From e682d9201501e8290f9ae2b28f45d6e7efc5014e Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj
Date: Jun 05 2019 11:32:23 +0000
Subject: fixed buffer underwrite in read.c:get_line()
A buffer underwrite vulnerability in get_line() (read.c) in fig2dev allows an attacker to write prior to the beginning of the buffer via a crafted .fig file.
---
diff --git a/fig2dev-3.2.6a-CVE-2018-16140.patch b/fig2dev-3.2.6a-CVE-2018-16140.patch
new file mode 100644
index 0000000..28bf575
--- /dev/null
+++ b/fig2dev-3.2.6a-CVE-2018-16140.patch
@@ -0,0 +1,142 @@
+From c9db621bf4f5c9e230148478952de6950f57a283 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj
+Date: Wed, 5 Jun 2019 13:06:17 +0200
+Subject: [PATCH] fixed buffer underwrite in read.c:get_line()
+
+A buffer underwrite vulnerability in get_line()
+(read.c) in fig2dev allows an attacker to write
+prior to the beginning of the buffer via a
+crafted .fig file.
+---
+ fig2dev/dev/readpcx.c | 2 --
+ fig2dev/read.c | 54 ++++++++++++++++++++++++++++++-------------
+ 2 files changed, 38 insertions(+), 18 deletions(-)
+
+diff --git a/fig2dev/dev/readpcx.c b/fig2dev/dev/readpcx.c
+index 32a266a..d669114 100644
+--- a/fig2dev/dev/readpcx.c
++++ b/fig2dev/dev/readpcx.c
+@@ -88,8 +88,6 @@ _read_pcx(FILE *pcxfile, F_pic *pic)
+ fprintf(tfp, "%% Begin Imported PCX File: %s\n\n", pic->file);
+ pic->subtype = P_PCX;
+ 
+- pic->bitmap=NULL;
+-
+ fread(&header,1,sizeof(struct pcxhed),pcxfile);
+ if (header.manuf!=10 || header.encod!=1)
+ return 0;
+diff --git a/fig2dev/read.c b/fig2dev/read.c
+index be9f62c..19c5dc8 100644
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -199,12 +199,24 @@ read_objects(FILE *fp, F_compound *obj)
+ int object, coord_sys, len;
+ 
+ memset((char*)obj, '\0', COMOBJ_SIZE);
++
+ (void) fgets(buf, BUF_SIZE, fp); /* get the version line */
++ if (strncmp(buf, "#FIG ", 5)) {
++ put_msg("Incorrect format string in first line of input file.");
++ return -1;
++ }
++
++ /* remove newline and any carriage return (from a PC, perhaps) */
+ len = strlen(buf);
+- if (len > 0)
+- buf[len-1] = '\0'; /* remove newline */
+- if (buf[len-2] == '\r')
+- buf[len-2] = '\0'; /* and any CR (from a PC perhaps) */
++ if (buf[len-1] == '\n') {
++ if (buf[len-2] == '\r')
++ buf[len-2] = '\0';
++ else
++ buf[len-1] = '\0';
++ } else { /* fgets() only stops at newline and end-of-file */
++ put_msg("File is truncated at first line.");
++ return -1;
++ }
+ 
+ /* v2_flag is for version 2 or higher */
+ v2_flag = (!strncmp(buf, "#FIG 2", 6) || !strncmp(buf, "#FIG 3", 6));
+@@ 
-854,6 +866,8 @@ read_lineobject(FILE *fp)
+ l->next = NULL;
+ l->join_style = 0;
+ l->cap_style = 0; /* butt line cap */
++ l->pic = NULL;
++ l->comments = NULL;
+ 
+ sscanf(buf,"%*d%d",&l->type); /* get the line type */
+ 
+@@ -920,12 +934,18 @@ read_lineobject(FILE *fp)
+ note_arrow(type, style);
+ }
+ if (l->type == T_PIC_BOX) {
+- Pic_malloc(l->pic);
+- l->pic->transp = -1;
+- if (l->pic == NULL) {
++ if ((Pic_malloc(l->pic)) == NULL) {
+ free((char *)l);
+ return NULL;
+ }
++ l->pic->transp = -1;
++ l->pic->bitmap = NULL;
++#ifdef HAVE_X11_XPM_H
++ /* initialize l->pic->xpmimage by (ab)using a
++ public libxpm-function */
++ XpmCreateXpmImageFromBuffer("", &l->pic->xpmimage, NULL);
++#endif
++
+ if (get_line(fp) < 0 || sscanf(buf, "%d %[^\n]",
+ &l->pic->flipped, file) != 2) {
+ put_msg(Err_incomp, "Picture object", line_no);
+@@ -947,8 +967,7 @@ read_lineobject(FILE *fp)
+ } else {
+ strcpy(l->pic->file, file);
+ }
+- } else
+- l->pic = NULL;
++ }
+ 
+ if (NULL == (l->points = Point_malloc(p))) {
+ put_msg(Err_mem);
+@@ -1029,6 +1048,7 @@ read_splineobject(FILE *fp)
+ s->fill_style = 0;
+ s->for_arrow = NULL;
+ s->back_arrow = NULL;
++ s->comments = NULL;
+ s->next = NULL;
+ 
+ if (v30_flag) {
+@@ -1200,6 +1220,7 @@ read_textobject(FILE *fp)
+ Text_malloc(t);
+ t->font = 0;
+ t->size = 0.0;
++ t->comments = NULL;
+ t->next = NULL;
+ 
+ if (v30_flag) { /* order of parms is more like other objects now,
+@@ -1397,13 +1418,14 @@ get_line(FILE *fp)
+ if (*buf == '#') { /* save any comments */
+ if (save_comment() < 0)
+ return -1;
+- } else if (*buf != '\n') { /* Skip empty lines */
+- len = strlen(buf);
+- buf[len-1] = '\0'; /* strip trailing newline */
+- if (buf[len-2] == '\r')
+- buf[len-2] = '\0'; /* strip any trailing CRs */
+- return 1;
+- }
++ /* skip empty lines */
++ } else if (*buf != '\n' || !(*buf == '\r' && buf[1] == '\n')) {
++ len = strlen(buf);
++ /* remove newline and possibly a carriage return */
++ if (buf[len-1] == '\n')
++ buf[len - (buf[len-2] 
== '\r' ? 2 : 1)] = '\0';
++ return 1;
++ }
+ }
+ }
+ 
+-- 
+2.17.1
+
diff --git a/transfig.spec b/transfig.spec
index 3efa824..456dc8f 100644
--- a/transfig.spec
+++ b/transfig.spec
@@ -1,12 +1,13 @@
 Name: transfig
 Version: 3.2.6a
-Release: 6%{?dist}
+Release: 7%{?dist}
 Epoch: 1
 Summary: Utility for converting FIG files (made by xfig) to other formats
 License: MIT
 URL: https://sourceforge.net/projects/mcj/
 Source0: http://downloads.sourceforge.net/mcj/fig2dev-%{version}.tar.xz
-Patch1: fig2dev-3.2.6a-CVE-2017-16899.patch
+Patch1: fig2dev-3.2.6a-CVE-2017-16899.patch
+Patch2: fig2dev-3.2.6a-CVE-2018-16140.patch
 Requires: ghostscript
 Requires: bc
@@ -49,6 +50,9 @@ make %{?_smp_mflags}
 %{_mandir}/man1/*.1.gz
 %changelog
+* Wed Jun 05 2019 Ondrej Dubaj - 1:3.2.6a-7
+- Fixed buffer underwrite in read.c:get_line() (#1627975)
+
 * Sun Feb 03 2019 Fedora Release Engineering - 1:3.2.6a-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
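Review bot: The new skip-empty-lines condition in get_line() is always true, so a bare "\n" line is no longer skipped: `*buf != '\n'` is false for it, but `!(*buf == '\r' && buf[1] == '\n')` is true, and the `||` lets it through to `buf[len - (buf[len-2] == '\r' ? 2 : 1)]` with len == 1, which reads buf[-1] and writes buf[-1] = '\0' when that byte happens to be '\r' — the same out-of-bounds access the patch sets out to remove. The negation has to cover the whole disjunction: `} else if (*buf != '\n' && !(*buf == '\r' && buf[1] == '\n')) {`; with that, a "\r\n"-only line is skipped as well instead of being handed back to the sscanf callers as an empty string. I would also guard the strip as `if (len > 1 && buf[len-1] == '\n')` so the len == 1 case can never reach buf[len-2] again. The fgets() that fills buf and the enclosing loop of get_line() begin above the hunk, so the EOF handling is not visible here.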