Package: fig2dev
Version: 1:3.2.6a-6
Severity: important
Tags: security
null dereference running fig2dev with "-L pdf poc" option
Running 'fig2dev -L pdf poc' with the attached file raises a null dereference,
which may allow a remote attacker to cause a denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes
as follows:
june@june:~/temp/report/fig2dev/null$ ../../binary/fig2dev-3.2.6a/fig2dev/fig2dev -L pdf poc
incomplete spline object
ASAN:DEADLYSIGNAL
=
==16804==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc
0x5557911b bp 0x6080bf20 sp 0x7fffd8d0 T0)
#0 0x5557911a in free_splinestorage
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/free.c:122
#1 0x5557ad0d in read_splineobject
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read1_3.c:430
#2 0x5557bef7 in read_1_3_objects
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read1_3.c:102
#3 0x55581ad4 in readfp_fig
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:187
#4 0x5556eb70 in main
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/fig2dev.c:412
#5 0x763762b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x5556f259 in _start
(/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/fig2dev+0x1b259)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/free.c:122 in
free_splinestorage
==16804==ABORTING
-- System Information:
Debian Release: 9.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'),
(500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages fig2dev depends on:
ii gawk 1:4.1.4+dfsg-1
ii libc6 2.24-11+deb9u1
ii libpng16-16 1.6.28-1
ii libxpm4 1:3.5.12-1
ii x11-common 1:7.7+19
Versions of packages fig2dev recommends:
ii ghostscript 9.20~dfsg-3.2+deb9u1
ii netpbm 2:10.0-15.3+b2
Versions of packages fig2dev suggests:
pn xfig
-- no debconf information
71
0
1
16 3
16 6
0
16 6
0
1
1 6
1=6
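
Added example, not part of the original report: a Python triage helper that parses the AddressSanitizer trace above, including frames whose source location was wrapped onto the next line by the mailer, and derives a stable bucket key for deduplicating crash reports. The names `parse_asan` and `signature` and the key format are assumptions of this example; `REPORT` holds a subset of the trace lines copied from the report.

```python
import posixpath
import re

# Trace lines copied from the report above, still wrapped as in the e-mail.
REPORT = """\
==16804==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc
0x5557911b bp 0x6080bf20 sp 0x7fffd8d0 T0)
#0 0x5557911a in free_splinestorage
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/free.c:122
#1 0x5557ad0d in read_splineobject
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read1_3.c:430
#2 0x5557bef7 in read_1_3_objects
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read1_3.c:102
#5 0x763762b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
"""

ERROR = re.compile(r"ERROR: AddressSanitizer: (\S+)")
FRAME = re.compile(r"^#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)(?:\s+(\S+))?$")

def parse_asan(text):
    """Return (error kind, [(frame no, function, location or None)])."""
    lines = [l.strip() for l in text.splitlines()]
    kind, frames = None, []
    for i, line in enumerate(lines):
        if (m := ERROR.search(line)):
            kind = m.group(1)
        if not (m := FRAME.match(line)):
            continue
        loc = m.group(3)
        # Mail wrapping pushes the location onto the following line.
        if loc is None and i + 1 < len(lines) and lines[i + 1][:1] in ("/", "("):
            loc = lines[i + 1]
        frames.append((int(m.group(1)), m.group(2), loc))
    return kind, frames

def signature(text, depth=3):
    """Bucket key: error kind plus the innermost frames that have source info."""
    kind, frames = parse_asan(text)
    parts = []
    for _, func, loc in frames:
        if loc is None or loc.startswith("("):
            continue  # module+offset only (libc, _start): no use for bucketing
        # Drop the build directory and line number so rebuilds bucket together.
        parts.append(f"{func}@{posixpath.basename(loc).rsplit(':', 1)[0]}")
    return f"{kind}:" + "<".join(parts[:depth])

if __name__ == "__main__":
    print(signature(REPORT))
```

The key deliberately ignores addresses and build paths, so the same crash reproduced on another machine or with ASLR enabled lands in the same bucket.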