Stack-based buffer overflow in the read_1_3_textobject function in f_readold.c in Xfig 3.2.5b and earlier, and in the read_textobject function in read1_3.c in fig2dev in Transfig 3.2.5a and earlier, allows remote attackers to execute arbitrary code via a long string in a malformed .fig file that uses the 1.3 file format. NOTE: some of these details are obtained from third party information.

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - Xfig, Transfig: Stack-based buffer overflow by loading malformed .FIG files (CVE-2009-4228)

  - Xfig: Stack-based buffer overflow by processing certain FIG images (CVE-2010-4262)

  - Xfig, possibly 3.2.5, allows local users to read and write arbitrary files via a symlink attack on the (1)     xfig-eps[PID], (2) xfig-pic[PID].pix, (3) xfig-pic[PID].err, (4) xfig-pcx[PID].pix, (5) xfig-xfigrc[PID],     (6) xfig[PID], (7) xfig-print[PID], (8) xfig-export[PID].err, (9) xfig-batch[PID], (10) xfig-exp[PID], or     (11) xfig-spell.[PID] temporary files, where [PID] is a process ID. (CVE-2009-1962)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - Xfig, Transfig: Stack-based buffer overflow by loading malformed .FIG files (CVE-2009-4228)

  - Xfig: Stack-based buffer overflow by processing certain FIG images (CVE-2010-4262)

  - Xfig, possibly 3.2.5, allows local users to read and write arbitrary files via a symlink attack on the (1)     xfig-eps[PID], (2) xfig-pic[PID].pix, (3) xfig-pic[PID].err, (4) xfig-pcx[PID].pix, (5) xfig-xfigrc[PID],     (6) xfig[PID], (7) xfig-print[PID], (8) xfig-export[PID].err, (9) xfig-batch[PID], (10) xfig-exp[PID], or     (11) xfig-spell.[PID] temporary files, where [PID] is a process ID. (CVE-2009-1962)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 4 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - Xfig, Transfig: Stack-based buffer overflow by loading malformed .FIG files (CVE-2009-4228)

  - Xfig: Stack-based buffer overflow by processing certain FIG images (CVE-2010-4262)

  - Xfig, possibly 3.2.5, allows local users to read and write arbitrary files via a symlink attack on the (1)     xfig-eps[PID], (2) xfig-pic[PID].pix, (3) xfig-pic[PID].err, (4) xfig-pcx[PID].pix, (5) xfig-xfigrc[PID],     (6) xfig[PID], (7) xfig-print[PID], (8) xfig-export[PID].err, (9) xfig-batch[PID], (10) xfig-exp[PID], or     (11) xfig-spell.[PID] temporary files, where [PID] is a process ID. (CVE-2009-1962)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote host is affected by the vulnerability described in GLSA-201412-14 (Xfig: User-assisted execution of arbitrary code)

    A stack-based buffer overflow and a stack consumption vulnerability have       been found in Xfig.
  Impact :

    A remote attacker could entice a user to open a specially crafted file,       potentially resulting in arbitrary code execution or a Denial of Service       condition.
  Workaround :

    There is no known workaround at this time.

fix buffer overflow on loading a malformed .fig file (CVE-2009-4227)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Fix a stack overflow when importing 1.3 files     (CVE-2009-4227)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities has been found and corrected in xfig :

Stack-based buffer overflow in the read_1_3_textobject function in f_readold.c in Xfig 3.2.5b and earlier, and in the read_textobject function in read1_3.c in fig2dev in Transfig 3.2.5a and earlier, allows remote attackers to execute arbitrary code via a long string in a malformed .fig file that uses the 1.3 file format. NOTE: some of these details are obtained from third-party information (CVE-2009-4227).

Stack consumption vulnerability in u_bound.c in Xfig 3.2.5b and earlier allows remote attackers to cause a denial of service (application crash) via a long string in a malformed .fig file that uses the 1.3 file format, possibly related to the readfp_fig function in f_read.c (CVE-2009-4228).

Stack-based buffer overflow in Xfig 3.2.4 and 3.2.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a FIG image with a crafted color definition (CVE-2010-4262).

Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149 products_id=490

The updated packages have been patched to correct these issues.

ID	Name	Product	Family	Severity
199368	RHEL 6 : xfig (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
199364	RHEL 5 : xfig (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
199345	RHEL 4 : xfig (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
79967	GLSA-201412-14 : Xfig: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	medium
61667	Fedora 16 : transfig-3.2.5d-4.fc16 (2012-11737)	Nessus	Fedora Local Security Checks	medium
61666	Fedora 17 : transfig-3.2.5d-7.fc17 (2012-11718)	Nessus	Fedora Local Security Checks	medium
61630	Fedora 16 : xfig-3.2.5-32.b.fc16 (2012-11813)	Nessus	Fedora Local Security Checks	medium
61629	Fedora 17 : xfig-3.2.5-32.b.fc17 (2012-11801)	Nessus	Fedora Local Security Checks	medium
51802	Mandriva Linux Security Advisory : xfig (MDVSA-2011:010)	Nessus	Mandriva Local Security Checks	medium

Detections

Analytics

CVE-2009-4227

critical

Tenable Plugins

high

high

high

medium

medium

medium

medium

medium

medium