Bug 1190611 (CVE-2020-21534)

Summary: VUL-1: CVE-2020-21534: transfig: global buffer overflow in the get_line function in read.c.
Product: [Novell Products] SUSE Security Incidents
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: gianluca.gabrielli, rfrohl, smash_bz, werner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/310321/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-21534:7.8:(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1190607

Description Gianluca Gabrielli 2021-09-17 13:55:22 UTC
fig2dev 3.2.7b contains a global buffer overflow in the get_line function in read.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-21534
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21534
https://sourceforge.net/p/mcj/tickets/58/
Comment 1 Gianluca Gabrielli 2021-09-17 13:57:08 UTC
This bug can be fixed by backporting 41b9bb [0], as for bsc#1190607.

[0] https://sourceforge.net/p/mcj/fig2dev/ci/41b9bb838a3d544539f6e68aa4f87d70ef7d45ce/
Comment 2 Dr. Werner Fink 2021-09-17 14:01:48 UTC
(In reply to Gianluca Gabrielli from comment #1)
> This bug can be fixed backporting 41b9bb [0] as for bsc#1190607.
> 
> [0]
> https://sourceforge.net/p/mcj/fig2dev/ci/
> 41b9bb838a3d544539f6e68aa4f87d70ef7d45ce/

which is part of transfig-3.2.8a
Comment 3 Gianluca Gabrielli 2021-09-17 14:58:09 UTC
(In reply to Dr. Werner Fink from comment #2)
> (In reply to Gianluca Gabrielli from comment #1)
> > This bug can be fixed backporting 41b9bb [0] as for bsc#1190607.
> > 
> > [0]
> > https://sourceforge.net/p/mcj/fig2dev/ci/
> > 41b9bb838a3d544539f6e68aa4f87d70ef7d45ce/
> 
> which is part of transfig-3.2.8a

Sure thing, but we should avoid performing a version bump. We consider them the last resort, and they need to go through a proper approval review.
Comment 4 Dr. Werner Fink 2021-10-07 08:35:16 UTC
Now that QA seems to be done (see below), can we check if this bug is still valid?

/suse/werner> osc ls openSUSE:Backports:SLE-15-SP3:Update transfig
_link
# -> openSUSE:Backports:SLE-15-SP3:Update transfig.16970 (latest)
6827c09d.patch
fig2dev-3.2.6-fig2mpdf-doc.patch
fig2dev-3.2.6-fig2mpdf.patch
fig2dev-3.2.6a-RGBFILE.patch
fig2dev-3.2.8a.tar.xz
transfig-3.2.8.dif
transfig-fix-afl.patch
transfig.changes
transfig.spec
/suse/werner> osc ls openSUSE:Backports:SLE-15-SP2:Update transfig
_link
# -> openSUSE:Backports:SLE-15-SP2:Update transfig.16971 (latest)
6827c09d.patch
fig2dev-3.2.6-fig2mpdf-doc.patch
fig2dev-3.2.6-fig2mpdf.patch
fig2dev-3.2.6a-RGBFILE.patch
fig2dev-3.2.8a.tar.xz
transfig-3.2.8.dif
transfig-fix-afl.patch
transfig.changes
transfig.spec
/suse/werner> isc ls SUSE:SLE-11:Update transfig
_link
# -> SUSE:SLE-11:Update transfig.20308 (latest)
6827c09d.patch
fig2dev-3.2.6-fig2mpdf-doc.patch
fig2dev-3.2.6-fig2mpdf.patch
fig2dev-3.2.6a-RGBFILE.patch
fig2dev-3.2.8a.tar.xz
transfig-3.2.8.dif
transfig-fix-afl.patch
transfig.changes
transfig.spec
Comment 5 Dr. Werner Fink 2021-10-07 08:40:35 UTC
It should be mentioned that I've an updated version of transfig with fig2dev 3.2.8b:

 Wed Oct  6 10:45:30 UTC 2021 - Dr. Werner Fink <werner@suse.de>
 - Update to fig2dev version 3.2.8 Patchlevel 8b (Aug 2021)
   o Detect the output language from the output file name.
   o On the command line, a minus (-) as input or output file name refers
     to standard input or standard output.
   o Correct buffer overflows and segfaults, mainly due to maliciously
     crafted input files, tickets #113-117, #122, #123, #125-#135.
   o With -Lepic -P, generate a complete tex file.
   o Correctly produce a gif if a transparent color is given, ticket #121.
   o Return with error if no space is left on the device. Ticket #101.
 - Remove patch 6827c09d.patch now upstream
 - Add patch 1b09a8.patch from upstream (for ticket #137)
 - Port patch fig2dev-3.2.6-fig2mpdf.patch back

The patch with the fix for ticket #137 fixes a typo which makes import of eps files work correctly.

Whereas the tickets #113-117, #122, #123, and #125-#135 could also be relevant for security, it seems there are no CVE tags yet.
Comment 6 Gianluca Gabrielli 2021-10-21 09:59:22 UTC
(In reply to Dr. Werner Fink from comment #4)
> Now QA seems to be done (see below) can we now check if this bug is still
> valid? 

