Debian-LTS has issued an advisory on January 23: https://www.debian.org/lts/security/2020/dla-2073 Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Assigning to Shlomi, the active maintainer.
Assignee: bugsquad => shlomif
Fedora has issued an advisory on January 24: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7DHT2H26YTJQC3SPYPFUPZZJG26MWGTL/ It fixes two other issues. They also updated xfig along with it: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ILJM2G6NM5MMBKTT5CH23TAI6DJGNW36/
Summary: transfig new security issues CVE-2019-14275 and CVE-2019-19555 => transfig new security issues CVE-2019-14275, CVE-2019-19555, CVE-2019-19746, CVE-2019-19797
Assignee: shlomif => bugsquad
Assignee: bugsquad => pkg-bugs
CC: (none) => shlomif
3.2.7b contains the fixes for the first two issues, which were fixed in these commits: https://sourceforge.net/p/mcj/fig2dev/ci/03ea4578258d2d9ca1ceb080e469ad261db39ef0/ https://sourceforge.net/p/mcj/fig2dev/ci/19db5fe6f77ebad91af4b4ef0defd61bd0bb358f/ David Geiger patched the second two issues in transfig-3.2.7b-2.mga8.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
CC: (none) => geiger.david68210
Status comment: (none) => Patches available from upstream and Fedora
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Xfig fig2dev 3.2.7a has a stack-based buffer overflow in the calc_arrow function in bound.c. (CVE-2019-14275)

read_textobject in read.c in Xfig fig2dev 3.2.7b has a stack-based buffer overflow because of an incorrect sscanf. (CVE-2019-19555)

make_arrow in arrow.c in Xfig fig2dev 3.2.7b allows a segmentation fault and out-of-bounds write because of an integer overflow via a large arrow type. (CVE-2019-19746)

read_colordef in read.c in Xfig fig2dev 3.2.7b has an out-of-bounds write. (CVE-2019-19797)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14275
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19555
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19746
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19797
https://www.debian.org/lts/security/2020/dla-2073
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7DHT2H26YTJQC3SPYPFUPZZJG26MWGTL/
========================

Updated package in core/updates_testing:
========================

transfig-3.2.7a-3.1.mga7

from SRPM:
transfig-3.2.7a-3.1.mga7.src.rpm
CVE: (none) => CVE-2019-14275, CVE-2019-19555, CVE-2019-19746, CVE-2019-19797
Assignee: pkg-bugs => qa-bugs
Status comment: Patches available from upstream and Fedora => (none)
Source RPM: transfig-3.2.7b-1.mga8.src.rpm => transfig-3.2.7a-3.mga7.src.rpm
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Have run the PoC for the CVEs with positive results. Now trying to figure out how to use transfig.
CC: (none) => tarazed25
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 23537 for tests, so installed xfig as well.
Created a crude fig file containing a circle, a hexagon and a broken line.
At CLI:
$ fig2dev -L png testtransfig.fig testtransfig.png
$ file testtransfig.png
testtransfig.png: PNG image data, 725 x 434, 1-bit colormap, non-interlaced
[tester7@mach5 Pictures]$ fig2dev -L eps testtransfig.fig testtransfig.ps
[tester7@mach5 Pictures]$ fig2dev -L pdf testtransfig.fig testtransfig.pdf
[tester7@mach5 Pictures]$ fig2dev -L gif testtransfig.fig testtransfig.gif
[tester7@mach5 Pictures]$ fig2dev -L latex testtransfig.fig testtransfig.tex
Not a LaTeX slope (1350, -1200), deviation 81.1 pixels
Not a LaTeX slope (-525, -1425), deviation 54.3 pixels
Not a LaTeX slope (2175, -900), deviation 36.2 pixels
Not a LaTeX slope (2250, -300), deviation 85.1 pixels
Not a LaTeX slope (525, 2025), deviation 22.1 pixels
Not a LaTeX slope (1725, 975), deviation 70.6 pixels
Not a LaTeX slope (1875, -600), deviation 30.0 pixels
Not a LaTeX slope (-525, -1350), deviation 18.1 pixels
Not a LaTeX slope (750, -525), deviation 28.8 pixels
Not a LaTeX slope (874, 2237), deviation 25.1 pixels
Not a LaTeX slope (-2374, -362), deviation 38.2 pixels
Not a LaTeX slope (-874, -2237), deviation 25.1 pixels
Not a LaTeX slope (2374, 362), deviation 38.2 pixels
$ cat testtransfig.tex
\setlength{\unitlength}{3947sp}%
%
\begingroup\makeatletter\ifx\SetFigFont\undefined%
\gdef\SetFigFont#1#2#3#4#5{%
\reset@font\fontsize{#1}{#2pt}%
\fontfamily{#3}\fontseries{#4}\fontshape{#5}%
\selectfont}%
\fi\endgroup%
\begin{picture}(10873,6501)(540,-5998)
{\color[rgb]{0,0,0}\thinlines
\put(7351,-2498){\oval(5988,5988)}
}%
{\color[rgb]{0,0,0}\put(1801,-2161){\line( 6,-5){1386.885}}
\put(3151,-3361){\line(-2,-5){563.793}}
\put(2626,-4786){\line( 5,-2){2185.345}}
\put(4801,-5686){\line( 6,-1){2237.838}}
\put(7051,-5986){\line( 1, 4){507.353}}
\put(7576,-3961){\line( 5, 3){1698.529}}
\put(9301,-2986){\line( 3,-1){1867.500}}
\put(11176,-3586){\line(-2,-5){537.931}}
\put(10651,-4936){\line( 3,-2){761.538}}
}%
{\color[rgb]{0,0,0}\put(4426,-3886){\line( 2, 5){891.931}}
\put(5300,-1649){\line(-4, 5){1500}}
\put(3800,226){\line(-6,-1){2368.541}}
\put(1426,-136){\line(-2,-5){891.931}}
\put(552,-2373){\line( 4,-5){1500}}
\put(2052,-4248){\line( 6, 1){2368.541}}
}%
\end{picture}%
The picture files all display OK either in gwenview or in okular.
All looks OK compared to bug 23537.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Thanks guys - did not get round to completing this. Adding the PoC test report.

*Before update*

CVE-2019-14275
https://sourceforge.net/p/mcj/tickets/52/
$ fig2dev -L box test01
An open rectangle at line 12 - close it.
A rectangle with 5 corners at line 12 - convert to a polygon.
Segmentation fault (core dumped)

CVE-2019-19555
https://sourceforge.net/p/mcj/tickets/55/
$ fig2dev -L box test02
Bus error (core dumped)

CVE-2019-19746
https://sourceforge.net/p/mcj/tickets/57/
$ fig2dev -L ptk id:000006_sig:11_src:000039_op:havoc_rep:2
Segmentation fault (core dumped)

CVE-2019-19797
https://sourceforge.net/p/mcj/tickets/67/
$ fig2dev -L box test03
Invalid color definition: 0 1200 600 1200 600 600 :\Ŕ������L^�� T#0 600 0 120, setting to black (#00000).
Segmentation fault (core dumped)

*After update*

$ fig2dev -L box test01
An open rectangle at line 12 - close it.
A rectangle with 5 corners at line 12 - convert to a polygon.
\makebox[3522.677in]{\rule{0in}{8.383in}}
$ fig2dev -L box test02
r�X'.t determine fig file format from string '%�y��
$ fig2dev -L ptk id:000006_sig:11_src:000039_op:havoc_rep:2
r�X'.t determine fig file format from string '%�y��
lcl@difda:transfig $ fig2dev -L ptk id:000006_sig:11_src:000039_op:havoc_rep:2
Invalid forward arrow at line 11.
$ fig2dev -L box test03
Invalid paper size specification at line 5: Let

These PoC tests all look good.
CC: (none) => tmb
Keywords: (none) => advisory
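As an added example (not code from transfig, nor from anyone on this report), a small pre-filter over FIG 3.2 input that rejects the colour definitions and arrow types behind CVE-2019-19797 and CVE-2019-19746 before an untrusted file reaches fig2dev. The accepted ranges (user colours 32..543, arrow types 0..14) and the two sample files are assumptions taken from the FIG 3.2 format description, not from fig2dev's own checks.

```python
"""Pre-filter for FIG 3.2 files before fig2dev sees them (added example, not transfig code).
Rejects colour definitions and arrow types outside their documented ranges, the malformed
input behind CVE-2019-19797 and CVE-2019-19746. Ranges are assumptions from the FIG 3.2 spec."""
import re

USER_COLOR_RANGE = range(32, 544)  # assumed: user colours are numbered 32..543
ARROW_TYPE_RANGE = range(0, 15)    # assumed: arrow types 0..14 (xfig 3.2.5 and later)
# object code -> (index of the forward_arrow flag, numbers that follow per point)
ARROWED = {"2": (13, 2), "3": (11, 3), "5": (12, 0)}
# constructed sample files: the nine fixed header lines, one colour, one arrowed polyline
HEADER = "#FIG 3.2\nLandscape\nCenter\nInches\nLetter\n100.00\nSingle\n-2\n1200 2\n"
GOOD_FIG = HEADER + ("0 32 #ff8800\n2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 1 0 2\n"
                     "\t1 1 1.00 60.00 120.00\n\t 600 600 2400 600\n")
BAD_FIG = HEADER + ("0 1000 #ff8800\n2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 1 0 2\n"
                    "\t99 1 1.00 60.00 120.00\n\t 600 600 2400 600\n")


def check_fig(text):
    """Return the problems found; an empty list means the file passed the filter."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#FIG 3.2"):
        return ["missing #FIG 3.2 header"]
    problems, i = [], 9                          # assumes no comment lines inside the header
    while i < len(lines):
        line, i = lines[i], i + 1                # i is now the 1-based line number
        tok = line.split()
        if not tok or line.startswith("#"):
            continue
        if tok[0] == "0":                        # colour pseudo-object: 0 number #rrggbb
            if (len(tok) != 3 or not tok[1].isdigit() or int(tok[1]) not in USER_COLOR_RANGE
                    or not re.fullmatch(r"#[0-9a-fA-F]{6}", tok[2])):
                problems.append(f"line {i}: bad colour definition {line!r}")
        elif tok[0] in ARROWED:                  # polyline, spline or arc may carry arrows
            fwd, per_point = ARROWED[tok[0]]
            if len(tok) < fwd + 3 or (per_point and not tok[fwd + 2].isdigit()):
                problems.append(f"line {i}: truncated or malformed object header")
                continue
            for _ in range(int(tok[fwd] == "1") + int(tok[fwd + 1] == "1")):
                atok = lines[i].split() if i < len(lines) else []
                i += 1
                if len(atok) != 5 or not atok[0].isdigit() or int(atok[0]) not in ARROW_TYPE_RANGE:
                    problems.append(f"line {i}: bad arrow line {' '.join(atok)!r}")
            if tok[0] == "2" and tok[1] == "5":  # an imported picture carries one extra line
                i += 1
            need = per_point * int(tok[fwd + 2]) if per_point else 0  # point values to skip
            while need > 0 and i < len(lines):
                need -= len(lines[i].split())
                i += 1
    return problems
```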
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0116.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED