Makefile.am.orig 2013-02-23 11:25:20.238879837 +0000
-+++ plugin/gtk/Makefile.am 2013-02-23 11:25:40.256880647 +0000
-@@ -37,7 +37,7 @@
- 
- libgvplugin_gtk_la_LDFLAGS = -version-info @GVPLUGIN_VERSION_INFO@
- libgvplugin_gtk_la_SOURCES = $(libgvplugin_gtk_C_la_SOURCES)
--libgvplugin_gtk_la_LIBADD = $(GTK_LIBS)
-+libgvplugin_gtk_la_LIBADD = $(GTK_LIBS) -lX11
- 
- if WITH_WIN32
- libgvplugin_gtk_la_LDFLAGS += -no-undefined
---- plugin/gtk/Makefile.in.orig 2013-02-23 11:25:47.896880957 +0000
-+++ plugin/gtk/Makefile.in 2013-02-23 11:26:20.128882261 +0000
-@@ -535,7 +535,7 @@
- libgvplugin_gtk_la_LDFLAGS = -version-info @GVPLUGIN_VERSION_INFO@ \
- $(am__append_1) $(am__append_2)
- libgvplugin_gtk_la_SOURCES = $(libgvplugin_gtk_C_la_SOURCES)
--libgvplugin_gtk_la_LIBADD = $(GTK_LIBS)
-+libgvplugin_gtk_la_LIBADD = $(GTK_LIBS) -lX11
- EXTRA_DIST = gtk.glade gtk.gladep
- all: all-am
- 
diff --git a/graphviz-2.30.1-pkgconfig.patch b/graphviz-2.30.1-pkgconfig.patch
deleted file mode 100644
index 73812b6..0000000
--- a/graphviz-2.30.1-pkgconfig.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- lib/gvc/libgvc.pc.in.orig 2013-02-23 20:09:24.352375169 +0000
-+++ lib/gvc/libgvc.pc.in 2013-02-23 20:09:33.643375545 +0000
-@@ -7,6 +7,6 @@
- Name: libgvc
- Description: The GraphVizContext library
- Version: @VERSION@
--Libs: -L${libdir} -lgvc -lgraph -lcdt
-+Libs: -L${libdir} -lgvc -lcgraph -lcdt
- Cflags: -I${includedir}
- 
diff --git a/graphviz-2.38.0-lua-5.3.patch b/graphviz-2.38.0-lua-5.3.patch
deleted file mode 100644
index a17f9c1..0000000
--- a/graphviz-2.38.0-lua-5.3.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- graphviz-2.38.0/configure.ac.orig 2016-05-15 19:27:52.204176821 +0200
-+++ graphviz-2.38.0/configure.ac 2016-05-15 19:28:14.198171673 +0200
-@@ -928,7 +928,7 @@
- if test "x$ac_found_lua_header" = "xyes" -a "x$ac_found_liblua_header" = "xyes"; then
- LUA_INCLUDES="$CFLAGS"
- fi
-- for l in "$lua_suffix" "" "52" "5.2" "51" "5.1" "50" "5.0" ; do
-+ for l in "$lua_suffix" "" "53" "5.3" "52" "5.2" "51" "5.1" "50" "5.0" ; do
- AC_CHECK_LIB(lua$l,lua_call,ac_found_lua_lib="yes",ac_found_lua_lib="no")
- if test "x$ac_found_lua_lib" = "xyes" ; then
- LUA_VERSION=">=5.1.0"
diff --git a/graphviz-2.40.1-CVE-2018-10196.patch b/graphviz-2.40.1-CVE-2018-10196.patch
new file mode 100644
index 0000000..7b7587b
--- /dev/null
+++ b/graphviz-2.40.1-CVE-2018-10196.patch
@@ -0,0 +1,16 @@
+diff --git a/lib/dotgen/conc.c b/lib/dotgen/conc.c
+--- a/lib/dotgen/conc.c
++++ b/lib/dotgen/conc.c
+@@ -159,7 +159,11 @@ static void rebuild_vlists(graph_t * g)
+ 
+ for (r = GD_minrank(g); r <= GD_maxrank(g); r++) {
+ lead = GD_rankleader(g)[r];
+- if (GD_rank(dot_root(g))[r].v[ND_order(lead)] != lead) {
++ if (lead == NULL) {
++ agerr(AGERR, "rebuiltd_vlists: lead is null for rank %d\n", r);
++ longjmp(jbuf, 1);
++ }
++ else if (GD_rank(dot_root(g))[r].v[ND_order(lead)] != lead) {
+ agerr(AGERR, "rebuiltd_vlists: rank lead %s not in order %d of rank %d\n",
+ agnameof(lead), ND_order(lead), r);
+ longjmp(jbuf, 1);
diff --git a/graphviz-2.40.1-link.patch b/graphviz-2.40.1-link.patch
new file mode 100644
index 0000000..7c29a50
--- /dev/null
+++ b/graphviz-2.40.1-link.patch
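Review bot: The new graphviz-2.40.1-CVE-2018-10196.patch starts directly at `diff --git a/lib/dotgen/conc.c` with no preamble saying where the fix was taken from, so the packaged change cannot be checked against the upstream fix for CVE-2018-10196 or confidently dropped at the next rebase. A line above the diff such as `Origin: <upstream commit or issue URL>` would record that. The added `lead == NULL` guard covers the `ND_order(lead)` dereference in this loop; rebuild_vlists continues outside the hunk, so other uses of the rank leader are not visible here and are worth comparing with upstream.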
@@ -0,0 +1,33 @@ +--- a/plugin/gtk/Makefile.am~ 2013-02-14 21:27:39.000000000 +0800 ++++ b/plugin/gtk/Makefile.am 2013-05-27 11:22:45.127287033 +0800 +@@ -37,7 +37,7 @@ + + libgvplugin_gtk_la_LDFLAGS = -version-info @GVPLUGIN_VERSION_INFO@ + libgvplugin_gtk_la_SOURCES = $(libgvplugin_gtk_C_la_SOURCES) +-libgvplugin_gtk_la_LIBADD = $(GTK_LIBS) ++libgvplugin_gtk_la_LIBADD = $(GTK_LIBS) -lX11 + + if WITH_WIN32 + libgvplugin_gtk_la_LDFLAGS += -no-undefined +--- ./configure.ac.orig 2017-10-08 11:55:15.622878825 +0300 ++++ ./configure.ac 2017-10-08 11:56:08.642875683 +0300 +@@ -2775,7 +2775,7 @@ if test "x$use_gd" = "x"; then + AC_MSG_WARN(Optional GD library not available) + use_gd="No (library not found)" + with_libgd="no" +- ], $GD_LIBS) ++ ], $GDLIB_LIBS) + fi + LDFLAGS=$save_LDFLAGS + CPPFLAGS=$save_CPPFLAGS +--- ./tclpkg/tcldot/Makefile.am.orig 2017-10-08 11:55:28.973374397 +0300 ++++ ./tclpkg/tcldot/Makefile.am 2017-10-08 11:55:43.072841696 +0300 +@@ -97,7 +97,7 @@ endif + + if WITH_LIBGD + libtcldot_builtin_la_LIBADD += $(top_builddir)/plugin/gd/libgvplugin_gd_C.la +-libtcldot_builtin_la_LIBADD += $(GD_LIBS) ++libtcldot_builtin_la_LIBADD += $(GDLIB_LIBS) + endif + + libtcldot_builtin_la_LIBADD += $(EXPAT_LIBS) $(LIBGEN_LIBS) $(SOCKET_LIBS) $(IPSEPCOLA_LIBS) $(MATH_LIBS) diff --git a/graphviz.spec b/graphviz.spec index ec15d4e..7248d51 100644 --- a/graphviz.spec +++ b/graphviz.spec @@ -10,6 +10,7 @@ %define cdt_major 5 %define cgraph_major 6 +%define gamut_major 1 %define gvc_major 6 %define gvpr_major 2 %define pathplan_major 4 @@ -17,6 +18,7 @@ %define lib_cdt %mklibname cdt %{cdt_major} %define lib_cgraph %mklibname cgraph %{cgraph_major} +%define lib_gamut %mklibname lab_gamut %{gamut_major} %define lib_gvc %mklibname gvc %{gvc_major} %define lib_gvpr %mklibname gvpr %{gvpr_major} %define lib_pathplan %mklibname pathplan %{pathplan_major} 
@@ -30,15 +32,14 @@ Summary: Graph visualization tools Name: graphviz -Version: 2.38.0 -Release: 9 +Version: 2.40.1 +Release: 1 License: Common Public License Group: Graphics Url: http://www.graphviz.org Source0: http://www.graphviz.org/pub/graphviz/ARCHIVE/%{name}-%{version}.tar.gz -Patch0: graphviz-2.30.1-linkage.patch -Patch1: graphviz-2.30.1-pkgconfig.patch -Patch2: graphviz-2.38.0-lua-5.3.patch +Patch0: graphviz-2.40.1-link.patch +Patch1: graphviz-2.40.1-CVE-2018-10196.patch BuildRequires: bison BuildRequires: flex BuildRequires: libtool @@ -125,6 +126,18 @@ This package provides the cgraph shared library for %{name}. #------------------------------------------------------------------------- +%package -n %{lib_gamut} +Group: System/Libraries +Summary: Shared library for %{name} + +%description -n %{lib_gamut} +This package provides the lib_gamut shared library for %{name}. + +%files -n %{lib_gamut} +%{_libdir}/liblab_gamut.so.%{gamut_major}* + +#------------------------------------------------------------------------- + %package -n %{lib_gvc} Summary: Shared library for %{name} Group: System/Libraries @@ -364,9 +377,8 @@ Static development package for %{name}. %prep %setup -q -%patch0 -p0 -b .link~ -%patch2 -p1 -b .lua~ -sed -i s,"ruby-1.9","ruby-2.1",g configure.ac +%patch0 -p1 -b .link~ +%patch1 -p1 -b .cve~ %build autoreconf -fi
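Review bot: In the `@@ -125,6 +126,18 @@` hunk the new `%{lib_gamut}` description names a "lib_gamut shared library", but the `%files` line packages `liblab_gamut.so.%{gamut_major}*`; `This package provides the lab_gamut shared library for %{name}.` would match the soname and the `%mklibname lab_gamut` define. The block also puts `Group:` before `Summary:`, the reverse of the `%{lib_gvc}` block that follows it. The devel package's dependency list is outside the hunks shown, so whether it requires `%{lib_gamut}` cannot be confirmed from here.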