Bug 1786726 (CVE-2019-19797)

Summary: CVE-2019-19797 transfig: out-of-bounds write in read_colordef in read.c
Product: [Other] Security Response
Component: vulnerability
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Assignee: Red Hat Product Security <security-response-team>
CC: databases-maint, hhorak, kasal, mschorm, odubaj, panovotn, pkubat, tomm.momi
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds write flaw was found in transfig in the way the `fig2dev` program processes Fig format files. Specifically, the flaw affects the translation of Fig codes into the box graphics language. An attacker could crash the `fig2dev` program by tricking it into processing a specially crafted Fig format file.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1786727, 1786728, 1826923, 1826924
Bug Blocks: 1786731

Description Guilherme de Almeida Suckevicz 2019-12-27 14:29:36 UTC
read_colordef in read.c in Xfig fig2dev 3.2.7b has an out-of-bounds write.

Reference:
https://sourceforge.net/p/mcj/tickets/67/
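As an added illustration of the flaw class named in this report, and not fig2dev's actual `read_colordef` (whose source is not shown on this page), the C example below parses a Fig-style colour pseudo-object line and shows the index check that keeps a crafted index from writing outside a fixed-size colour table. The line format `0 <index> #rrggbb`, the constants `NUM_STD_COLS` and `MAX_USR_COLS`, the table layout and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for this example: Fig indices 0..31 are predefined colours,
 * user colours start at NUM_STD_COLS and the table holds MAX_USR_COLS entries. */
#define NUM_STD_COLS 32
#define MAX_USR_COLS 512

typedef struct { uint8_t r, g, b; } rgb_t;

/* Fixed-size user colour table: the kind of buffer an unchecked index overruns. */
static rgb_t user_colors[MAX_USR_COLS];

/* Parse a colour pseudo-object line of the form "0 <index> #rrggbb".
 * Returns 0 on success, -1 if the line is malformed. Does not validate the range. */
static int parse_colordef(const char *line, int *idx, rgb_t *rgb)
{
    unsigned r, g, b;
    if (sscanf(line, "0 %d #%2x%2x%2x", idx, &r, &g, &b) != 4)
        return -1;
    rgb->r = (uint8_t)r;
    rgb->g = (uint8_t)g;
    rgb->b = (uint8_t)b;
    return 0;
}

/* Defect pattern (hypothetical, for contrast with the checked version below):
 * the parsed index is trusted, so a file-controlled value steers the write
 * outside user_colors. */
int read_colordef_unchecked(const char *line)
{
    int idx;
    rgb_t rgb;
    if (parse_colordef(line, &idx, &rgb) != 0)
        return -1;
    user_colors[idx - NUM_STD_COLS] = rgb;   /* no range check on idx */
    return 0;
}

/* Hardened version: reject any index outside the table before writing.
 * Returns 0 on success, -1 if malformed, -2 if the index is out of range. */
int read_colordef_checked(const char *line)
{
    int idx;
    rgb_t rgb;
    if (parse_colordef(line, &idx, &rgb) != 0)
        return -1;
    if (idx < NUM_STD_COLS || idx >= NUM_STD_COLS + MAX_USR_COLS)
        return -2;
    user_colors[idx - NUM_STD_COLS] = rgb;
    return 0;
}

/* Look up a user colour by Fig index; NULL if the index is not a user colour. */
const rgb_t *get_user_color(int idx)
{
    if (idx < NUM_STD_COLS || idx >= NUM_STD_COLS + MAX_USR_COLS)
        return NULL;
    return &user_colors[idx - NUM_STD_COLS];
}

int main(void)
{
    /* Constructed sample lines: one valid, two with indices outside the table. */
    const char *lines[] = { "0 40 #ff8000", "0 100000 #000000", "0 -7 #000000" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-20s -> %d\n", lines[i], read_colordef_checked(lines[i]));
    return 0;
}
```

The check sits between parsing and the store, which is the only place it is effective: validating after the assignment, or only in the read path, still lets the write land outside the table. Rejecting the line (rather than clamping the index) also keeps a malformed file from silently redefining a different colour.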

Comment 1 Guilherme de Almeida Suckevicz 2019-12-27 14:30:28 UTC
Created xfig tracking bugs for this issue:

Affects: epel-7 [bug 1786728]
Affects: fedora-all [bug 1786727]

Comment 2 Hans de Goede 2020-01-15 19:48:35 UTC
fig2dev is part of transfig, not xfig.

I've updated the Fedora tracking bug accordingly. EPEL does not appear to have transfig, so I believe that the EPEL tracking bug can be closed, but I'm leaving that up to you.

I'm also leaving any necessary updates to this bug (Summary?) up to you.

Comment 3 Guilherme de Almeida Suckevicz 2020-01-16 15:05:30 UTC
Thank you for your information.

Comment 4 Mauro Matteo Cascella 2020-04-20 15:17:41 UTC
Upstream fix:
https://sourceforge.net/p/mcj/fig2dev/ci/41b9bb838a3d544539f6e68aa4f87d70ef7d45ce/

Comment 8 Mauro Matteo Cascella 2020-04-22 13:46:51 UTC
Mitigation:

Avoid loading and processing Fig format files from untrusted external sources.

Comment 10 Mauro Matteo Cascella 2020-05-26 15:14:10 UTC
There is no fixed upstream version yet. This issue affects the latest upstream version, 3.2.7; a new version with the fixes (comment #4) has not been released yet.