Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-21675: Xfig / Tickets / #78 stack-buffer-overflow in genptk_text at genptk.c:618

A stack-based buffer overflow in the genptk_text component in genptk.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into ptk format.

CVE
#dos#git#c++#buffer_overflow
  • Summary
  • Files
  • Reviews
  • Support
  • Tickets
  • Discussion
  • Git ▾
    • fig2dev
    • xfig

Menu ▾ ▴

Status: closed

Owner: nobody

Labels: None

Updated: 2020-12-21

Created: 2019-12-28

Private: No

Hi,
I found a stack-buffer-overflow in genptk_text at genptk.c:618

fig2dev Version 3.2.7b
commit 93795dd396730c80e63767dede7777f4cb7dc383

Please run following command to reproduce it,

ASAN LOG

==45827==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff76457e80 at pc 0x000000841291 bp 0x7fff76457650 sp 0x7fff76457648 WRITE of size 1 at 0x7fff76457e80 thread T0 #0 0x841290 in genptk_text /home/tmp/mcj-fig2dev/fig2dev/dev/genptk.c:618:13 #1 0x54ba7b in gendev_objects /home/tmp/mcj-fig2dev/fig2dev/fig2dev.c:1012:6 #2 0x54ba7b in main /home/tmp/mcj-fig2dev/fig2dev/fig2dev.c:489 #3 0x7f8360406b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/…/csu/libc-start.c:310 #4 0x41b429 in _start (/home/tmp/fig2dev+0x41b429)

Address 0x7fff76457e80 is located in stack of thread T0 at offset 2080 in frame #0 0x83e5ef in genptk_text /home/tmp/mcj-fig2dev/fig2dev/dev/genptk.c:520

This frame has 1 object(s): [32, 2080) ‘stfp’ (line 521) <== Memory access at offset 2080 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow /home/tmp/mcj-fig2dev/fig2dev/dev/genptk.c:618:13 in genptk_text Shadow bytes around the buggy address: 0x10006ec82f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10006ec82f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10006ec82fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10006ec82fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10006ec82fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x10006ec82fd0:[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 0x10006ec82fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10006ec82ff0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 0x10006ec83000: 00 00 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 0x10006ec83010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10006ec83020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==45827==ABORTING

1 Attachments

Discussion

Log in to post a comment.

Related news

Ubuntu Security Notice USN-5864-1

Ubuntu Security Notice 5864-1 - Frederic Cambus discovered that Fig2dev incorrectly handled certain image files. If a user or an automated system were tricked into opening a certain specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS. It was discovered that Fig2dev incorrectly handled certain image files. If a user or an automated system were tricked into opening a certain specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907