Bug 23537 - transfig new security issue CVE-2018-16140
Summary: transfig new security issue CVE-2018-16140
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2018-09-07 19:06 CEST by David Walser
Modified: 2019-02-13 12:10 CET (History)
5 users (show)

See Also:
Source RPM: transfig-3.2.6a-1.mga7.src.rpm
Status comment: Patch available from Ubuntu


Description David Walser 2018-09-07 19:06:00 CEST
Ubuntu has issued an advisory on September 6:

Mageia 5 and Mageia 6 are also affected.
Comment 1 Marja Van Waes 2018-09-08 13:12:37 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

David Walser 2019-02-03 02:03:00 CET

Status comment: (none) => Patch available from Ubuntu
Whiteboard: (none) => MGA6TOO

Comment 2 Shlomi Fish 2019-02-03 10:21:30 CET
Updated 3.2.7a package submitted to cauldron.
Comment 3 David Walser 2019-02-03 17:55:36 CET
Thanks Shlomi!

Patched package also uploaded for Mageia 6.


Updated transfig package fixes security vulnerability:

It was discovered that transfig incorrectly handled certain FIG files. An
attacker could possibly use this to execute arbitrary code (CVE-2018-16140).


Updated packages in core/updates_testing:

from transfig-3.2.5d-9.2.mga6.src.rpm

CC: (none) => shlomif
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: shlomif => qa-bugs

Comment 4 Len Lawrence 2019-02-03 21:04:06 CET
Mageia 6, x86_64

POC file at https://github.com/SegfaultMasters/covering360/blob/master/fig2dev/Buffer_underflow_POC

$ fig2dev -L eepic Buffer_underflow_POC
Invalid color definition: , setting to black (#00000).
Invalid color definition: 0, setting to black (#00000).
Invalid color definition: 	0, setting to black (#00000).
Cannot locate user color 100, using default color for line 13.
Incorrect format at line 14

Updated the package.
$ rpm -qa | grep transfig

$ fig2dev -L eepic Buffer_underflow_POC
Incomplete resolution information at line 8

The update made a difference.

Found a .pic file at /usr/share/groff/1.22.3/pic/chem.pic and generated a makefile.
$ transfig -L gif -M Makefile chem.pic
$ cat Makefile
# TransFig makefile

all: chem.gif 

# translation into gif

chem.gif: chem.fig Makefile
	fig2dev -L gif chem.fig chem.gif
	rm -f chem.gif

chem.fig: chem.pic Makefile
	pic2fig chem.pic > chem.fig
	rm -f chem.fig

$ make all
pic2fig chem.pic > chem.fig
/bin/sh: pic2fig: command not found
Makefile:15: recipe for target 'chem.fig' failed
make: *** [chem.fig] Error 127

It looks like pic2fig is not part of transfig - maybe in LaTeX somewhere?
However the Makefile is valid.

Found a fig file somewhere and converted that to a PNG.
$ fig2dev -L png shape.fig shape.png
$ file shape.png
shape.png: PNG image data, 640 x 293, 8-bit/color RGB, non-interlaced
This displayed as a line drawing with labels.

$ fig2dev -L eps shape.fig shape.ps
$ gs shape.ps
This showed an embedded postscript document containing the original drawing.
The same file could also be converted to a valid PDF file
$ fig2dev -L pdf shape.fig shape.pdf
or a GIF
$ fig2dev -L gif shape.fig shape.gif
or a LaTeX document
$ fig2dev -L latex shape.fig shape.tex
Dash too small; using larger dash
Dash too small; using larger dash

$ cat shape.tex
\put(8176,-361){\makebox(0,0)[b]{\smash{{\SetFigFont{12}{14.4}{\rmdefault}{\mddefault}{\updefault}{\color[rgb]{0,0,0}Fade length}%
\put(2926,-2536){\makebox(0,0)[rb]{\smash{{\SetFigFont{12}{14.4}{\rmdefault}{\mddefault}{\updefault}{\color[rgb]{0,0,0}Attack level}%

This all looks satisfactory and the CVE has been taken care of.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25

Comment 5 Len Lawrence 2019-02-03 21:12:02 CET
Rider to comment4.  You can create your own .fig files with the drawing tool xfig and presumably modify existing ones.
Len Lawrence 2019-02-08 09:01:49 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2019-02-13 02:58:49 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2019-02-13 12:10:24 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.