Bug 543905 (CVE-2009-4227, CVE-2009-4228) - CVE-2009-4227 CVE-2009-4228 Xfig, Transfig: Stack-based buffer overflow by loading malformed .FIG files
Summary: CVE-2009-4227 CVE-2009-4228 Xfig, Transfig: Stack-based buffer overflow by lo...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2009-4227, CVE-2009-4228
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard:
Depends On: 845605 845606
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-12-03 13:25 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:33 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-31 10:03:30 UTC
Embargoed:


Attachments (Terms of Use)
Local copy of Fortran Xfig PoC from PEDAMACHEPHEPTOLIONES, D.B. COOPER (1.07 KB, text/plain)
2009-12-03 13:41 UTC, Jan Lieskovsky
no flags Details
PATCH: fixing this for xfig (1.56 KB, patch)
2009-12-04 11:29 UTC, Hans de Goede
no flags Details | Diff

Description Jan Lieskovsky 2009-12-03 13:25:30 UTC
PEDAMACHEPHEPTOLIONES and D.B. COOPER found a stack-based buffer
overflow, present in Xfig, Transfig by loading malformed .FIG files.
A remote attacker could provide a specially-crafted .FIG text
object file, which once opened by a local, unsuspecting user would
lead to denial of service (Xfig, fig2dev crash).

References:
-----------
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559274

Fortran PoC by PEDAMACHEPHEPTOLIONES:
-------------------------------------
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=xfig_poc.f;att=1;bug=559274

CVE was requested here:
-----------------------
http://www.openwall.com/lists/oss-security/2009/12/03/2

Comment 1 Jan Lieskovsky 2009-12-03 13:41:33 UTC
Created attachment 375778 [details]
Local copy of Fortran Xfig PoC from PEDAMACHEPHEPTOLIONES, D.B. COOPER

Comment 3 Jan Lieskovsky 2009-12-03 13:52:12 UTC
This issue do NOT affect the versions of the xfig and transfig packages,
as shipped with Red Hat Enterprise Linux 3.

This issue affects the versions of the xfig and transfig packages,
as shipped with Red Hat Enterprise Linux 4 and 5.

This issue affects the versions of the xfig and transfig packages,
as shipped with Fedora release of 10, 11, 12 and Fedora Rawhide.

Comment 5 Hans de Goede 2009-12-04 11:29:17 UTC
Created attachment 376059 [details]
PATCH: fixing this for xfig

Here is a proposed patch for xfig-3.2.5b, which fixes this overflow. Note that
after this xfig will still crash on plane.fig, going into a recursive function call loop inside u_bound.c, till it exceeds its maximum stack size.

This may caused be caused by the use of an uninitialzed variable
resolution (for 1.3 files) inside f_read.c:readfp_fig() when calling
scale_figure().

Given that this other bug has lingered for quite a long while, I'm wondering
if 1.3 format support is still functional at all, and if it would not be
better to simply disable it ?

Can anyone provide me with some valid 1.3 format files to see how much work it will be to fix 1.3 format support ?

Comment 6 Jan Lieskovsky 2009-12-08 18:03:09 UTC
The CVE identifiers of CVE-2009-4227 and CVE-2009-4228 has been assigned
for Xfig by MITRE:

---------------------------------------------------------------------------

a, CVE-2009-4227 

Stack-based buffer overflow in the read_1_3_textobject function in
f_readold.c in Xfig 3.2.5b and earlier, and in the read_textobject
function in read1_3.c in fig2dev in Transfig 3.2.5a and earlier,
allows remote attackers to execute arbitrary code via a long string in
a malformed .fig file that uses the 1.3 file format.  NOTE: some of
these details are obtained from third party information.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4227 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559274 
http://www.securityfocus.com/bid/37193 
http://secunia.com/advisories/37571 
http://secunia.com/advisories/37577 
http://xforce.iss.net/xforce/xfdb/54525 

---------------------------------------------------------------------------

b, CVE-2009-4228 

Stack consumption vulnerability in u_bound.c in Xfig 3.2.5b and
earlier allows remote attackers to cause a denial of service
(application crash) via a long string in a malformed .fig file that
uses the 1.3 file format, possibly related to the readfp_fig function
in f_read.c.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4228 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559274

Comment 9 Vincent Danen 2009-12-11 22:38:43 UTC
This should not affect Fedora 11 or higher at all.  The stack protection bits are doing their job, as noted by:

% xfig plane.fig|head
zsh: correct 'xfig' to '_xfig' [nyae]? n
*** stack smashing detected ***: xfig-Xaw3d terminated
======= Backtrace: ========= 
/lib64/libc.so.6(__fortify_fail+0x37)[0x3b2d4f6ea7]
/lib64/libc.so.6(__fortify_fail+0x0)[0x3b2d4f6e70]
...

