Red Hat Bugzilla – Bug 1627974
CVE-2018-16140 transfig: Buffer underwrite in read.c:get_line() via crafted FIG file
Last modified: 2018-10-30 00:15:56 EDT
A buffer underwrite vulnerability in get_line() (read.c) in fig2dev 3.2.7a allows an attacker to write prior to the beginning of the buffer via a crafted .fig file.

Upstream Bug: https://sourceforge.net/p/mcj/tickets/28/
Upstream Patch: https://sourceforge.net/p/mcj/fig2dev/ci/e0c4b02429116b15ad1568c2c425f06b95b95830
Created transfig tracking bugs for this issue:

Affects: fedora-all [bug 1627975]
Reproduces on F28 with transfig-3.2.6a-2.fc28.x86_64:

# fig2dev -L tikz CVE-2018-16140 2>&1 | ./asan_symbolizer.py
Invalid color definition: , setting to black (#00000).
Invalid color definition: 0, setting to black (#00000).
Invalid color definition: 0, setting to black (#00000).
Cannot locate user color 100, using default color for line 13.
=================================================================
==26==ERROR: AddressSanitizer: global-buffer-overflow on address 0x564db2d93e7f at pc 0x564db2a0ef63 bp 0x7ffd37893c80 sp 0x7ffd37893c70
READ of size 1 at 0x564db2d93e7f thread T0
    #0 0x564db2a0ef62 in ?? /usr/src/debug/transfig-3.2.6a-2.fc28.x86_64/fig2dev/read.c:1403
    #1 0x564db2a15277 in ?? /usr/src/debug/transfig-3.2.6a-2.fc28.x86_64/fig2dev/read.c:337
    #2 0x564db29fe982 in ?? /usr/src/debug/transfig-3.2.6a-2.fc28.x86_64/fig2dev/fig2dev.c:412
    #3 0x7f62c42da11a in __libc_start_main (/lib64/libc.so.6+0x2311a)
    #3 0x564db29ff7d9 in ?? ??:0

0x564db2d93e7f is located 1 bytes to the left of global variable 'buf' defined in 'read.c:85:14' (0x564db2d93e80) of size 1024
0x564db2d93e7f is located 59 bytes to the right of global variable 'line_no' defined in 'read.c:86:13' (0x564db2d93e40) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/bin/fig2dev+0x75f62)
Shadow bytes around the buggy address:
  0x0aca365aa770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aca365aa780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aca365aa790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aca365aa7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aca365aa7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0aca365aa7c0: 00 00 00 00 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9[f9]
  0x0aca365aa7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aca365aa7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aca365aa7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aca365aa800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aca365aa810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Apart from the vulnerable get_line() function, a similar issue can be found in the read_objects() function as well, which was recently fixed upstream: https://sourceforge.net/p/mcj/fig2dev/ci/102f607eea49785d4a9c9c24af85f046c23674de/tree/fig2dev/read.c?diff=cd34790ba772ec9e1a6a1a868d3c39e093ab8475 with the corresponding diff: memset((char*)obj, '\0', COMOBJ_SIZE); - (void) fgets(buf, BUF_SIZE, fp); /* get the version line */ + (void) fgets(buf, BUFSIZ, fp); /* get the version line */ len = strlen(buf); if (len > 0) buf[len-1] = '\0'; /* remove newline */ - if (buf[len-2] == '\r') + if (len > 1 && buf[len-2] == '\r') buf[len-2] = '\0'; /* and any CR (from a PC perhaps) */ Given the minimal impact, we don't plan to request a CVE for it.
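Review bot: the fgets() limit changes from BUF_SIZE to BUFSIZ in the first '+' line, but the excerpt does not show the declaration of buf, and the ASan report above gives buf a size of 1024 (read.c:85); unless the same commit also declares buf with BUFSIZ bytes, the larger read limit lets fgets() write past the array, so that declaration should be checked alongside this hunk. The new `len > 1 &&` guard on the CR check is the right fix for an empty line, where the old `buf[len-2]` indexed before the buffer; note that the unchanged `if (len > 0) buf[len-1] = '\0';` still drops the last character whether or not it is a newline, so a line that fgets() truncated at the buffer limit loses one real byte. Guarding both strips on the character, e.g. `if (len > 0 && buf[len-1] == '\n')`, keeps the bounds safety and avoids that truncation.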
Created transfig tracking bugs for this issue:

Affects: fedora-all [bug 1632824]
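The guard pattern that the read_objects() diff quoted above applies, written out as an added example; this is not fig2dev's code or the upstream patch. It shows a line-ending stripper that indexes only within the current length (so an empty line or a lone '\r' never reaches buf[-1] or buf[-2]) and an fgets() wrapper that uses the buffer's real capacity as the read limit instead of a separate constant. LINE_CAP, the function names and the FIG-like sample text are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Constructed capacity; the ASan report above gives fig2dev's buf 1024 bytes. */
#define LINE_CAP 1024

/* Strip one trailing "\n", "\r\n" or "\r" from buf in place and return the
 * new length. Each index is guarded by the current length, so an empty
 * line or a lone '\r' never reaches buf[-1] or buf[-2], which is the case
 * the unguarded buf[len-2] check in the quoted '-' line mishandles. */
size_t strip_line_ending(char *buf)
{
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n')
        buf[--len] = '\0';
    if (len > 0 && buf[len - 1] == '\r')
        buf[--len] = '\0';
    return len;
}

/* Read one line into buf (cap bytes), passing the buffer's real capacity to
 * fgets() so the read limit and the array size cannot drift apart the way
 * two separate constants (BUF_SIZE vs BUFSIZ) can. Returns the stripped
 * length, or -1 at EOF/error. An over-long line is truncated and the rest
 * drained so the next call starts on the next input line. */
long read_line_stripped(FILE *fp, char *buf, size_t cap)
{
    if (cap < 2 || fgets(buf, (int)cap, fp) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len == cap - 1 && buf[len - 1] != '\n') {
        int c;
        while ((c = fgetc(fp)) != EOF && c != '\n')
            ;
    }
    return (long)strip_line_ending(buf);
}

/* Check helper: strip a copy of line and compare with the expected result. */
int strip_check(const char *line, const char *expected, size_t expected_len)
{
    char tmp[LINE_CAP];
    strncpy(tmp, line, sizeof tmp - 1);
    tmp[sizeof tmp - 1] = '\0';
    size_t len = strip_line_ending(tmp);
    return len == expected_len && strcmp(tmp, expected) == 0;
}

/* Count the lines of an in-memory text read through a cap-byte window
 * (cap <= LINE_CAP), so truncation of over-long lines can be exercised. */
int count_lines(const char *text, size_t cap)
{
    if (cap > LINE_CAP)
        cap = LINE_CAP;
    FILE *fp = fmemopen((void *)text, strlen(text), "r");
    if (fp == NULL)
        return -1;
    char buf[LINE_CAP];
    int n = 0;
    while (read_line_stripped(fp, buf, cap) >= 0)
        n++;
    fclose(fp);
    return n;
}

int main(void)
{
    /* Constructed input: CRLF header line, two empty lines, one colour line. */
    const char *fig = "#FIG 3.2\r\n\n\n0 32 #ff0000\n";
    printf("lines: %d\n", count_lines(fig, LINE_CAP));      /* 4 */
    printf("empty line ok: %d\n", strip_check("", "", 0));  /* 1 */
    printf("lone CR ok: %d\n", strip_check("\r", "", 0));   /* 1 */
    return 0;
}
```

The empty-line and lone-'\r' inputs are the ones where a length-unaware strip indexes before the array; with the checks keyed on the current length they simply return 0. Using `sizeof buf` (or the passed capacity) as the fgets() limit is what prevents a read-size constant and the array declaration from disagreeing.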
@Adam Mariš, where can we download the updated version of fig2dev?