Bugzilla – Bug 1190611
VUL-1: CVE-2020-21534: transfig: global buffer overflow in the get_line function in read.c.
Last modified: 2021-11-18 14:20:07 UTC
fig2dev 3.2.7b contains a global buffer overflow in the get_line function in read.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-21534
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21534
https://sourceforge.net/p/mcj/tickets/58/
This bug can be fixed by backporting 41b9bb [0], as for bsc#1190607.

[0] https://sourceforge.net/p/mcj/fig2dev/ci/41b9bb838a3d544539f6e68aa4f87d70ef7d45ce/
(In reply to Gianluca Gabrielli from comment #1)
> This bug can be fixed backporting 41b9bb [0] as for bsc#1190607.
>
> [0]
> https://sourceforge.net/p/mcj/fig2dev/ci/
> 41b9bb838a3d544539f6e68aa4f87d70ef7d45ce/

which is part of transfig-3.2.8a
(In reply to Dr. Werner Fink from comment #2)
> (In reply to Gianluca Gabrielli from comment #1)
> > This bug can be fixed backporting 41b9bb [0] as for bsc#1190607.
> >
> > [0]
> > https://sourceforge.net/p/mcj/fig2dev/ci/
> > 41b9bb838a3d544539f6e68aa4f87d70ef7d45ce/
>
> which is part of transfig-3.2.8a

Sure thing, but we should avoid performing a version bump. We consider them the last resort, and it needs to go through a proper approval review.
Now that QA seems to be done (see below), can we check whether this bug is still valid?

/suse/werner> osc ls openSUSE:Backports:SLE-15-SP3:Update transfig
_link
# -> openSUSE:Backports:SLE-15-SP3:Update transfig.16970 (latest)
6827c09d.patch
fig2dev-3.2.6-fig2mpdf-doc.patch
fig2dev-3.2.6-fig2mpdf.patch
fig2dev-3.2.6a-RGBFILE.patch
fig2dev-3.2.8a.tar.xz
transfig-3.2.8.dif
transfig-fix-afl.patch
transfig.changes
transfig.spec

/suse/werner> osc ls openSUSE:Backports:SLE-15-SP2:Update transfig
_link
# -> openSUSE:Backports:SLE-15-SP2:Update transfig.16971 (latest)
6827c09d.patch
fig2dev-3.2.6-fig2mpdf-doc.patch
fig2dev-3.2.6-fig2mpdf.patch
fig2dev-3.2.6a-RGBFILE.patch
fig2dev-3.2.8a.tar.xz
transfig-3.2.8.dif
transfig-fix-afl.patch
transfig.changes
transfig.spec

/suse/werner> isc ls SUSE:SLE-11:Update transfig
_link
# -> SUSE:SLE-11:Update transfig.20308 (latest)
6827c09d.patch
fig2dev-3.2.6-fig2mpdf-doc.patch
fig2dev-3.2.6-fig2mpdf.patch
fig2dev-3.2.6a-RGBFILE.patch
fig2dev-3.2.8a.tar.xz
transfig-3.2.8.dif
transfig-fix-afl.patch
transfig.changes
transfig.spec
It should be mentioned that I have an updated version of transfig with fig2dev 3.2.8b:

Wed Oct  6 10:45:30 UTC 2021 - Dr. Werner Fink <werner@suse.de>

- Update to fig2dev version 3.2.8 Patchlevel 8b (Aug 2021)
  o Detect the output language from the output file name.
  o On the command line, a minus (-) as input or output file name refers to
    standard input or standard output.
  o Correct buffer overflows and segfaults, mainly due to maliciously crafted
    input files, tickets #113-117, #122, #123, #125-#135.
  o With -Lepic -P, generate a complete tex file.
  o Correctly produce a gif if a transparent color is given, ticket #121.
  o Return with error if no space is left on the device. Ticket #101.
- Remove patch 6827c09d.patch now upstream
- Add patch 1b09a8.patch from upstream (for ticket #137)
- Port patch fig2dev-3.2.6-fig2mpdf.patch back

The patch with the fix for ticket #137 fixes a typo, which makes the import of eps files work correctly. The tickets #113-117, #122, #123, and #125-#135 could also be relevant for security, but it seems there are no CVE tags yet.
(In reply to Dr. Werner Fink from comment #4)
> Now QA seems to be done (see below) can we now check if this bug is still
> valid?

