| Summary: | transfig new security issues CVE-2019-14275, CVE-2019-19555, CVE-2019-19746, CVE-2019-19797 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, herman.viaene, nicolas.salguero, shlomif, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | transfig-3.2.7a-3.mga7.src.rpm | CVE: | CVE-2019-14275, CVE-2019-19555, CVE-2019-19746, CVE-2019-19797 |
| Status comment: | |||
Description
David Walser
2020-01-29 20:20:05 CET
David Walser
2020-01-29 20:20:12 CET
Whiteboard: (none) => MGA7TOO

Assigning to Shlomi, the active maintainer.

Assignee: bugsquad => shlomif

Fedora has issued an advisory on January 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7DHT2H26YTJQC3SPYPFUPZZJG26MWGTL/

It fixes two other issues.

They also updated xfig along with it:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ILJM2G6NM5MMBKTT5CH23TAI6DJGNW36/

Summary: transfig new security issues CVE-2019-14275 and CVE-2019-19555 => transfig new security issues CVE-2019-14275, CVE-2019-19555, CVE-2019-19746, CVE-2019-19797

David Walser
2020-01-29 20:51:17 CET

Assignee: bugsquad => pkg-bugs

3.2.7b contains the fixes for the first two issues, which were fixed in these commits:
https://sourceforge.net/p/mcj/fig2dev/ci/03ea4578258d2d9ca1ceb080e469ad261db39ef0/
https://sourceforge.net/p/mcj/fig2dev/ci/19db5fe6f77ebad91af4b4ef0defd61bd0bb358f/

David Geiger patched the second two issues in transfig-3.2.7b-2.mga8.

Version: Cauldron => 7

David Walser
2020-01-30 14:16:22 CET

CC: (none) => geiger.david68210

David Walser
2020-02-21 17:47:52 CET

Status comment: (none) => Patches available from upstream and Fedora

Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Xfig fig2dev 3.2.7a has a stack-based buffer overflow in the calc_arrow function in bound.c. (CVE-2019-14275)

read_textobject in read.c in Xfig fig2dev 3.2.7b has a stack-based buffer overflow because of an incorrect sscanf. (CVE-2019-19555)

make_arrow in arrow.c in Xfig fig2dev 3.2.7b allows a segmentation fault and out-of-bounds write because of an integer overflow via a large arrow type. (CVE-2019-19746)

read_colordef in read.c in Xfig fig2dev 3.2.7b has an out-of-bounds write. (CVE-2019-19797)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14275
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19555
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19746
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19797
https://www.debian.org/lts/security/2020/dla-2073
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7DHT2H26YTJQC3SPYPFUPZZJG26MWGTL/
========================

Updated package in core/updates_testing:
========================
transfig-3.2.7a-3.1.mga7

from SRPM:
transfig-3.2.7a-3.1.mga7.src.rpm

CVE: (none) => CVE-2019-14275, CVE-2019-19555, CVE-2019-19746, CVE-2019-19797

Have run the PoC for the CVEs with positive results. Now trying to figure out how to use transfig.

CC: (none) => tarazed25

MGA7-64 Plasma on Lenovo B50

No installation issues

Ref bug 23537 for tests, so installed xfig as well.
Created a crude fig file containing a circle, a hexagon and a broken line.

At CLI:

```
$ fig2dev -L png testtransfig.fig testtransfig.png
$ file testtransfig.png
testtransfig.png: PNG image data, 725 x 434, 1-bit colormap, non-interlaced
[tester7@mach5 Pictures]$ fig2dev -L eps testtransfig.fig testtransfig.ps
[tester7@mach5 Pictures]$ fig2dev -L pdf testtransfig.fig testtransfig.pdf
[tester7@mach5 Pictures]$ fig2dev -L gif testtransfig.fig testtransfig.gif
[tester7@mach5 Pictures]$ fig2dev -L latex testtransfig.fig testtransfig.tex
Not a LaTeX slope (1350, -1200), deviation 81.1 pixels
Not a LaTeX slope (-525, -1425), deviation 54.3 pixels
Not a LaTeX slope (2175, -900), deviation 36.2 pixels
Not a LaTeX slope (2250, -300), deviation 85.1 pixels
Not a LaTeX slope (525, 2025), deviation 22.1 pixels
Not a LaTeX slope (1725, 975), deviation 70.6 pixels
Not a LaTeX slope (1875, -600), deviation 30.0 pixels
Not a LaTeX slope (-525, -1350), deviation 18.1 pixels
Not a LaTeX slope (750, -525), deviation 28.8 pixels
Not a LaTeX slope (874, 2237), deviation 25.1 pixels
Not a LaTeX slope (-2374, -362), deviation 38.2 pixels
Not a LaTeX slope (-874, -2237), deviation 25.1 pixels
Not a LaTeX slope (2374, 362), deviation 38.2 pixels
$ cat testtransfig.tex
\setlength{\unitlength}{3947sp}%
%
\begingroup\makeatletter\ifx\SetFigFont\undefined%
\gdef\SetFigFont#1#2#3#4#5{%
\reset@font\fontsize{#1}{#2pt}%
\fontfamily{#3}\fontseries{#4}\fontshape{#5}%
\selectfont}%
\fi\endgroup%
\begin{picture}(10873,6501)(540,-5998)
{\color[rgb]{0,0,0}\thinlines
\put(7351,-2498){\oval(5988,5988)}
}%
{\color[rgb]{0,0,0}\put(1801,-2161){\line( 6,-5){1386.885}}
\put(3151,-3361){\line(-2,-5){563.793}}
\put(2626,-4786){\line( 5,-2){2185.345}}
\put(4801,-5686){\line( 6,-1){2237.838}}
\put(7051,-5986){\line( 1, 4){507.353}}
\put(7576,-3961){\line( 5, 3){1698.529}}
\put(9301,-2986){\line( 3,-1){1867.500}}
\put(11176,-3586){\line(-2,-5){537.931}}
\put(10651,-4936){\line( 3,-2){761.538}}
}%
{\color[rgb]{0,0,0}\put(4426,-3886){\line( 2, 5){891.931}}
\put(5300,-1649){\line(-4, 5){1500}}
\put(3800,226){\line(-6,-1){2368.541}}
\put(1426,-136){\line(-2,-5){891.931}}
\put(552,-2373){\line( 4,-5){1500}}
\put(2052,-4248){\line( 6, 1){2368.541}}
}%
\end{picture}%
```

The picture files all display OK either in gwenview or in okular.
All looks OK compared to bug 23537.

CC: (none) => herman.viaene

Validating. Advisory in Comment 4.

Keywords: (none) => validated_update

Thanks guys - did not get round to completing this.
Adding the PoC test report.

*Before update*

CVE-2019-14275 https://sourceforge.net/p/mcj/tickets/52/
```
$ fig2dev -L box test01
An open rectangle at line 12 - close it.
A rectangle with 5 corners at line 12 - convert to a polygon.
Segmentation fault (core dumped)
```

CVE-2019-19555 https://sourceforge.net/p/mcj/tickets/55/
```
$ fig2dev -L box test02
Bus error (core dumped)
```

CVE-2019-19746 https://sourceforge.net/p/mcj/tickets/57/
```
$ fig2dev -L ptk id:000006_sig:11_src:000039_op:havoc_rep:2
Segmentation fault (core dumped)
```

CVE-2019-19797 https://sourceforge.net/p/mcj/tickets/67/
```
$ fig2dev -L box test03
Invalid color definition: 0 1200 600 1200 600 600 :\Ŕ������L^�� T#0 600 0 120, setting to black (#00000).
Segmentation fault (core dumped)
```

*After update*

```
$ fig2dev -L box test01
An open rectangle at line 12 - close it.
A rectangle with 5 corners at line 12 - convert to a polygon.
\makebox[3522.677in]{\rule{0in}{8.383in}}

$ fig2dev -L box test02
r�X'.t determine fig file format from string '%�y��

$ fig2dev -L ptk id:000006_sig:11_src:000039_op:havoc_rep:2
r�X'.t determine fig file format from string '%�y��

lcl@difda:transfig $ fig2dev -L ptk id:000006_sig:11_src:000039_op:havoc_rep:2
Invalid forward arrow at line 11.

$ fig2dev -L box test03
Invalid paper size specification at line 5: Let
```

These PoC tests all look good.
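The advisory entries and the PoC crashes above all come down to FIG parser fields that reach a table index or a fixed stack buffer without a range or width check. As an added illustration that is not fig2dev's code and not part of this bug report, the C functions below show hardened readers for the three field kinds involved; the USER_COLOR_* range, MAX_ARROW_TYPE and TEXT_CAP values are assumptions chosen for the example, not fig2dev's constants.

```c
/* Hypothetical hardened readers for three FIG fields (illustration, not
   fig2dev's code).  The ranges below are assumptions for the example. */
#include <stdio.h>
#include <string.h>

#define USER_COLOR_MIN  32
#define USER_COLOR_MAX  543
#define MAX_ARROW_TYPE  14
#define TEXT_CAP        128

/* "0 <num> #rrggbb": the number becomes a table index, so it is range-checked
   before any store (CVE-2019-19797 class).  Returns the slot, or -1. */
int colordef_index(const char *line, unsigned *rgb)
{
    int num; unsigned val;
    if (sscanf(line, "0 %d #%6x", &num, &val) != 2) return -1;
    if (num < USER_COLOR_MIN || num > USER_COLOR_MAX) return -1;
    if (rgb) *rgb = val;
    return num - USER_COLOR_MIN;
}

/* Arrow type: reject negative or huge values before they reach arithmetic or
   a table subscript (CVE-2019-19746 class). */
int arrow_type_ok(long type)
{
    return type >= 0 && type <= MAX_ARROW_TYPE;
}

/* Text field: "%s" / "%[^\n]" with no width overruns a fixed buffer
   (CVE-2019-19555 class); the width is built into the format instead.
   Returns the number of bytes stored (at most TEXT_CAP - 1), or -1. */
int text_len_bounded(const char *line)
{
    char buf[TEXT_CAP], fmt[24];
    snprintf(fmt, sizeof fmt, "%%%d[^\n]", TEXT_CAP - 1);   /* "%127[^\n]" */
    if (sscanf(line, fmt, buf) != 1) return -1;
    return (int)strlen(buf);
}

int main(void)
{
    char big[301];                    /* constructed 300-byte text line */
    memset(big, 'A', 300); big[300] = '\0';
    printf("colour 32 -> slot %d\n", colordef_index("0 32 #ff0000", NULL));
    printf("colour 1200 -> slot %d\n", colordef_index("0 1200 #00ff00", NULL));
    printf("arrow type 100000 accepted? %d\n", arrow_type_ok(100000L));
    printf("stored %d of 300 text bytes\n", text_len_bounded(big));
    return 0;
}
```

The 1200 colour number in the constructed run mirrors the "Invalid color definition: 0 1200 ..." line from the test03 PoC output: a checked reader rejects it instead of indexing past the table.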
Thomas Backlund
2020-03-06 15:09:20 CET
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0116.html

Resolution: (none) => FIXED