[AUTO-CHERRYPICK] graphviz: address CVE-2023-46045 & CVE-2020-18032 - branch main (#9129)

CBL-Mariner-Bot · mfrw · web-flow · commit ac45317296f2 · 2024-05-28T15:01:40.000-07:00
Co-authored-by: Muhammad Falak R Wani &lt;falakreyaz@gmail.com&gt;
diff --git a/SPECS/graphviz/CVE-2023-46045.patch b/SPECS/graphviz/CVE-2023-46045.patch
@@ -0,0 +1,34 @@
+From 197f3149a5753d6bc994a21b98a70c7f76f548b5 Mon Sep 17 00:00:00 2001
+From: Muhammad Falak R Wani <falakreyaz@gmail.com>
+Date: Tue, 14 May 2024 10:47:34 +0530
+Subject: [PATCH] gvc: detect plugin installation failure and display an error
+
+Gitlab: fixes #2441
+Reported-by: GJDuck
+
+Backported to v2.42.4 by @mfrw
+
+Signed-off-by: Matthew Fernandez <matthew.fernandez@gmail.com>
+Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
+---
+ lib/gvc/gvconfig.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/gvc/gvconfig.c b/lib/gvc/gvconfig.c
+index 59c4614..35c1b60 100644
+--- a/lib/gvc/gvconfig.c
++++ b/lib/gvc/gvconfig.c
+@@ -186,6 +186,10 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+ 	do {
+ 	    api = token(&nest, &s);
+ 	    gv_api = gvplugin_api(api);
++	    if (gv_api == (api_t)-1) {
++		agerr(AGERR, "config error: %s %s not found\n", path, api);
++		return 0;
++	    }
+ 	    do {
+ 		if (nest == 2) {
+ 		    type = token(&nest, &s);
+-- 
+2.40.1
+
diff --git a/SPECS/graphviz/graphviz.spec b/SPECS/graphviz/graphviz.spec
@@ -45,7 +45,7 @@
 Summary:        Graph Visualization Tools
 Name:           graphviz
 Version:        2.42.4
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        EPL-1.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -55,6 +55,7 @@ Source0:        https://gitlab.com/%{name}/%{name}/-/archive/%{version}/%{name}-
 Patch0:         graphviz-2.42.2-dotty-menu-fix.patch
 Patch1:         graphviz-2.42.2-coverity-scan-fixes.patch
 Patch2:         CVE-2020-18032.patch
+Patch3:         CVE-2023-46045.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bison
@@ -250,9 +251,7 @@ Requires:       tcl >= 8.3
 Various tcl packages (extensions) for the graphviz tools.
 
 %prep
-%setup -q
-%patch0 -p1 -b .dotty-menu-fix
-%patch1 -p1 -b .coverity-scan-fixes
+%autosetup -p1
 
 # Attempt to fix rpmlint warnings about executable sources
 find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';'
@@ -518,6 +517,10 @@ php --no-php-ini \
 %{_mandir}/man3/*.3tcl*
 
 %changelog
+* Tue May 14 2024 Muhammad Falak <mwani@microsoft.com> - 2.42.4-10
+- Switch to autosetup to actually address CVE-2020-18032
+- Address CVE-2023-46045
+
 * Wed Sep 20 2023 Jon Slobodzian <joslobo@microsoft.com> - 2.42.4-9
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)
 
diff --git a/SPECS/python-sphinx/python-sphinx.spec b/SPECS/python-sphinx/python-sphinx.spec
@@ -11,7 +11,7 @@
 Summary:        Python documentation generator
 Name:           python-sphinx
 Version:        4.4.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 # Unless otherwise noted, the license for code is BSD
 # sphinx/util/inspect.py has bits licensed with PSF license v2 (Python)
 # sphinx/themes/haiku/static/haiku.css_t has bits licensed with MIT
@@ -37,10 +37,27 @@ BuildRequires:  gettext
 BuildRequires:  graphviz
 BuildRequires:  python3-atomicwrites
 BuildRequires:  python3-attrs
+BuildRequires:  python3-babel
 BuildRequires:  python3-docutils
+BuildRequires:  python3-html5lib
+BuildRequires:  python3-imagesize
+BuildRequires:  python3-importlib-metadata
+BuildRequires:  python3-jinja2
+BuildRequires:  python3-more-itertools
+BuildRequires:  python3-packaging
 BuildRequires:  python3-pluggy
+BuildRequires:  python3-pygments
 BuildRequires:  python3-pytest
+BuildRequires:  python3-requests
 BuildRequires:  python3-six
+BuildRequires:  python3-snowballstemmer
+BuildRequires:  python3-sphinx-theme-alabaster
+BuildRequires:  python3-sphinxcontrib-applehelp
+BuildRequires:  python3-sphinxcontrib-devhelp
+BuildRequires:  python3-sphinxcontrib-htmlhelp
+BuildRequires:  python3-sphinxcontrib-jsmath
+BuildRequires:  python3-sphinxcontrib-qthelp
+BuildRequires:  python3-sphinxcontrib-serializinghtml
 BuildRequires:  python3-test
 BuildRequires:  texinfo
 
@@ -237,7 +254,7 @@ mkdir %{buildroot}%{python3_sitelib}/sphinxcontrib
   >> sphinx.lang
 
 %check
-pip3 install more-itertools
+pip3 install webencodings
 %pytest
 
 %files -n python%{python3_pkgversion}-sphinx -f sphinx.lang
@@ -252,6 +269,9 @@ pip3 install more-itertools
 %dir %{_datadir}/sphinx/locale/*
 
 %changelog
+* Tue May 14 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 4.4.0-3
+- Added test-time dependencies to unblock tests.
+
 * Fri Mar 25 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 4.4.0-2
 - Initial CBL-Mariner import from Fedora 36 (license: MIT).
 - Removing epoch.
