Bug 659676 (CVE-2010-4262) - CVE-2010-4262 Xfig: Stack-based buffer overflow by processing certain FIG images
Summary: CVE-2010-4262 Xfig: Stack-based buffer overflow by processing certain FIG images
Status: CLOSED WONTFIX
Alias: CVE-2010-4262
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20101128,reported=20101202,sou...
Keywords: Security
Duplicates: 657981
Depends On: 657981
Blocks:
Reported: 2010-12-03 12:41 UTC by Jan Lieskovsky
Modified: 2019-06-08 18:41 UTC (History)
Clone Of:
Last Closed: 2016-03-31 10:11:24 UTC


Attachments
Local copy of the public PoC from [2] (1.02 KB, text/plain), 2010-12-03 12:44 UTC, Jan Lieskovsky
Patch fixing this. (617 bytes, patch), 2010-12-03 18:56 UTC, Hans de Goede

Description Jan Lieskovsky 2010-12-03 12:41:10 UTC
A stack-based buffer overflow flaw was found in
the way Xfig processed certain FIG images. A remote
attacker could create a FIG image with a specially-crafted
color definition, and trick a local, unsuspecting
user into opening it, which could lead to a crash of the
xfig executable or, potentially, arbitrary code execution with
the privileges of the user running the executable.

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=657981

Public PoC:
[2] https://bugzilla.redhat.com/attachment.cgi?id=463393

Flaw severity note:
On systems with the compile-time buffer checks feature
(FORTIFY_SOURCE) enabled, the impact of this flaw is
mitigated to only a crash.
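As an added example (not code from this bug report, from the attached patch, or from xfig itself), a bounds-checked parser for the FIG 3.2 color pseudo-object line ("0 <color_number> #rrggbb") that the report refers to. The unsafe pattern it is contrasted with in the comments (an unbounded "%s" conversion into a fixed stack buffer) is an assumption about the flaw's shape, not a detail the report states; the sample lines are constructed.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define FIG_COLOR_MIN 32    /* user-defined color numbers per FIG 3.2 */
#define FIG_COLOR_MAX 543
#define HEX_DIGITS 6        /* "#rrggbb" */

struct fig_color { int number; unsigned char rgb[3]; };

/* Parse "0 <num> #rrggbb". Returns 0 on success, -1 if the line is malformed
 * or any token is longer than the format allows. Assumption (hypothetical,
 * not from the report): the vulnerable code did sscanf(line, "%d %s", ...)
 * into a fixed-size char array on the stack, so the hex token's length was
 * attacker-controlled. Here the token is validated in place and only a
 * fixed number of bytes is ever copied. */
int parse_fig_color(const char *line, struct fig_color *out)
{
    char *end;
    long obj = strtol(line, &end, 10);
    if (end == line || obj != 0) return -1;          /* object code must be 0 */
    long num = strtol(end, &end, 10);
    if (num < FIG_COLOR_MIN || num > FIG_COLOR_MAX) return -1;
    while (*end == ' ' || *end == '\t') end++;
    if (*end++ != '#') return -1;
    for (int i = 0; i < HEX_DIGITS; i++)             /* exactly six hex digits */
        if (!isxdigit((unsigned char)end[i])) return -1;
    for (const char *p = end + HEX_DIGITS; *p; p++)  /* nothing but whitespace after */
        if (!isspace((unsigned char)*p)) return -1;
    char hex[HEX_DIGITS + 1];
    memcpy(hex, end, HEX_DIGITS);
    hex[HEX_DIGITS] = '\0';
    unsigned long v = strtoul(hex, NULL, 16);
    out->number = (int)num;
    out->rgb[0] = (v >> 16) & 0xff;
    out->rgb[1] = (v >> 8) & 0xff;
    out->rgb[2] = v & 0xff;
    return 0;
}

/* Helpers for checking results: parse and compare, or confirm rejection. */
int fig_color_matches(const char *line, int num, int r, int g, int b)
{
    struct fig_color c;
    return parse_fig_color(line, &c) == 0 && c.number == num &&
           c.rgb[0] == r && c.rgb[1] == g && c.rgb[2] == b;
}

int fig_color_rejects(const char *line)
{
    struct fig_color c;
    return parse_fig_color(line, &c) == -1;
}

/* Constructed input: a hex token running ~1000 bytes past six digits, the
 * shape of line that would overrun a fixed stack buffer under "%s". */
int fig_color_rejects_long_token(void)
{
    char line[1024] = "0 32 #";
    memset(line + 6, 'a', sizeof line - 7);
    line[sizeof line - 1] = '\0';
    return fig_color_rejects(line);
}
```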

Comment 1 Jan Lieskovsky 2010-12-03 12:42:51 UTC
This issue affects the versions of the xfig package, as shipped with
Red Hat Enterprise Linux 4, 5, and 6.

--

This issue affects the versions of the xfig package, as shipped with
Fedora release of 13 and 14.

Please schedule an update.

Comment 2 Jan Lieskovsky 2010-12-03 12:44:34 UTC
Created attachment 464564 [details]
Local copy of the public PoC from [2]

Comment 4 Jan Lieskovsky 2010-12-03 13:10:50 UTC
CVE Request:
[3] http://www.openwall.com/lists/oss-security/2010/12/03/2

Comment 5 Jan Lieskovsky 2010-12-03 13:12:36 UTC
Statement:

(none)

Comment 6 Hans de Goede 2010-12-03 18:56:46 UTC
Created attachment 464628 [details]
Patch fixing this.

Hi All,

Here is a patch which was sent to me by the SUSE xfig maintainer "Dr. Werner Fink" <werner@suse.de>, with whom I've worked together on various other xfig bugs.

I've reviewed and tested this and I can confirm it fixes the bug. I'm going to prepare a Fedora xfig update for this, with this patch.

Regards,

Hans

Comment 7 Vincent Danen 2010-12-07 23:14:06 UTC
This has been assigned CVE-2010-4262.

Comment 8 Jan Lieskovsky 2011-03-01 17:06:49 UTC
*** Bug 657981 has been marked as a duplicate of this bug. ***
