| Summary: | transfig new security issue CVE-2018-16140 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, marja11, shlomif, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | transfig-3.2.6a-1.mga7.src.rpm | CVE: | |
| Status comment: | Patch available from Ubuntu | ||
|
Description

David Walser
2018-09-07 19:06:00 CEST

Assigning to the registered maintainer.

CC: (none) => marja11
David Walser
2019-02-03 02:03:00 CET

Updated 3.2.7a package submitted to cauldron. Thanks Shlomi!

Patched package also uploaded for Mageia 6.

Advisory:
========================

Updated transfig package fixes security vulnerability:

It was discovered that transfig incorrectly handled certain FIG files. An attacker could possibly use this to execute arbitrary code (CVE-2018-16140).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16140
https://usn.ubuntu.com/3760-1/
========================

Updated packages in core/updates_testing:
========================
transfig-3.2.5d-9.2.mga6 from transfig-3.2.5d-9.2.mga6.src.rpm

Status comment: (none) => Patch available from Ubuntu
CC: (none) => shlomif

Mageia 6, x86_64

CVE-2018-16140 POC file at
https://github.com/SegfaultMasters/covering360/blob/master/fig2dev/Buffer_underflow_POC

```
$ fig2dev -L eepic Buffer_underflow_POC
Invalid color definition: , setting to black (#00000).
Invalid color definition: 0, setting to black (#00000).
Invalid color definition: 0, setting to black (#00000).
Cannot locate user color 100, using default color for line 13.
Incorrect format at line 14
```

Updated the package.

```
$ rpm -qa | grep transfig
transfig-3.2.5d-9.2.mga6
$ fig2dev -L eepic Buffer_underflow_POC
Incomplete resolution information at line 8
```

The update made a difference.

Found a .pic file at /usr/share/groff/1.22.3/pic/chem.pic and generated a makefile.

```
$ transfig -L gif -M Makefile chem.pic
$ cat Makefile
#
# TransFig makefile
#

all: chem.gif

# translation into gif

chem.gif: chem.fig Makefile
	fig2dev -L gif chem.fig chem.gif

clean::
	rm -f chem.gif

chem.fig: chem.pic Makefile
	pic2fig chem.pic > chem.fig

clean::
	rm -f chem.fig

$ make all
pic2fig chem.pic > chem.fig
/bin/sh: pic2fig: command not found
Makefile:15: recipe for target 'chem.fig' failed
make: *** [chem.fig] Error 127
```

It looks like pic2fig is not part of transfig - maybe in LaTeX somewhere? However, the Makefile is valid.

Found a fig file somewhere and converted that to a PNG.

```
$ fig2dev -L png shape.fig shape.png
$ file shape.png
shape.png: PNG image data, 640 x 293, 8-bit/color RGB, non-interlaced
```

This displayed as a line drawing with labels.

```
$ fig2dev -L eps shape.fig shape.ps
$ gs shape.ps
```

This showed an embedded PostScript document containing the original drawing.

The same file could also be converted to a valid PDF file

```
$ fig2dev -L pdf shape.fig shape.pdf
```

or a GIF

```
$ fig2dev -L gif shape.fig shape.gif
```

or a LaTeX document

```
$ fig2dev -L latex shape.fig shape.tex
Dash too small; using larger dash
Dash too small; using larger dash
$ cat shape.tex
\setlength{\unitlength}{3947sp}%
%
\begingroup\makeatletter\ifx\SetFigFont\undefined%
\gdef\SetFigFont#1#2#3#4#5{%
  \reset@font\fontsize{#1}{#2pt}%
  \fontfamily{#3}\fontseries{#4}\fontshape{#5}%
  \selectfont}%
\fi\endgroup%
\begin{picture}(7305,4401)(2911,-4603)
\thicklines
[...]
\put(8176,-361){\makebox(0,0)[b]{\smash{{\SetFigFont{12}{14.4}{\rmdefault}{\mddefault}{\updefault}{\color[rgb]{0,0,0}Fade length}%
}}}}
\put(2926,-2536){\makebox(0,0)[rb]{\smash{{\SetFigFont{12}{14.4}{\rmdefault}{\mddefault}{\updefault}{\color[rgb]{0,0,0}Attack level}%
}}}}
\end{picture}%
```

This all looks satisfactory and the CVE has been taken care of.

Whiteboard: (none) => MGA6-64-OK

Rider to comment 4.
You can create your own .fig files with the drawing tool xfig and presumably modify existing ones.
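The advisory above and the name of the POC file say only that fig2dev can underflow a buffer on a crafted FIG file; neither states the mechanism. The following is an added example, written for this page and not taken from fig2dev, xfig, the Ubuntu patch or the POC, showing the commonest shape of that bug class in a FIG-style line reader: a terminator-stripping idiom of the form `buf[strlen(buf) - 1] = '\0'` fed a line whose first byte is NUL, so that `strlen()` returns 0 and the store lands one byte before the buffer. The reader (`span_getline`), the helpers (`naive_eol_index`, `strip_eol`, `scan_fig`) and the sample FIG 3.2 header are all constructed here; the hardened `strip_eol` is what a fix to this pattern looks like, not a claim about the package's actual patch.

```c
#include <stdio.h>
#include <string.h>

#define LINE_CAP 256

/* fgets()-like reader over an in-memory byte span (hypothetical helper).
 * Copies bytes up to and including the next '\n' (or up to cap-1 bytes),
 * NUL-terminates the copy and advances *pos.  Returns 0 once the span is
 * exhausted.  An embedded NUL byte is copied like any other byte, exactly as
 * fgets() would copy it; that is what makes strlen() lie about the line. */
int span_getline(const unsigned char *data, size_t size, size_t *pos,
                 char *buf, size_t cap)
{
    size_t n = 0;
    if (cap == 0 || *pos >= size)
        return 0;
    while (*pos < size && n + 1 < cap) {
        char c = (char)data[(*pos)++];
        buf[n++] = c;
        if (c == '\n')
            break;
    }
    buf[n] = '\0';
    return 1;
}

/* The index that the unchecked idiom  buf[strlen(buf) - 1] = '\0'  writes to.
 * When the line's first byte is NUL, strlen() is 0 and the index is -1: one
 * byte before buf[0].  The example computes the index instead of storing
 * through it, so the defect is observable without corrupting memory. */
long naive_eol_index(const char *buf)
{
    return (long)strlen(buf) - 1;
}

/* Hardened terminator stripping: the `len > 0` check keeps every access at or
 * above buf[0], and CR LF endings are handled too.  Returns the remaining
 * length. */
size_t strip_eol(char *buf)
{
    size_t len = strlen(buf);
    while (len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\r'))
        buf[--len] = '\0';
    return len;
}

/* Walk a FIG file held in memory line by line.  Returns the number of lines
 * read; *underwrites receives how many of them would have sent the naive
 * idiom below buf[0]. */
int scan_fig(const char *data, size_t size, int *underwrites)
{
    char buf[LINE_CAP];
    size_t pos = 0;
    int lines = 0;

    *underwrites = 0;
    while (span_getline((const unsigned char *)data, size, &pos,
                        buf, sizeof buf)) {
        if (naive_eol_index(buf) < 0)
            (*underwrites)++;
        strip_eol(buf);
        lines++;
    }
    return lines;
}

/* Constructed sample (not the GitHub POC): a FIG 3.2 header whose ninth line
 * begins with a NUL byte, followed by the resolution line. */
const char SAMPLE_FIG[] =
    "#FIG 3.2\n"
    "Landscape\n"
    "Center\n"
    "Inches\n"
    "Letter\n"
    "100.00\n"
    "Single\n"
    "-2\n"
    "\0\n"
    "1200 2\n";
#define SAMPLE_FIG_LEN (sizeof SAMPLE_FIG - 1)

int main(void)
{
    int underwrites;
    int lines = scan_fig(SAMPLE_FIG, SAMPLE_FIG_LEN, &underwrites);
    printf("%d lines read, %d would underwrite with the unchecked idiom\n",
           lines, underwrites);
    return 0;
}
```

The same check applies to any reader that trusts `strlen()` on data it did not validate: a NUL byte is a legal input byte, so the length used for indexing must be the count actually read, or at least be tested for zero before `len - 1` is formed.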
Len Lawrence
2019-02-08 09:01:49 CET
Keywords:
(none) =>
validated_update
Dave Hodgins
2019-02-13 02:58:49 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0064.html

Keywords: (none) => advisory
Status: NEW => RESOLVED