Bug 29126 - transfig new security issue CVE-2021-3561
Summary: transfig new security issue CVE-2021-3561
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-06-13 23:51 CEST by David Walser
Modified: 2021-10-30 20:01 CEST (History)
4 users (show)

See Also:
Source RPM: transfig-3.2.7b-3.mga8.src.rpm
CVE: CVE-2021-3561
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2021-06-13 23:51:33 CEST 
Fedora has issued an advisory on June 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C44WSY5KAQXC3Y2NMSVXXZS3M5U5U2E6/

The issue is fixed upstream in 3.2.8a.

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-06-13 23:51:48 CEST

Status comment: (none) => Fixed upstream in 3.2.8a
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Lewis Smith 2021-06-14 21:15:15 CEST 
Assigning to you, David, as having done the most recent updates to this parentless SRPM.

Assignee: bugsquad => geiger.david68210

Comment 2 David Walser 2021-07-01 18:57:31 CEST 
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO

Comment 3 David Walser 2021-07-23 22:04:45 CEST 
openSUSE has issued an advisory for this on July 22:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RK4BRVCUPZKN5VS2JGWBPYITONWJCIZJ/
Comment 4 Nicolas Lécureuil 2021-07-26 11:13:55 CEST 
fixed in cauldron

CC: (none) => mageia
Version: Cauldron => 8

Comment 5 Nicolas Lécureuil 2021-07-26 11:17:40 CEST 
fixed in mga8

src:
    - transfig-3.2.8a-1.mga8

Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 3.2.8a => (none)

Comment 6 Herman Viaene 2021-07-27 14:51:57 CEST 
MGA8-64 Plasmaon Lenovo B50
No installation issues.
Installed xfig to make a vector graphic, with a circle, rectangle, hexagon and a broken line. 
Ref bug 26146 Comment 6 for testing.
At CLI:
$ fig2dev -L png testtransfig.fig testtransfig.png

$ file testtransfig.png 
testtransfig.png: PNG image data, 781 x 626, 1-bit colormap, non-interlaced

$ fig2dev -L eps testtransfig.fig testtransfig.ps
$ fig2dev -L pdf testtransfig.fig testtransfig.pdf
$ fig2dev -L gif testtransfig.fig testtransfig.gif
$  fig2dev -L latex testtransfig.fig testtransfig.tex
Not a LaTeX slope (3300, -600), deviation 56.8 pixels
Not a LaTeX slope (-525, -3375), deviation 42.6 pixels
Not a LaTeX slope (-6825, 525), deviation 525.0 pixels
Not a LaTeX slope (-750, 1050), deviation 42.0 pixels
Not a LaTeX slope (-1260, -832), deviation 9.2 pixels
Not a LaTeX slope (1260, 832), deviation 9.2 pixels

$ cat testtransfig.tex 
\setlength{\unitlength}{3947sp}%
%
\begingroup\makeatletter\ifx\SetFigFont\undefined%
\gdef\SetFigFont#1#2#3#4#5{%
  \reset@font\fontsize{#1}{#2pt}%
  \fontfamily{#3}\fontseries{#4}\fontshape{#5}%
  \selectfont}%
\fi\endgroup%
\begin{picture}(11715,9390)(1048,-9073)
{\color[rgb]{0,0,0}\thinlines
\put(2701,-1336){\oval(3290,3290)}
}%
{\color[rgb]{0,0,0}\put(5926,-7636){\framebox(6300,3300){}}
}%
{\color[rgb]{0,0,0}\put(1726,-4186){\line( 6, 1){7200}}
\put(8926,-2986){\line( 6,-1){3308.108}}
\put(12226,-3586){\line( 1,-4){525}}
\put(12751,-5686){\line(-1,-6){561.486}}
\put(12226,-9061){\line(-1, 0){6825}}
\put(5401,-8536){\line(-3, 4){774}}
}%
{\color[rgb]{0,0,0}\put(8326,-2086){\line( 0, 1){1507}}
\put(8236,-579){\line(-2, 1){1350}}
\put(6886, 96){\line(-3,-2){1256.308}}
\put(5626,-736){\line( 0,-1){1507}}
\put(5716,-2243){\line( 2,-1){1350}}
\put(7066,-2918){\line( 3, 2){1256.308}}
}%
\end{picture}%

The picture files all display OK either in gwenview or in okular. 
So OK for me

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 7 Aurelien Oudelet 2021-07-27 20:58:44 CEST 
type: security
subject: Updated transfig package fixes a security vulnerability
CVE:
 - CVE-2021-3561
src:
  8:
   core:
     - transfig-3.2.8a-1.mga8
description: |
  An Out of Bounds flaw was found fig2dev version 3.2.8a. A flawed bounds check
  in read_objects() could allow an attacker to provide a crafted malicious input
  causing the application to either crash or in some cases cause memory
  corruption. The highest threat from this vulnerability is to integrity as well
  as system availability (CVE-2021-3561).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=29126
 - https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RK4BRVCUPZKN5VS2JGWBPYITONWJCIZJ/
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C44WSY5KAQXC3Y2NMSVXXZS3M5U5U2E6/

Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2021-3561
CC: (none) => ouaurelien, sysadmin-bugs

Comment 8 Mageia Robot 2021-07-27 22:23:32 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0379.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 10 David Walser 2021-10-30 20:01:43 CEST 
This update also fixed CVE-2020-21529 CVE-2020-2153[0-5] CVE-2021-32280:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EBZZA2GBLUHRWOSJZPQSU2KHSYN4PFJK/
Note You need to log in before you can comment on or make changes to this bug.