Ubuntu has issued an advisory on September 6:
https://usn.ubuntu.com/3760-1/

Mageia 5 and Mageia 6 are also affected.
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => shlomif
Status comment: (none) => Patch available from Ubuntu
Whiteboard: (none) => MGA6TOO
Updated 3.2.7a package submitted to cauldron.
Thanks Shlomi! Patched package also uploaded for Mageia 6.

Advisory:
========================

Updated transfig package fixes security vulnerability:

It was discovered that transfig incorrectly handled certain FIG files. An attacker could possibly use this to execute arbitrary code (CVE-2018-16140).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16140
https://usn.ubuntu.com/3760-1/
========================

Updated packages in core/updates_testing:
========================
transfig-3.2.5d-9.2.mga6

from transfig-3.2.5d-9.2.mga6.src.rpm
CC: (none) => shlomif
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: shlomif => qa-bugs
Mageia 6, x86_64

CVE-2018-16140
POC file at https://github.com/SegfaultMasters/covering360/blob/master/fig2dev/Buffer_underflow_POC

$ fig2dev -L eepic Buffer_underflow_POC
Invalid color definition: , setting to black (#00000).
Invalid color definition: 0, setting to black (#00000).
Invalid color definition: 0, setting to black (#00000).
Cannot locate user color 100, using default color for line 13.
Incorrect format at line 14

Updated the package.

$ rpm -qa | grep transfig
transfig-3.2.5d-9.2.mga6
$ fig2dev -L eepic Buffer_underflow_POC
Incomplete resolution information at line 8

The update made a difference.

Found a .pic file at /usr/share/groff/1.22.3/pic/chem.pic and generated a makefile.

$ transfig -L gif -M Makefile chem.pic
$ cat Makefile
#
# TransFig makefile
#

all: chem.gif

# translation into gif

chem.gif: chem.fig Makefile
	fig2dev -L gif chem.fig chem.gif
clean::
	rm -f chem.gif

chem.fig: chem.pic Makefile
	pic2fig chem.pic > chem.fig
clean::
	rm -f chem.fig

$ make all
pic2fig chem.pic > chem.fig
/bin/sh: pic2fig: command not found
Makefile:15: recipe for target 'chem.fig' failed
make: *** [chem.fig] Error 127

It looks like pic2fig is not part of transfig - maybe in LaTeX somewhere? However the Makefile is valid.

Found a fig file somewhere and converted that to a PNG.

$ fig2dev -L png shape.fig shape.png
$ file shape.png
shape.png: PNG image data, 640 x 293, 8-bit/color RGB, non-interlaced

This displayed as a line drawing with labels.

$ fig2dev -L eps shape.fig shape.ps
$ gs shape.ps

This showed an embedded postscript document containing the original drawing.

The same file could also be converted to a valid PDF file

$ fig2dev -L pdf shape.fig shape.pdf

or a GIF

$ fig2dev -L gif shape.fig shape.gif

or a LaTeX document

$ fig2dev -L latex shape.fig shape.tex
Dash too small; using larger dash
Dash too small; using larger dash
$ cat shape.tex
\setlength{\unitlength}{3947sp}%
%
\begingroup\makeatletter\ifx\SetFigFont\undefined%
\gdef\SetFigFont#1#2#3#4#5{%
  \reset@font\fontsize{#1}{#2pt}%
  \fontfamily{#3}\fontseries{#4}\fontshape{#5}%
  \selectfont}%
\fi\endgroup%
\begin{picture}(7305,4401)(2911,-4603)
\thicklines
[...]
\put(8176,-361){\makebox(0,0)[b]{\smash{{\SetFigFont{12}{14.4}{\rmdefault}{\mddefault}{\updefault}{\color[rgb]{0,0,0}Fade length}%
}}}}
\put(2926,-2536){\makebox(0,0)[rb]{\smash{{\SetFigFont{12}{14.4}{\rmdefault}{\mddefault}{\updefault}{\color[rgb]{0,0,0}Attack level}%
}}}}
\end{picture}%

This all looks satisfactory and the CVE has been taken care of.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
Rider to comment4. You can create your own .fig files with the drawing tool xfig and presumably modify existing ones.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0064.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED