1992793 – (CVE-2020-21684) CVE-2020-21684 transfig: A global buffer overflow in the put_font in genpict2e.c could result in a denial of service

Bug 1992793 (CVE-2020-21684) - CVE-2020-21684 transfig: A global buffer overflow in the put_font in genpict2e.c could result in a denial of service

Summary: CVE-2020-21684 transfig: A global buffer overflow in the put_font in genpict2...

Keywords:
Status:	NEW
Alias:	CVE-2020-21684
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2000745 2000747
Blocks:	1992794
TreeView+	depends on / blocked

Reported:	2021-08-11 18:18 UTC by Michael Kaplan
Modified:	2022-05-17 09:27 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:

Attachments	(Terms of Use)

Description Michael Kaplan 2021-08-11 18:18:45 UTC

A global buffer overflow in the put_font in genpict2e.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into pict2e format.

Reference:

https://sourceforge.net/p/mcj/tickets/75/

Comment 1 Garrett Tucker 2021-09-02 19:27:21 UTC

Due to the inability for the exploit to cause arbitrary code execution or to read arbitrary memory, this does not impact confidentiality or integrity. The outcome of this exploit is only a DoS affecting availability of the program by causing a total crash and inability for the program to recover. As such the CVSS score should be rescored to AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H to accurately reflect the impact of this vulnerability.

Note You need to log in before you can comment on or make changes to this bug.