Bug 29608 - transfig new security issues fixed upstream in 3.2.8b
Summary: transfig new security issues fixed upstream in 3.2.8b
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-10-30 20:04 CEST by David Walser
Modified: 2021-11-18 22:52 CET

See Also:
Source RPM: transfig-3.2.8a-1.mga9.src.rpm
CVE:
Status comment:

Description David Walser 2021-10-30 20:04:13 CEST
transfig 3.2.8b has been released in August 2021:
https://sourceforge.net/p/mcj/fig2dev/ci/3.2.8b/tree/CHANGES

It fixes buffer overflows, segfaults, and other bugs.

Mageia 8 is also affected.
David Walser 2021-10-30 20:04:26 CEST

Whiteboard: (none) => MGA8TOO
CC: (none) => mageia

Comment 1 Lewis Smith 2021-10-30 21:21:02 CEST
No particular packager visible for this SRPM, so having to assign this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Lécureuil 2021-11-07 00:10:23 CET
fixed in mga8/9


src:
    - transfig-3.2.8b-1.mga8

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs

Comment 3 Herman Viaene 2021-11-12 16:10:10 CET
MGA8-64 Plasma on Lenovo B50
No installation issues
Ref bug 29126 for testing (deleting first the result files from the previous version).
At CLI:
$ fig2dev -L png testtransfig.fig testtransfig.png
$ file testtransfig.png
testtransfig.png: PNG image data, 781 x 626, 1-bit colormap, non-interlaced
$ fig2dev -L eps testtransfig.fig testtransfig.ps
$  fig2dev -L pdf testtransfig.fig testtransfig.pdf
$ fig2dev -L gif testtransfig.fig testtransfig.gif
$ fig2dev -L latex testtransfig.fig testtransfig.tex
Not a LaTeX slope (3300, -600), deviation 56.8 pixels
Not a LaTeX slope (-525, -3375), deviation 42.6 pixels
Not a LaTeX slope (-6825, 525), deviation 525.0 pixels
Not a LaTeX slope (-750, 1050), deviation 42.0 pixels
Not a LaTeX slope (-1260, -832), deviation 9.2 pixels
Not a LaTeX slope (1260, 832), deviation 9.2 pixels
$ cat testtransfig.tex 
\setlength{\unitlength}{3947sp}%
%
\begingroup\makeatletter\ifx\SetFigFont\undefined%
\gdef\SetFigFont#1#2#3#4#5{%
  \reset@font\fontsize{#1}{#2pt}%
  \fontfamily{#3}\fontseries{#4}\fontshape{#5}%
  \selectfont}%
\fi\endgroup%
\begin{picture}(11715,9390)(1048,-9073)
{\color[rgb]{0,0,0}\thinlines
\put(2701,-1336){\oval(3290,3290)}
}%
{\color[rgb]{0,0,0}\put(5926,-7636){\framebox(6300,3300){}}
}%
{\color[rgb]{0,0,0}\put(1726,-4186){\line( 6, 1){7200}}
\put(8926,-2986){\line( 6,-1){3308.108}}
\put(12226,-3586){\line( 1,-4){525}}
\put(12751,-5686){\line(-1,-6){561.486}}
\put(12226,-9061){\line(-1, 0){6825}}
\put(5401,-8536){\line(-3, 4){774}}
}%
{\color[rgb]{0,0,0}\put(8326,-2086){\line( 0, 1){1507}}
\put(8236,-579){\line(-2, 1){1350}}
\put(6886, 96){\line(-3,-2){1256.308}}
\put(5626,-736){\line( 0,-1){1507}}
\put(5716,-2243){\line( 2,-1){1350}}
\put(7066,-2918){\line( 3, 2){1256.308}}
}%
\end{picture}%

The picture files all display OK either in gwenview or in okular. 
So OK for me

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2021-11-13 16:39:04 CET
I'm glad you grabbed this one, Herman. I thought about trying to stumble my way through it, but far better to have experienced eyes looking at it.

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-11-18 19:15:54 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2021-11-18 22:52:28 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0513.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