I locally tested the PoC and it seems the updated package (v.3.2.8b) is no longer vulnerable. I don't see this CVE mentioned in the changes file; was that an oversight?
Comment 7 Robert Frohl 2021-10-21 10:43:30 UTC
(In reply to Gianluca Gabrielli from comment #6)
> (In reply to Dr. Werner Fink from comment #4)
> > Now QA seems to be done (see below) can we now check if this bug is still
> > valid? 
> 
> I locally tested the poc and it seems the updated package (v.3.2.8b) is no
> longer vulnerable. I don't see this CVE mentioned in the changes file, was
> that an overlook?

I was the UM and added them manually to the changes file, because they were not known during submission at first, I think. But only to the problematic updates (SLE11 and SLE12 imo). I am also not sure if I found all of them.

So they would be missing in SLE15 because there the update went out without any major problems.
Comment 8 Dr. Werner Fink 2021-10-21 13:59:35 UTC
(In reply to Gianluca Gabrielli from comment #6)
> (In reply to Dr. Werner Fink from comment #4)
> > Now QA seems to be done (see below) can we now check if this bug is still
> > valid? 
> 
> I locally tested the poc and it seems the updated package (v.3.2.8b) is no
> longer vulnerable. I don't see this CVE mentioned in the changes file, was
> that an overlook?

On SLE-11, SLE-12, and SLE-15 we are talking about 3.2.8a, and IMHO with the submissions this bug was fixed before it was done ... the only problem was that the submissions had been stuck within the QA channels meanwhile.
Comment 9 Gianluca Gabrielli 2021-10-26 07:10:16 UTC
The fix has been shipped with the version bump to all three codestreams. We are only missing the mention of this CVE / BZ ID in related changes files.
Can you please submit a request with the correct changes file? Thank you.
Comment 10 OBSbugzilla Bot 2021-10-26 14:40:13 UTC
This is an autogenerated message for OBS integration:
This bug (1190611) was mentioned in
https://build.opensuse.org/request/show/927524 Factory / transfig
Comment 13 Swamp Workflow Management 2021-10-29 19:23:10 UTC
SUSE-SU-2021:3584-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1189325,1189343,1189345,1189346,1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019
CVE References: CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2020-21680,CVE-2020-21681,CVE-2020-21682,CVE-2020-21683,CVE-2021-32280
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    transfig-3.2.8b-4.15.1
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    transfig-3.2.8b-4.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2021-10-29 19:25:22 UTC
openSUSE-SU-2021:3584-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1189325,1189343,1189345,1189346,1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019
CVE References: CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2020-21680,CVE-2020-21681,CVE-2020-21682,CVE-2020-21683,CVE-2021-32280
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    transfig-3.2.8b-4.15.1
Comment 15 Swamp Workflow Management 2021-10-29 19:32:17 UTC
SUSE-SU-2021:3585-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019
CVE References: CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2021-32280
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    transfig-3.2.8b-2.20.1
SUSE OpenStack Cloud Crowbar 8 (src):    transfig-3.2.8b-2.20.1
SUSE OpenStack Cloud 9 (src):    transfig-3.2.8b-2.20.1
SUSE OpenStack Cloud 8 (src):    transfig-3.2.8b-2.20.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    transfig-3.2.8b-2.20.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    transfig-3.2.8b-2.20.1
SUSE Linux Enterprise Server 12-SP5 (src):    transfig-3.2.8b-2.20.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    transfig-3.2.8b-2.20.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    transfig-3.2.8b-2.20.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    transfig-3.2.8b-2.20.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    transfig-3.2.8b-2.20.1
HPE Helion Openstack 8 (src):    transfig-3.2.8b-2.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2021-11-02 14:20:56 UTC
SUSE-SU-2021:14836-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019
CVE References: CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2021-32280
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    transfig-3.2.8b-160.16.2
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    transfig-3.2.8b-160.16.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    transfig-3.2.8b-160.16.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    transfig-3.2.8b-160.16.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2021-11-02 17:22:04 UTC
openSUSE-SU-2021:1439-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1189325,1189343,1189345,1189346,1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019
CVE References: CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2020-21680,CVE-2020-21681,CVE-2020-21682,CVE-2020-21683,CVE-2021-32280
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    transfig-3.2.8b-lp152.6.9.1
Comment 18 Swamp Workflow Management 2021-11-07 23:16:46 UTC
openSUSE-SU-2021:1458-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1189325,1189343,1189345,1189346,1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019
CVE References: CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2020-21680,CVE-2020-21681,CVE-2020-21682,CVE-2020-21683,CVE-2021-32280
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    transfig-3.2.8b-bp152.3.6.2
Comment 19 Swamp Workflow Management 2021-11-18 14:20:07 UTC
openSUSE-SU-2021:1481-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1189325,1189343,1189345,1189346,1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019
CVE References: CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2020-21680,CVE-2020-21681,CVE-2020-21682,CVE-2020-21683,CVE-2021-32280
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    transfig-3.2.8b-bp153.3.6.3