Bug 1190607 (CVE-2020-21535)

Summary: VUL-0: CVE-2020-21535: transfig: segmentation fault in the gencgm_start function in gencgm.c.
Product: [Novell Products] SUSE Security Incidents
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: gianluca.gabrielli, meissner, rfrohl, smash_bz, werner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/310320/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-21535:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 1190611, 1190612, 1190615
Bug Blocks:

Description Gianluca Gabrielli 2021-09-17 13:26:34 UTC
fig2dev 3.2.7b contains a segmentation fault in the gencgm_start function in
gencgm.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-21535
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21535
https://sourceforge.net/p/mcj/tickets/62/
Comment 1 Gianluca Gabrielli 2021-09-17 13:27:32 UTC
Affected packages:
 - SUSE:SLE-11:Update/transfig             3.2.5
 - openSUSE:Backports:SLE-15-SP2/transfig  3.2.6a
 - openSUSE:Backports:SLE-15-SP3/transfig  3.2.6a

Upstream patch [0].

[0] https://sourceforge.net/p/mcj/fig2dev/ci/41b9bb838a3d544539f6e68aa4f87d70ef7d45ce/
Comment 2 Dr. Werner Fink 2021-09-17 13:37:08 UTC
Meanwhile we are on transfig-3.2.8a
Comment 3 Gianluca Gabrielli 2021-09-17 15:01:25 UTC
(In reply to Dr. Werner Fink from comment #2)
> Meanwhile we are on transfig-3.2.8a

Yes, but not for the three codestreams I mentioned above. These require the patch to be backported.
Comment 4 Dr. Werner Fink 2021-09-20 06:14:13 UTC
(In reply to Gianluca Gabrielli from comment #3)
> (In reply to Dr. Werner Fink from comment #2)
> > Meanwhile we are on transfig-3.2.8a
> 
> Yes, but not for the three codestreams I mentioned above. These require the
> patch to be backported.

AFAIK on SLE-15 we are on transfig-3.2.8a and on SLE-11 the QA team is working on transfig-3.2.8a ... and it makes no sense to port patches/commits back which do not fit into the old code stream.
Comment 5 Gianluca Gabrielli 2021-09-20 06:52:34 UTC
(In reply to Dr. Werner Fink from comment #4)
> (In reply to Gianluca Gabrielli from comment #3)
> > (In reply to Dr. Werner Fink from comment #2)
> > > Meanwhile we are on transfig-3.2.8a
> > 
> > Yes, but not for the three codestreams I mentioned above. These require the
> > patch to be backported.
> 
> AFAIK on SLE-15 we are on transfig-3.2.8a and on SLE-11 the QA team is
> working on transfig-3.2.8a ... and it makes no sense to port patches/commits
> back which do not fit into the old code stream.

Given that, I have two questions. The first one is for you: is there any ECO request where the version bump of SLE11 has been discussed/approved? If yes, can you please share the ticket number?
The second one is for @Marcus: since SLE-15 has a newer version than LEAP-15.2 and LEAP-15.3, can we import the same package from SLE-15 into those two?
Comment 6 Marcus Meissner 2021-09-20 07:34:57 UTC
I talked with Robert, and from my point of view I would skip the ECO as the functionality of transfig is not changing.

So I approved the version update. It just took so long in QA that you still see it :(

I can still do an ECO.

Leap 15.2 imports from SUSE:SLE-15:Update updates directly.

I marked backports-15-sp2 to import from leap 15.2 again (it was not set up correctly).

I will sync backports-15-sp3 manually.
Comment 7 Dr. Werner Fink 2021-09-28 11:50:39 UTC
(In reply to Gianluca Gabrielli from comment #1)
> Affected packages:
>  - SUSE:SLE-11:Update/transfig             3.2.5
>  - openSUSE:Backports:SLE-15-SP2/transfig  3.2.6a
>  - openSUSE:Backports:SLE-15-SP3/transfig  3.2.6a

Now I have a report that QA has finished and released for the backports of SLE-15, compare with e.g. bnc#1186329 ... but the osc tool still reports

```
xfig/transfig> osc ls openSUSE:Backports:SLE-15-SP3/transfig
fig2dev-3.2.6-fig2mpdf-doc.patch
fig2dev-3.2.6-fig2mpdf.patch
fig2dev-3.2.6-genps_oldpatterns.patch
fig2dev-3.2.6a-RGBFILE.patch
fig2dev-3.2.6a-input-sanitizing.patch
fig2dev-3.2.6a-man-typo.patch
fig2dev-3.2.6a-style-overflow.patch
fig2dev-3.2.6a.tar.xz
transfig-03ea4578.patch
transfig-3.2.6.dif
transfig-e0c4b024.patch
transfig-fix-afl.patch
transfig-fix-of-e0c4b024.patch
transfig.3.2.5-binderman.dif
transfig.3.2.5d-mediaboxrealnb.dif
transfig.changes
transfig.spec
```

What can I do so that e.g. transfig-3.2.8a-bp152.3.3.2 reaches openSUSE:Backports:SLE-15-SP2/transfig, and why do we have openSUSE:Backports:SLE-15-SP3/transfig?
Comment 8 Marcus Meissner 2021-09-28 11:56:26 UTC
Use openSUSE:Backports:SLE-15-SP2:Update
and openSUSE:Backports:SLE-15-SP3:Update.