I locally tested the PoC and it seems the updated package (v.3.2.8b) is no longer vulnerable. I don't see this CVE mentioned in the changes file; was that an oversight?
(In reply to Gianluca Gabrielli from comment #6)
> (In reply to Dr. Werner Fink from comment #4)
> > Now QA seems to be done (see below) can we now check if this bug is still
> > valid?
>
> I locally tested the poc and it seems the updated package (v.3.2.8b) is no
> longer vulnerable. I don't see this CVE mentioned in the changes file, was
> that an overlook?

I was the UM and added them manually to the changes file, because I think they were not known during submission at first. But only to the problematic updates (SLE11 and SLE12 imo). I am also not sure if I found all of them. So they would be missing in SLE15, because there the update went out without any major problems.
(In reply to Gianluca Gabrielli from comment #6)
> (In reply to Dr. Werner Fink from comment #4)
> > Now QA seems to be done (see below) can we now check if this bug is still
> > valid?
>
> I locally tested the poc and it seems the updated package (v.3.2.8b) is no
> longer vulnerable. I don't see this CVE mentioned in the changes file, was
> that an overlook?

On SLE-11, SLE-12, and SLE-15 we are talking about 3.2.8a, and IMHO with the submissions this bug was fixed before it was done ... the only problem was that the submissions had meanwhile got stuck within the QA channels.
The fix has been shipped with the version bump to all three codestreams. We are only missing the mention of this CVE / BZ ID in the related changes files. Can you please submit a request with the corrected changes file? Thank you.
This is an autogenerated message for OBS integration: This bug (1190611) was mentioned in https://build.opensuse.org/request/show/927524 Factory / transfig
SUSE-SU-2021:3584-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1189325,1189343,1189345,1189346,1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019
CVE References: CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2020-21680,CVE-2020-21681,CVE-2020-21682,CVE-2020-21683,CVE-2021-32280
JIRA References:
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP3 (src): transfig-3.2.8b-4.15.1
SUSE Linux Enterprise Workstation Extension 15-SP2 (src): transfig-3.2.8b-4.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:3584-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1189325,1189343,1189345,1189346,1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019
CVE References: CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2020-21680,CVE-2020-21681,CVE-2020-21682,CVE-2020-21683,CVE-2021-32280
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): transfig-3.2.8b-4.15.1
SUSE-SU-2021:3585-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019
CVE References: CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2021-32280
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): transfig-3.2.8b-2.20.1
SUSE OpenStack Cloud Crowbar 8 (src): transfig-3.2.8b-2.20.1
SUSE OpenStack Cloud 9 (src): transfig-3.2.8b-2.20.1
SUSE OpenStack Cloud 8 (src): transfig-3.2.8b-2.20.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): transfig-3.2.8b-2.20.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): transfig-3.2.8b-2.20.1
SUSE Linux Enterprise Server 12-SP5 (src): transfig-3.2.8b-2.20.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): transfig-3.2.8b-2.20.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): transfig-3.2.8b-2.20.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): transfig-3.2.8b-2.20.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): transfig-3.2.8b-2.20.1
HPE Helion Openstack 8 (src): transfig-3.2.8b-2.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:14836-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019
CVE References: CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2021-32280
JIRA References:
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): transfig-3.2.8b-160.16.2
SUSE Linux Enterprise Point of Sale 11-SP3 (src): transfig-3.2.8b-160.16.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): transfig-3.2.8b-160.16.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src): transfig-3.2.8b-160.16.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:1439-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1189325,1189343,1189345,1189346,1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019
CVE References: CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2020-21680,CVE-2020-21681,CVE-2020-21682,CVE-2020-21683,CVE-2021-32280
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): transfig-3.2.8b-lp152.6.9.1
openSUSE-SU-2021:1458-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1189325,1189343,1189345,1189346,1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019
CVE References: CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2020-21680,CVE-2020-21681,CVE-2020-21682,CVE-2020-21683,CVE-2021-32280
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP2 (src): transfig-3.2.8b-bp152.3.6.2
openSUSE-SU-2021:1481-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1189325,1189343,1189345,1189346,1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019
CVE References: CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2020-21680,CVE-2020-21681,CVE-2020-21682,CVE-2020-21683,CVE-2021-32280
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP3 (src): transfig-3.2.8b-bp153.3.6.3