PEDAMACHEPHEPTOLIONES and D.B. COOPER found a stack-based buffer overflow, present in Xfig, Transfig by loading malformed .FIG files. A remote attacker could provide a specially-crafted .FIG text object file, which, once opened by a local, unsuspecting user, would lead to denial of service (Xfig, fig2dev crash).

References:
-----------
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559274

Fortran PoC by PEDAMACHEPHEPTOLIONES:
-------------------------------------
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=xfig_poc.f;att=1;bug=559274

CVE was requested here:
-----------------------
http://www.openwall.com/lists/oss-security/2009/12/03/2
Created attachment 375778 [details]
Local copy of Fortran Xfig PoC from PEDAMACHEPHEPTOLIONES, D.B. COOPER
This issue does NOT affect the versions of the xfig and transfig packages, as shipped with Red Hat Enterprise Linux 3. This issue affects the versions of the xfig and transfig packages, as shipped with Red Hat Enterprise Linux 4 and 5. This issue affects the versions of the xfig and transfig packages, as shipped with Fedora release of 10, 11, 12 and Fedora Rawhide.
Created attachment 376059 [details]
PATCH: fixing this for xfig

Here is a proposed patch for xfig-3.2.5b, which fixes this overflow. Note that after this xfig will still crash on plane.fig, going into a recursive function call loop inside u_bound.c, till it exceeds its maximum stack size. This may be caused by the use of an uninitialized variable resolution (for 1.3 files) inside f_read.c:readfp_fig() when calling scale_figure(). Given that this other bug has lingered for quite a long while, I'm wondering if 1.3 format support is still functional at all, and if it would not be better to simply disable it? Can anyone provide me with some valid 1.3 format files to see how much work it will be to fix 1.3 format support?
The CVE identifiers of CVE-2009-4227 and CVE-2009-4228 have been assigned for Xfig by MITRE:
---------------------------------------------------------------------------
a, CVE-2009-4227
Stack-based buffer overflow in the read_1_3_textobject function in f_readold.c in Xfig 3.2.5b and earlier, and in the read_textobject function in read1_3.c in fig2dev in Transfig 3.2.5a and earlier, allows remote attackers to execute arbitrary code via a long string in a malformed .fig file that uses the 1.3 file format. NOTE: some of these details are obtained from third party information.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4227
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559274
http://www.securityfocus.com/bid/37193
http://secunia.com/advisories/37571
http://secunia.com/advisories/37577
http://xforce.iss.net/xforce/xfdb/54525
---------------------------------------------------------------------------
b, CVE-2009-4228
Stack consumption vulnerability in u_bound.c in Xfig 3.2.5b and earlier allows remote attackers to cause a denial of service (application crash) via a long string in a malformed .fig file that uses the 1.3 file format, possibly related to the readfp_fig function in f_read.c.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4228
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559274
This should not affect Fedora 11 or higher at all. The stack protection bits are doing their job, as noted by:

% xfig plane.fig|head
zsh: correct 'xfig' to '_xfig' [nyae]? n
*** stack smashing detected ***: xfig-Xaw3d terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3b2d4f6ea7]
/lib64/libc.so.6(__fortify_fail+0x0)[0x3b2d4f6e70]
...

Likewise, the spec in Fedora uses:

make XFIGDOCDIR=%{_docdir}/%{name}-%{version} \
  CDEBUGFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -fno-strength-reduce -fno-strict-aliasing"

and:

% strings /usr/bin/xfig-Xaw3d|grep stack
__stack_chk_fail

By rights this should affect Fedora 10 since %optflags does not have -fstack-protector, but the results of running the proof of concept are the same (stack smashing detected), and strings shows __stack_chk_fail is present, so I'm not quite sure why this is aborted on Fedora 10.
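The CVE-2009-4227 description above names the defect (a long string in a 1.3-format text object copied into a fixed stack buffer) and the comment above shows what the stack protector does with it: it turns the overflow into an abort, which is exactly the crash reported, not a fix. The fix is a bounded read. The following C program is an added illustration of that bounded-read pattern and is not xfig's or transfig's code; the record layout ("x y text", one object per line), the TEXT_MAX buffer size and all function names are assumptions made for the example, and the over-long record is constructed inside the program.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed on-stack buffer size, standing in for the fixed buffer
 * the original reader wrote into. Not the real xfig value. */
#define TEXT_MAX 128

enum read_status { READ_OK = 0, READ_BAD_FORMAT = 1, READ_TOO_LONG = 2 };

/* Hypothetical, simplified text object: two coordinates and a string. */
struct text_object {
    int x, y;
    char text[TEXT_MAX];
};

/* Parse one "x y text..." line.
 * The classic defect is sscanf(line, "%d %d %s", &x, &y, buf) with no
 * width on %s: the string is copied until whitespace, however long it is,
 * past the end of buf. Here the string's length is measured first and a
 * record whose string does not fit is refused instead of copied. */
enum read_status read_text_object(const char *line, struct text_object *out)
{
    int consumed = 0;
    if (sscanf(line, "%d %d%n", &out->x, &out->y, &consumed) != 2)
        return READ_BAD_FORMAT;

    const char *s = line + consumed;
    while (*s == ' ' || *s == '\t')
        s++;

    size_t len = strcspn(s, "\r\n");      /* string runs to end of line */
    if (len >= sizeof out->text)          /* must leave room for the NUL */
        return READ_TOO_LONG;

    memcpy(out->text, s, len);
    out->text[len] = '\0';
    return READ_OK;
}

/* Build a constructed record "10 20 AAAA...\n" whose string is n bytes
 * long and run it through the reader; used to exercise the reject path. */
enum read_status read_synthetic_record(size_t n, struct text_object *out)
{
    char *line = malloc(n + 32);
    if (line == NULL)
        return READ_BAD_FORMAT;
    int hdr = sprintf(line, "10 20 ");
    memset(line + hdr, 'A', n);
    line[hdr + n] = '\n';
    line[hdr + n + 1] = '\0';
    enum read_status st = read_text_object(line, out);
    free(line);
    return st;
}

int main(void)
{
    struct text_object t;
    const size_t lengths[] = { 10, TEXT_MAX - 1, TEXT_MAX, 5000 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        enum read_status st = read_synthetic_record(lengths[i], &t);
        printf("string of %zu bytes: %s\n", lengths[i],
               st == READ_OK ? "accepted" : "rejected (too long)");
    }
    return 0;
}
```

The reader fails closed: a string of TEXT_MAX - 1 bytes is the longest it accepts, and anything longer returns READ_TOO_LONG before a single byte is written to the buffer, so neither the stack canary nor the attacker's input length decides what happens.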
The Red Hat Security Response Team has rated this issue as having moderate security impact; a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
Created transfig tracking bugs for this issue

Affects: fedora-all [bug 845605]
Created xfig tracking bugs for this issue

Affects: fedora-all [bug 845606]
(In reply to comment #12)
> Created xfig tracking bugs for this issue
>
> Affects: fedora-all [bug 845606]

Fixed for Fedora-16 - Fedora-18 & rawhide, updates for Fedora-16 & Fedora-17 are here:
https://admin.fedoraproject.org/updates/xfig-3.2.5-32.b.fc16
https://admin.fedoraproject.org/updates/xfig-3.2.5-32.b.fc17
(In reply to comment #16)
> (In reply to comment #12)
> > Created xfig tracking bugs for this issue
> >
> > Affects: fedora-all [bug 845606]
>
> Fixed for Fedora-16 - Fedora-18 & rawhide, updates for Fedora-16 & Fedora-17
> are here:
> https://admin.fedoraproject.org/updates/xfig-3.2.5-32.b.fc16
> https://admin.fedoraproject.org/updates/xfig-3.2.5-32.b.fc17

Should not bug #845606 reflect that then and be closed?
(In reply to comment #17)
> > Fixed for Fedora-16 - Fedora-18 & rawhide, updates for Fedora-16 & Fedora-17
> > are here:
> > https://admin.fedoraproject.org/updates/xfig-3.2.5-32.b.fc16
> > https://admin.fedoraproject.org/updates/xfig-3.2.5-32.b.fc17
>
> Should not bug #845606 reflect that then and be closed?

It will be automatically closed by bodhi once the update has been moved from updates-testing to the regular (stable) updates repository.
(In reply to comment #18)
> > > https://admin.fedoraproject.org/updates/xfig-3.2.5-32.b.fc16
> > > https://admin.fedoraproject.org/updates/xfig-3.2.5-32.b.fc17
> >
> > Should not bug #845606 reflect that then and be closed?
>
> It will be automatically closed by bodhi once the update has been moved from
> updates-testing to the regular (stable) updates repository.

Those two update requests do not reference bug #845606, so it will not be auto-closed when updates are pushed to stable. It will need to be added to the bug list to have it closed.
(In reply to comment #19)
> > It will be automatically closed by bodhi once the update has been moved from
> > updates-testing to the regular (stable) updates repository.
>
> Those two update request do not reference bug #845606, so it will not be
> auto-closed when updates are pushed to stable. It will need to be added to
> the bug list to have it closed.

Ah yes, my bad, fixed now.
xfig-3.2.5-32.b.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
xfig-3.2.5-32.b.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
transfig-3.2.5d-7.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
transfig-3.2.5d-4.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Not planned to be fixed in future Red Hat Enterprise Linux updates.