Fedora has issued an advisory on June 7: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C44WSY5KAQXC3Y2NMSVXXZS3M5U5U2E6/ The issue is fixed upstream in 3.2.8a. Mageia 7 and Mageia 8 are also affected.
Status comment: (none) => Fixed upstream in 3.2.8aWhiteboard: (none) => MGA8TOO, MGA7TOO
Assigning to you, David, as having done the most recent updates to this parentless SRPM.
Assignee: bugsquad => geiger.david68210
Removing Mageia 7 from whiteboard due to EOL: https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO
openSUSE has issued an advisory for this on July 22: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RK4BRVCUPZKN5VS2JGWBPYITONWJCIZJ/
fixed in cauldron
CC: (none) => mageiaVersion: Cauldron => 8
fixed in mga8 src: - transfig-3.2.8a-1.mga8
Assignee: geiger.david68210 => qa-bugsWhiteboard: MGA8TOO => (none)Status comment: Fixed upstream in 3.2.8a => (none)
MGA8-64 Plasmaon Lenovo B50 No installation issues. Installed xfig to make a vector graphic, with a circle, rectangle, hexagon and a broken line. Ref bug 26146 Comment 6 for testing. At CLI: $ fig2dev -L png testtransfig.fig testtransfig.png $ file testtransfig.png testtransfig.png: PNG image data, 781 x 626, 1-bit colormap, non-interlaced $ fig2dev -L eps testtransfig.fig testtransfig.ps $ fig2dev -L pdf testtransfig.fig testtransfig.pdf $ fig2dev -L gif testtransfig.fig testtransfig.gif $ fig2dev -L latex testtransfig.fig testtransfig.tex Not a LaTeX slope (3300, -600), deviation 56.8 pixels Not a LaTeX slope (-525, -3375), deviation 42.6 pixels Not a LaTeX slope (-6825, 525), deviation 525.0 pixels Not a LaTeX slope (-750, 1050), deviation 42.0 pixels Not a LaTeX slope (-1260, -832), deviation 9.2 pixels Not a LaTeX slope (1260, 832), deviation 9.2 pixels $ cat testtransfig.tex \setlength{\unitlength}{3947sp}% % \begingroup\makeatletter\ifx\SetFigFont\undefined% \gdef\SetFigFont#1#2#3#4#5{% \reset@font\fontsize{#1}{#2pt}% \fontfamily{#3}\fontseries{#4}\fontshape{#5}% \selectfont}% \fi\endgroup% \begin{picture}(11715,9390)(1048,-9073) {\color[rgb]{0,0,0}\thinlines \put(2701,-1336){\oval(3290,3290)} }% {\color[rgb]{0,0,0}\put(5926,-7636){\framebox(6300,3300){}} }% {\color[rgb]{0,0,0}\put(1726,-4186){\line( 6, 1){7200}} \put(8926,-2986){\line( 6,-1){3308.108}} \put(12226,-3586){\line( 1,-4){525}} \put(12751,-5686){\line(-1,-6){561.486}} \put(12226,-9061){\line(-1, 0){6825}} \put(5401,-8536){\line(-3, 4){774}} }% {\color[rgb]{0,0,0}\put(8326,-2086){\line( 0, 1){1507}} \put(8236,-579){\line(-2, 1){1350}} \put(6886, 96){\line(-3,-2){1256.308}} \put(5626,-736){\line( 0,-1){1507}} \put(5716,-2243){\line( 2,-1){1350}} \put(7066,-2918){\line( 3, 2){1256.308}} }% \end{picture}% The picture files all display OK either in gwenview or in okular. So OK for me
Whiteboard: (none) => MGA8-64-OKCC: (none) => herman.viaene
type: security subject: Updated transfig package fixes a security vulnerability CVE: - CVE-2021-3561 src: 8: core: - transfig-3.2.8a-1.mga8 description: | An Out of Bounds flaw was found fig2dev version 3.2.8a. A flawed bounds check in read_objects() could allow an attacker to provide a crafted malicious input causing the application to either crash or in some cases cause memory corruption. The highest threat from this vulnerability is to integrity as well as system availability (CVE-2021-3561). references: - https://bugs.mageia.org/show_bug.cgi?id=29126 - https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RK4BRVCUPZKN5VS2JGWBPYITONWJCIZJ/ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C44WSY5KAQXC3Y2NMSVXXZS3M5U5U2E6/
Keywords: (none) => advisory, validated_updateCVE: (none) => CVE-2021-3561CC: (none) => ouaurelien, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0379.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED
This update also fixed CVE-2020-2168[0-3]: https://lists.suse.com/pipermail/sle-security-updates/2021-September/009457.html https://bugzilla.suse.com/show_bug.cgi?id=1189343 https://bugzilla.suse.com/show_bug.cgi?id=1189345 https://bugzilla.suse.com/show_bug.cgi?id=1189346 https://bugzilla.suse.com/show_bug.cgi?id=1189325
This update also fixed CVE-2020-21529 CVE-2020-2153[0-5] CVE-2021-32280: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EBZZA2GBLUHRWOSJZPQSU2KHSYN4PFJK/