Bug 659676 - (CVE-2010-4262) CVE-2010-4262 Xfig: Stack-based buffer overflow by processing certain FIG images
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Priority: low
Severity: low
Assigned To: Red Hat Product Security
public=20101128,reported=20101202,sou...
Keywords: Security
Depends On: 657981
Reported: 2010-12-03 07:41 EST by Jan Lieskovsky
Modified: 2016-03-31 06:11 EDT
Doc Type: Bug Fix
Last Closed: 2016-03-31 06:11:24 EDT

Attachments:
- Local copy of the public PoC from [2] (1.02 KB, text/plain), 2010-12-03 07:44 EST, Jan Lieskovsky
- Patch fixing this. (617 bytes, patch), 2010-12-03 13:56 EST, Hans de Goede

Description Jan Lieskovsky 2010-12-03 07:41:10 EST
A stack-based buffer overflow flaw was found in
the way Xfig processed certain FIG images. A remote
attacker could create a FIG image with a specially-crafted
color definition, and trick a local, unsuspecting
user into opening it, which could lead to an xfig executable
crash or, potentially, arbitrary code execution with
the privileges of the user running the executable.

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=657981

Public PoC:
[2] https://bugzilla.redhat.com/attachment.cgi?id=463393

Flaw severity note:
On systems with the compile-time buffer checks (FORTIFY_SOURCE)
feature enabled, the impact of this flaw is mitigated to
a crash only.
Comment 1 Jan Lieskovsky 2010-12-03 07:42:51 EST
This issue affects the versions of the xfig package, as shipped with
Red Hat Enterprise Linux 4, 5, and 6.

--

This issue affects the versions of the xfig package, as shipped with
Fedora releases 13 and 14.

Please schedule an update.
Comment 2 Jan Lieskovsky 2010-12-03 07:44:34 EST
Created attachment 464564 [details]
Local copy of the public PoC from [2]
Comment 4 Jan Lieskovsky 2010-12-03 08:10:50 EST
CVE Request:
[3] http://www.openwall.com/lists/oss-security/2010/12/03/2
Comment 5 Jan Lieskovsky 2010-12-03 08:12:36 EST
Statement:

(none)
Comment 6 Hans de Goede 2010-12-03 13:56:46 EST
Created attachment 464628 [details]
Patch fixing this.

Hi All,

Here is a patch which was sent to me by the SUSE xfig maintainer "Dr. Werner Fink" <werner@suse.de>, with whom I've worked together on various other xfig bugs.

I've reviewed and tested this and I can confirm it fixes the bug. I'm going to prepare a Fedora xfig update for this, with this patch.

Regards,

Hans
Comment 7 Vincent Danen 2010-12-07 18:14:06 EST
This has been assigned CVE-2010-4262.
Comment 8 Jan Lieskovsky 2011-03-01 12:06:49 EST
*** Bug 657981 has been marked as a duplicate of this bug. ***