A buffer underwrite vulnerability in get_line() (read.c) in fig2dev 3.2.7a allows an attacker to write prior to the beginning of the buffer via a crafted .fig file.

Upstream Bug: https://sourceforge.net/p/mcj/tickets/28/
Upstream Patch: https://sourceforge.net/p/mcj/fig2dev/ci/e0c4b02429116b15ad1568c2c425f06b95b95830
Created transfig tracking bugs for this issue: Affects: fedora-all [bug 1627975]
Reproduces on F28 with transfig-3.2.6a-2.fc28.x86_64:

# fig2dev -L tikz CVE-2018-16140 2>&1 | ./asan_symbolizer.py
Invalid color definition: , setting to black (#00000).
Invalid color definition: 0, setting to black (#00000).
Invalid color definition: 0, setting to black (#00000).
Cannot locate user color 100, using default color for line 13.
=================================================================
==26==ERROR: AddressSanitizer: global-buffer-overflow on address 0x564db2d93e7f at pc 0x564db2a0ef63 bp 0x7ffd37893c80 sp 0x7ffd37893c70
READ of size 1 at 0x564db2d93e7f thread T0
    #0 0x564db2a0ef62 in ?? /usr/src/debug/transfig-3.2.6a-2.fc28.x86_64/fig2dev/read.c:1403
    #1 0x564db2a15277 in ?? /usr/src/debug/transfig-3.2.6a-2.fc28.x86_64/fig2dev/read.c:337
    #2 0x564db29fe982 in ?? /usr/src/debug/transfig-3.2.6a-2.fc28.x86_64/fig2dev/fig2dev.c:412
    #3 0x7f62c42da11a in __libc_start_main (/lib64/libc.so.6+0x2311a)
    #3 0x564db29ff7d9 in ?? ??:0

0x564db2d93e7f is located 1 bytes to the left of global variable 'buf' defined in 'read.c:85:14' (0x564db2d93e80) of size 1024
0x564db2d93e7f is located 59 bytes to the right of global variable 'line_no' defined in 'read.c:86:13' (0x564db2d93e40) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/bin/fig2dev+0x75f62)
Shadow bytes around the buggy address:
  0x0aca365aa770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aca365aa780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aca365aa790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aca365aa7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aca365aa7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0aca365aa7c0: 00 00 00 00 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9[f9]
  0x0aca365aa7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aca365aa7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aca365aa7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aca365aa800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aca365aa810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
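The line-terminator stripping that produces the out-of-bounds read and underwrite reported above, modelled in a constructed buffer with a guard byte in front of it, beside a bounds-checked version. This is an added example and not fig2dev's code; the guard-byte layout, the BUF_SIZE value, the sample .fig line and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1024

/* Constructed model of the global line buffer: one guard byte sits in
 * front of 'buf', so buf[-1] is mem[0], a byte we may legally read and
 * inspect. In the real binary the byte before 'buf' belongs to whatever
 * global precedes it, which is what ASan's global redzone flagged. */
static char mem[1 + BUF_SIZE];
static char *const buf = mem + 1;

/* The vulnerable pattern: drop the trailing '\n', then a '\r' before it,
 * assuming the line holds at least two bytes. For a bare "\n" line,
 * len == 1 and buf[len - 2] is buf[-1]. 'guard' is the sentinel planted
 * in the byte before the buffer; the return value is that byte afterwards.
 * Only non-empty lines are modelled (len == 0 would index further out). */
static char strip_eol_unchecked(const char *line, char guard)
{
    mem[0] = guard;
    snprintf(buf, BUF_SIZE, "%s", line);  /* what fgets() left in buf */
    size_t len = strlen(buf);
    if (len > 0)
        buf[len - 1] = '\0';              /* remove newline */
    if (buf[len - 2] == '\r')             /* len == 1: reads buf[-1] ... */
        buf[len - 2] = '\0';              /* ... and writes it if it was '\r' */
    return mem[0];
}

/* Hardened form: strip "\n" or "\r\n" only when present and never index
 * before the start of the buffer. Returns the new length. */
static size_t strip_eol_checked(char *s)
{
    size_t len = strlen(s);
    if (len > 0 && s[len - 1] == '\n')
        s[--len] = '\0';
    if (len > 0 && s[len - 1] == '\r')
        s[--len] = '\0';
    return len;
}

int main(void)
{
    char line[] = "2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2\r\n";  /* constructed .fig line */
    size_t n = strip_eol_checked(line);
    printf("bare newline, sentinel 'G':  guard now %d (out-of-bounds read only)\n", strip_eol_unchecked("\n", 'G'));
    printf("bare newline, sentinel '\\r': guard now %d (underwrite)\n", strip_eol_unchecked("\n", '\r'));
    printf("checked: \"%s\" -> length %zu\n", line, n);
    return 0;
}
```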
Apart from the vulnerable get_line() function, a similar issue can be found in the read_objects() function as well, which was recently fixed in upstream: https://sourceforge.net/p/mcj/fig2dev/ci/102f607eea49785d4a9c9c24af85f046c23674de/tree/fig2dev/read.c?diff=cd34790ba772ec9e1a6a1a868d3c39e093ab8475 with the corresponding diff:

memset((char*)obj, '\0', COMOBJ_SIZE); - (void) fgets(buf, BUF_SIZE, fp); /* get the version line */ + (void) fgets(buf, BUFSIZ, fp); /* get the version line */ len = strlen(buf); if (len > 0) buf[len-1] = '\0'; /* remove newline */ - if (buf[len-2] == '\r') + if (len > 1 && buf[len-2] == '\r') buf[len-2] = '\0'; /* and any CR (from a PC perhaps) */

Given the minimal impact, we don't plan to request a CVE for it.
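Review bot: the second change, `+ if (len > 1 && buf[len-2] == '\r')`, is the actual fix: after `buf[len-1] = '\0'`, a line consisting of just "\n" has len == 1, so the old `buf[len-2]` indexed one byte before buf, the same out-of-bounds read ASan reports for get_line() in the comment above. The first change swaps the fgets() size argument from BUF_SIZE to BUFSIZ, but the hunk does not show the declaration of buf; that argument must not exceed the array's real size (the ASan report lists buf as 1024 bytes), or fgets() could write past the end, so the commit should be checked for a matching change to the declaration. A smaller point: `buf[len-1] = '\0'` drops the last byte unconditionally, so a line longer than the buffer (no newline read) loses a real character; testing `buf[len-1] == '\n'` before overwriting it would be tighter.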
Created transfig tracking bugs for this issue: Affects: fedora-all [bug 1632824]
@Adam Mariš, where can we download the updated version of fig2dev?
Statement: This issue affects the versions of transfig as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Extended Life Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

This issue affects the versions of transfig as shipped with Red Hat Enterprise Linux 6. Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Low, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.