Likewise, the spec in Fedora uses:

make XFIGDOCDIR=%{_docdir}/%{name}-%{version} \
     CDEBUGFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -fno-strength-reduce -fno-strict-aliasing"

and:

% strings /usr/bin/xfig-Xaw3d|grep stack
__stack_chk_fail

By rights this should affect Fedora 10 since %optflags does not have -fstack-protector, but the results of running the proof of concept are the same (stack smashing detected), and strings should __stack_chk_fail is present so I'm not quite sure why this is aborted on Fedora 10.

Comment 10 Josh Bressers 2009-12-15 21:24:26 UTC
The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Comment 11 Stefan Cornelius 2012-08-03 14:49:28 UTC
Created transfig tracking bugs for this issue

Affects: fedora-all [bug 845605]

Comment 12 Stefan Cornelius 2012-08-03 14:49:38 UTC
Created xfig tracking bugs for this issue

Affects: fedora-all [bug 845606]

Comment 16 Hans de Goede 2012-08-13 11:46:52 UTC
(In reply to comment #12)
> Created xfig tracking bugs for this issue
> 
> Affects: fedora-all [bug 845606]

Fixed for Fedora-16 - Fedora-18 & rawhide, updates for Fedora-16 & Fedora-17 are here:
https://admin.fedoraproject.org/updates/xfig-3.2.5-32.b.fc16
https://admin.fedoraproject.org/updates/xfig-3.2.5-32.b.fc17

Comment 17 Vincent Danen 2012-08-13 21:58:31 UTC
(In reply to comment #16)
> (In reply to comment #12)
> > Created xfig tracking bugs for this issue
> > 
> > Affects: fedora-all [bug 845606]
> 
> Fixed for Fedora-16 - Fedora-18 & rawhide, updates for Fedora-16 & Fedora-17
> are here:
> https://admin.fedoraproject.org/updates/xfig-3.2.5-32.b.fc16
> https://admin.fedoraproject.org/updates/xfig-3.2.5-32.b.fc17

Should not bug #845606 reflect that then and be closed?

Comment 18 Hans de Goede 2012-08-14 08:07:38 UTC
(In reply to comment #17)
> > Fixed for Fedora-16 - Fedora-18 & rawhide, updates for Fedora-16 & Fedora-17
> > are here:
> > https://admin.fedoraproject.org/updates/xfig-3.2.5-32.b.fc16
> > https://admin.fedoraproject.org/updates/xfig-3.2.5-32.b.fc17
> 
> Should not bug #845606 reflect that then and be closed?

It will be automatically closed by bodhi once the update has been moved from updates-testing to the regular (stable)  updates repository.

Comment 19 Tomas Hoger 2012-08-14 09:26:04 UTC
(In reply to comment #18)
> > > https://admin.fedoraproject.org/updates/xfig-3.2.5-32.b.fc16
> > > https://admin.fedoraproject.org/updates/xfig-3.2.5-32.b.fc17
> > 
> > Should not bug #845606 reflect that then and be closed?
> 
> It will be automatically closed by bodhi once the update has been moved from
> updates-testing to the regular (stable)  updates repository.

Those two update request do not reference bug #845606, so it will not be auto-closed when updates are pushed to stable.  It will need to be added to the bug list to have it closed.

Comment 20 Hans de Goede 2012-08-14 10:41:03 UTC
(In reply to comment #19)
> > It will be automatically closed by bodhi once the update has been moved from
> > updates-testing to the regular (stable)  updates repository.
> 
> Those two update request do not reference bug #845606, so it will not be
> auto-closed when updates are pushed to stable.  It will need to be added to
> the bug list to have it closed.

Ah yes, my bad, fixed now.

Comment 21 Fedora Update System 2012-08-22 21:01:57 UTC
xfig-3.2.5-32.b.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2012-08-22 21:05:43 UTC
xfig-3.2.5-32.b.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2012-08-27 03:25:49 UTC
transfig-3.2.5d-7.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2012-08-27 03:29:03 UTC
transfig-3.2.5d-4.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Tomas Hoger 2016-03-31 10:03:30 UTC
Not planned to be fixed in future Red Hat Enterprise Linux updates.


Note You need to log in before you can comment on or make changes to this bug.