Bug 23537 - transfig new security issue CVE-2018-16140
Summary: transfig new security issue CVE-2018-16140
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-09-07 19:06 CEST by David Walser
Modified: 2019-02-13 12:10 CET (History)
5 users (show)

See Also:
Source RPM: transfig-3.2.6a-1.mga7.src.rpm
CVE:
Status comment: Patch available from Ubuntu


Attachments

Description David Walser 2018-09-07 19:06:00 CEST
Ubuntu has issued an advisory on September 6:
https://usn.ubuntu.com/3760-1/

Mageia 5 and Mageia 6 are also affected.
Comment 1 Marja Van Waes 2018-09-08 13:12:37 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

David Walser 2019-02-03 02:03:00 CET

Whiteboard: (none) => MGA6TOO
Status comment: (none) => Patch available from Ubuntu

Comment 2 Shlomi Fish 2019-02-03 10:21:30 CET
Updated 3.2.7a package submitted to cauldron.
Comment 3 David Walser 2019-02-03 17:55:36 CET
Thanks Shlomi!

Patched package also uploaded for Mageia 6.

Advisory:
========================

Updated transfig package fixes security vulnerability:

It was discovered that transfig incorrectly handled certain FIG files. An
attacker could possibly use this to execute arbitrary code (CVE-2018-16140).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16140
https://usn.ubuntu.com/3760-1/
========================

Updated packages in core/updates_testing:
========================
transfig-3.2.5d-9.2.mga6

from transfig-3.2.5d-9.2.mga6.src.rpm

Assignee: shlomif => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
CC: (none) => shlomif

Comment 4 Len Lawrence 2019-02-03 21:04:06 CET
Mageia 6, x86_64

CVE-2018-16140
POC file at https://github.com/SegfaultMasters/covering360/blob/master/fig2dev/Buffer_underflow_POC

$ fig2dev -L eepic Buffer_underflow_POC
Invalid color definition: , setting to black (#00000).
Invalid color definition: 0, setting to black (#00000).
Invalid color definition: 	0, setting to black (#00000).
Cannot locate user color 100, using default color for line 13.
Incorrect format at line 14

Updated the package.
$ rpm -qa | grep transfig
transfig-3.2.5d-9.2.mga6

$ fig2dev -L eepic Buffer_underflow_POC
Incomplete resolution information at line 8

The update made a difference.

Found a .pic file at /usr/share/groff/1.22.3/pic/chem.pic and generated a makefile.
$ transfig -L gif -M Makefile chem.pic
$ cat Makefile
#
# TransFig makefile
#

all: chem.gif 

# translation into gif

chem.gif: chem.fig Makefile
	fig2dev -L gif chem.fig chem.gif
clean::
	rm -f chem.gif

chem.fig: chem.pic Makefile
	pic2fig chem.pic > chem.fig
clean::
	rm -f chem.fig

$ make all
pic2fig chem.pic > chem.fig
/bin/sh: pic2fig: command not found
Makefile:15: recipe for target 'chem.fig' failed
make: *** [chem.fig] Error 127

It looks like pic2fig is not part of transfig - maybe in LaTeX somewhere?
However the Makefile is valid.

Found a fig file somewhere and converted that to a PNG.
$ fig2dev -L png shape.fig shape.png
$ file shape.png
shape.png: PNG image data, 640 x 293, 8-bit/color RGB, non-interlaced
This displayed as a line drawing with labels.

$ fig2dev -L eps shape.fig shape.ps
$ gs shape.ps
This showed an embedded postscript document containing the original drawing.
The same file could also be converted to a valid PDF file
$ fig2dev -L pdf shape.fig shape.pdf
or a GIF
$ fig2dev -L gif shape.fig shape.gif
or a LaTeX document
$ fig2dev -L latex shape.fig shape.tex
Dash too small; using larger dash
Dash too small; using larger dash

$ cat shape.tex
\setlength{\unitlength}{3947sp}%
%
\begingroup\makeatletter\ifx\SetFigFont\undefined%
\gdef\SetFigFont#1#2#3#4#5{%
  \reset@font\fontsize{#1}{#2pt}%
  \fontfamily{#3}\fontseries{#4}\fontshape{#5}%
  \selectfont}%
\fi\endgroup%
\begin{picture}(7305,4401)(2911,-4603)
\thicklines
[...]
\put(8176,-361){\makebox(0,0)[b]{\smash{{\SetFigFont{12}{14.4}{\rmdefault}{\mddefault}{\updefault}{\color[rgb]{0,0,0}Fade length}%
}}}}
\put(2926,-2536){\makebox(0,0)[rb]{\smash{{\SetFigFont{12}{14.4}{\rmdefault}{\mddefault}{\updefault}{\color[rgb]{0,0,0}Attack level}%
}}}}
\end{picture}%

This all looks satisfactory and the CVE has been taken care of.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Comment 5 Len Lawrence 2019-02-03 21:12:02 CET
Rider to comment4.  You can create your own .fig files with the drawing tool xfig and presumably modify existing ones.
Len Lawrence 2019-02-08 09:01:49 CET

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2019-02-13 02:58:49 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2019-02-13 12:10:24 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0064.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.