The 15-SP2 one is released, 15-SP3 is waiting for openQA.
Comment 9 Dr. Werner Fink 2021-10-07 08:31:14 UTC
Now QA seems to be done (see below); can we now check if this bug is still valid?

```
/suse/werner> osc ls openSUSE:Backports:SLE-15-SP3:Update transfig
_link
# -> openSUSE:Backports:SLE-15-SP3:Update transfig.16970 (latest)
6827c09d.patch
fig2dev-3.2.6-fig2mpdf-doc.patch
fig2dev-3.2.6-fig2mpdf.patch
fig2dev-3.2.6a-RGBFILE.patch
fig2dev-3.2.8a.tar.xz
transfig-3.2.8.dif
transfig-fix-afl.patch
transfig.changes
transfig.spec
/suse/werner> osc ls openSUSE:Backports:SLE-15-SP2:Update transfig
_link
# -> openSUSE:Backports:SLE-15-SP2:Update transfig.16971 (latest)
6827c09d.patch
fig2dev-3.2.6-fig2mpdf-doc.patch
fig2dev-3.2.6-fig2mpdf.patch
fig2dev-3.2.6a-RGBFILE.patch
fig2dev-3.2.8a.tar.xz
transfig-3.2.8.dif
transfig-fix-afl.patch
transfig.changes
transfig.spec
/suse/werner> osc ls SUSE:SLE-11:Update transfig
_link
# -> SUSE:SLE-11:Update transfig.20308 (latest)
6827c09d.patch
fig2dev-3.2.6-fig2mpdf-doc.patch
fig2dev-3.2.6-fig2mpdf.patch
fig2dev-3.2.6a-RGBFILE.patch
fig2dev-3.2.8a.tar.xz
transfig-3.2.8.dif
transfig-fix-afl.patch
transfig.changes
transfig.spec
```
Comment 10 Gianluca Gabrielli 2021-10-21 12:21:22 UTC
I don't see this CVE/BZ ID mentioned in the changes files; was that an oversight?
Comment 11 Dr. Werner Fink 2021-10-21 13:59:28 UTC
(In reply to Gianluca Gabrielli from comment #10)
> I don't see this CVE/BZ ID mentioned in the changes files; was that an
> oversight?

On SLE-11, SLE-12, and SLE-15 we are talking about 3.2.8a, and IMHO with the submissions this bug was fixed before it was done ... the only problem was that the submissions had been stuck in the QA channels meanwhile.
Comment 12 Gianluca Gabrielli 2021-10-26 07:12:20 UTC
The fix has been shipped with the version bump to all three codestreams. We are only missing the mention of this CVE / BZ ID in the related changes files.
Can you please submit a request with the corrected changes file? Thank you.
Comment 13 OBSbugzilla Bot 2021-10-26 14:40:07 UTC
This is an autogenerated message for OBS integration:
This bug (1190607) was mentioned in
https://build.opensuse.org/request/show/927524 Factory / transfig
Comment 16 Swamp Workflow Management 2021-10-29 19:23:05 UTC
SUSE-SU-2021:3584-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1189325,1189343,1189345,1189346,1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019
CVE References: CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2020-21680,CVE-2020-21681,CVE-2020-21682,CVE-2020-21683,CVE-2021-32280
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    transfig-3.2.8b-4.15.1
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    transfig-3.2.8b-4.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2021-10-29 19:25:16 UTC
openSUSE-SU-2021:3584-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1189325,1189343,1189345,1189346,1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019
CVE References: CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2020-21680,CVE-2020-21681,CVE-2020-21682,CVE-2020-21683,CVE-2021-32280
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    transfig-3.2.8b-4.15.1
Comment 18 Swamp Workflow Management 2021-10-29 19:32:11 UTC
SUSE-SU-2021:3585-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019
CVE References: CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2021-32280
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    transfig-3.2.8b-2.20.1
SUSE OpenStack Cloud Crowbar 8 (src):    transfig-3.2.8b-2.20.1
SUSE OpenStack Cloud 9 (src):    transfig-3.2.8b-2.20.1
SUSE OpenStack Cloud 8 (src):    transfig-3.2.8b-2.20.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    transfig-3.2.8b-2.20.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    transfig-3.2.8b-2.20.1
SUSE Linux Enterprise Server 12-SP5 (src):    transfig-3.2.8b-2.20.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    transfig-3.2.8b-2.20.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    transfig-3.2.8b-2.20.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    transfig-3.2.8b-2.20.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    transfig-3.2.8b-2.20.1
HPE Helion Openstack 8 (src):    transfig-3.2.8b-2.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2021-11-02 14:20:48 UTC
SUSE-SU-2021:14836-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019
CVE References: CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2021-32280
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    transfig-3.2.8b-160.16.2
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    transfig-3.2.8b-160.16.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    transfig-3.2.8b-160.16.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    transfig-3.2.8b-160.16.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2021-11-02 17:21:56 UTC
openSUSE-SU-2021:1439-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1189325,1189343,1189345,1189346,1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019
CVE References: CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2020-21680,CVE-2020-21681,CVE-2020-21682,CVE-2020-21683,CVE-2021-32280
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    transfig-3.2.8b-lp152.6.9.1
Comment 21 Swamp Workflow Management 2021-11-07 23:16:39 UTC
openSUSE-SU-2021:1458-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1189325,1189343,1189345,1189346,1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019
CVE References: CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2020-21680,CVE-2020-21681,CVE-2020-21682,CVE-2020-21683,CVE-2021-32280
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    transfig-3.2.8b-bp152.3.6.2
Comment 22 Swamp Workflow Management 2021-11-18 14:19:58 UTC
openSUSE-SU-2021:1481-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1189325,1189343,1189345,1189346,1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019
CVE References: CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2020-21680,CVE-2020-21681,CVE-2020-21682,CVE-2020-21683,CVE-2021-32280
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    transfig-3.2.8b-bp153.3.6.3