1786726 – (CVE-2019-19797) CVE-2019-19797 transfig: out-of-bounds write in read_colordef in read.c

Bug 1786726 (CVE-2019-19797) - CVE-2019-19797 transfig: out-of-bounds write in read_colordef in read.c

Summary: CVE-2019-19797 transfig: out-of-bounds write in read_colordef in read.c

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-19797
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1786727 1786728 1826923 1826924
Blocks:	1786731
TreeView+	depends on / blocked

Reported:	2019-12-27 14:29 UTC by Guilherme de Almeida Suckevicz
Modified:	2021-10-25 22:14 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	An out-of-bounds write flaw was found in transfig in the way the `fig2dev` program handled the processing of Fig format files. Specifically, the flaw affects the translation process of Fig codes into the box graphics language. This flaw allows for potential exploitation by crashing the `fig2dev` program by tricking it into processing specially crafted Fig format files.
Clone Of:
Environment:
Last Closed:	2021-10-25 22:14:53 UTC
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2019-12-27 14:29:36 UTC

read_colordef in read.c in Xfig fig2dev 3.2.7b has an out-of-bounds write.

Reference:
https://sourceforge.net/p/mcj/tickets/67/

Comment 1 Guilherme de Almeida Suckevicz 2019-12-27 14:30:28 UTC

Created xfig tracking bugs for this issue:

Affects: epel-7 [bug 1786728]
Affects: fedora-all [bug 1786727]

Comment 2 Hans de Goede 2020-01-15 19:48:35 UTC

fig2dev is part of transfig, not xfig.

I've update the Fedora tracking bug accordingly, EPEL does not appear to have transfig, so I believe that the EPEL tracking bug can be closed, but I'm leaving that up to you.

I'm also leaving any necessary updates to this bug (Summary?) up to you.

Comment 3 Guilherme de Almeida Suckevicz 2020-01-16 15:05:30 UTC

Thank you for your information.

Comment 4 Mauro Matteo Cascella 2020-04-20 15:17:41 UTC

Upstream fix:
https://sourceforge.net/p/mcj/fig2dev/ci/41b9bb838a3d544539f6e68aa4f87d70ef7d45ce/

Comment 8 Mauro Matteo Cascella 2020-04-22 13:46:51 UTC

Mitigation:

Avoid loading and processing Fig format files from untrusted external sources.

Comment 10 Mauro Matteo Cascella 2020-05-26 15:14:10 UTC

There is no fixed upstream version yet. This issue affects latest upstream version 3.2.7, new version with fixes (comment #4) has not been released yet.

Note You need to log in before you can comment on or make changes to this bug.