Bug 659676 (CVE-2010-4262)

Summary: CVE-2010-4262 Xfig: Stack-based buffer overflow by processing certain FIG images
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: hdegoede, pertusus, sochotni, underground-stockholm, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-31 10:11:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 657981
Bug Blocks:

Attachments:
Description                              Flags
Local copy of the public PoC from [2]    none
Patch fixing this.                       none

Description Jan Lieskovsky 2010-12-03 12:41:10 UTC
A stack-based buffer overflow flaw was found in
the way Xfig processed certain FIG images. A remote
attacker could create a FIG image with a specially crafted
color definition and trick a local, unsuspecting
user into opening it, which could lead to a crash of the
xfig executable or, potentially, arbitrary code execution
with the privileges of the user running the executable.

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=657981

Public PoC:
[2] https://bugzilla.redhat.com/attachment.cgi?id=463393

Flaw severity note:
On systems with the compile-time buffer checks (FORTIFY_SOURCE)
feature enabled, the impact of this flaw is mitigated to
a crash only.
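
The defect class described above, as an added illustration that is not xfig's code and not the attached patch: a FIG colour-definition line is parsed into a fixed-size stack buffer with a width-limited scan plus explicit validation, where a bare `%s` conversion would be the overflow. The colour-line syntax and the 32..543 index range are assumed from the FIG 3.2 format; FORTIFY_SOURCE, as the severity note says, only turns such an overflow into an abort, whereas the bound here prevents it.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed example, not xfig's read.c. A FIG 3.2 user colour definition
 * line is "0 <colour-number> #rrggbb": object code 0, an index (assumed here
 * to be the FIG 3.2 user range 32..543), and a 7-character hex colour. */

#define RGB_LEN   7      /* strlen("#rrggbb") */
#define COLOR_MIN 32
#define COLOR_MAX 543

/* Parses one colour pseudo-object line. Returns 1 and fills *colornum and
 * rgb (room for RGB_LEN + 1 bytes, never overrun) on success, 0 on rejection. */
int parse_colordef(const char *line, int *colornum, char rgb[RGB_LEN + 1])
{
    char tok[RGB_LEN + 2];   /* one byte more than a valid token, see below */
    int obj;

    /* A bare "%s" would copy a token of any length onto the stack; "%8s"
     * bounds the copy to 8 chars + NUL, which is exactly sizeof tok. */
    if (sscanf(line, "%d %d %8s", &obj, colornum, tok) != 3)
        return 0;
    if (obj != 0 || *colornum < COLOR_MIN || *colornum > COLOR_MAX)
        return 0;
    /* An over-long token arrives truncated to 8 chars, so length 7 is exact. */
    if (strlen(tok) != RGB_LEN || tok[0] != '#')
        return 0;
    for (int i = 1; i < RGB_LEN; i++)
        if (!isxdigit((unsigned char)tok[i]))
            return 0;
    memcpy(rgb, tok, RGB_LEN + 1);
    return 1;
}

int main(void)
{
    /* constructed inputs: one valid line, one with an over-long colour token */
    const char *lines[] = { "0 32 #ff0000", "0 33 #ff0000ff0000ff0000ff0000" };
    int c;
    char rgb[RGB_LEN + 1];
    for (size_t i = 0; i < 2; i++)
        printf("%-32s -> %s\n", lines[i],
               parse_colordef(lines[i], &c, rgb) ? "accepted" : "rejected");
    return 0;
}
```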

Comment 1 Jan Lieskovsky 2010-12-03 12:42:51 UTC
This issue affects the versions of the xfig package, as shipped with
Red Hat Enterprise Linux 4, 5, and 6.

--

This issue affects the versions of the xfig package, as shipped with
Fedora releases 13 and 14.

Please schedule an update.

Comment 2 Jan Lieskovsky 2010-12-03 12:44:34 UTC
Created attachment 464564 [details]
Local copy of the public PoC from [2]

Comment 4 Jan Lieskovsky 2010-12-03 13:10:50 UTC
CVE Request:
[3] http://www.openwall.com/lists/oss-security/2010/12/03/2

Comment 5 Jan Lieskovsky 2010-12-03 13:12:36 UTC
Statement:

(none)

Comment 6 Hans de Goede 2010-12-03 18:56:46 UTC
Created attachment 464628 [details]
Patch fixing this.

Hi All,

Here is a patch which was sent to me by the SUSE xfig maintainer "Dr. Werner Fink" <werner>, with whom I've worked together on various other xfig bugs.

I've reviewed and tested this and I can confirm it fixes the bug. I'm going to prepare a Fedora xfig update for this, with this patch.

Regards,

Hans

Comment 7 Vincent Danen 2010-12-07 23:14:06 UTC
This has been assigned CVE-2010-4262.

Comment 8 Jan Lieskovsky 2011-03-01 17:06:49 UTC
*** Bug 657981 has been marked as a duplicate of this bug. ***