CVE-2009-4227
Published 2009-12-08
CVE-2009-4227: Stack-based buffer overflow in the read_1_3_textobject function in f_readold.c in Xfig 3.2.5b and earlier, and in the read_textobject function in read1_3.c in…
Priority P338 · medium · 6.8 · CVSS 2.0
AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 10.60% (95.2th percentile)
Stack-based buffer overflow in the read_1_3_textobject function in f_readold.c in Xfig 3.2.5b and earlier, and in the read_textobject function in read1_3.c in fig2dev in Transfig 3.2.5a and earlier, allows remote attackers to execute arbitrary code via a long string in a malformed .fig file that uses the 1.3 file format. NOTE: some of these details are obtained from third party information.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | xfig | < xfig 1:3.2.5.b-1 (bookworm) | xfig 1:3.2.5.b-1 (bookworm) |
| xfig | xfig | <= 3.2.5b | — |
| xfig | xfig | — | — |
| xfig | xfig | >= 0 < 1:3.2.5.b-1 | 1:3.2.5.b-1 |
| xfig | xfig | >= 0 < 1:3.2.5.b-1 | 1:3.2.5.b-1 |
| xfig | xfig | >= 0 < 1:3.2.5.b-1 | 1:3.2.5.b-1 |
| xfig | xfig | >= 0 < 1:3.2.5.b-1 | 1:3.2.5.b-1 |
CVSS provenance
nvd · v2.0 · 6.8 · MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
osv · 6.8 · MEDIUM
vendor_debian · 6.8 · LOW
vendor_redhat · 6.8 · MEDIUM
GHSA
GHSA-3pwv-p24f-xm44: Stack-based buffer overflow in the read_1_3_textobject function in f_readold
ghsa_unreviewed·2022-05-02
CVE-2009-4227 [MEDIUM] CWE-119 GHSA-3pwv-p24f-xm44: Stack-based buffer overflow in the read_1_3_textobject function in f_readold
OSV
CVE-2009-4227: Stack-based buffer overflow in the read_1_3_textobject function in f_readold
osv·2009-12-08·CVSS 6.8
CVE-2009-4227 [MEDIUM] CVE-2009-4227: Stack-based buffer overflow in the read_1_3_textobject function in f_readold
Red Hat
Transfig: Stack-based buffer overflow by loading malformed .FIG files
vendor_redhat·2009-12-03·CVSS 6.8
CVE-2009-4227 [MEDIUM] CWE-121 Transfig: Stack-based buffer overflow by loading malformed .FIG files
Statement: Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-4227
The Red Hat Product Security has rated this issue as having moderate security impact; a future update may address this flaw. More information regarding issue severity can be found her
Debian
CVE-2009-4227: xfig - Stack-based buffer overflow in the read_1_3_textobject function in f_readold.c i...
vendor_debian·2009·CVSS 6.8
CVE-2009-4227 [MEDIUM] CVE-2009-4227: xfig - Stack-based buffer overflow in the read_1_3_textobject function in f_readold.c i...
Scope: local
bookworm: resolved (fixed in 1:3.2.5.b-1)
bullseye: resolved (fixed in 1:3.2.5.b-1)
forky: resolved (fixed in 1:3.2.5.b-1)
sid: resolved (fixed in 1:3.2.5.b-1)
trixie: resolved (fixed in 1:3.2.5.b-1)
No detection rules found.
Bugzilla
CVE-2009-4227 CVE-2009-4228 Xfig: Stack-based buffer overflow by loading malformed .FIG files [fedora-all]
bugzilla·2012-08-03·CVSS 6.8
CVE-2009-4227 [MEDIUM] CVE-2009-4227 CVE-2009-4228 Xfig: Stack-based buffer overflow by loading malformed .FIG files [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.
Bugzilla
CVE-2009-4227 CVE-2009-4228 Xfig, Transfig: Stack-based buffer overflow by loading malformed .FIG files
bugzilla·2009-12-03·CVSS 6.8
CVE-2009-4227 [MEDIUM] CVE-2009-4227 CVE-2009-4228 Xfig, Transfig: Stack-based buffer overflow by loading malformed .FIG files
PEDAMACHEPHEPTOLIONES and D.B. COOPER found a stack-based buffer
overflow, present in Xfig, Transfig by loading malformed .FIG files.
A remote attacker could provide a specially-crafted .FIG text
object file, which once opened by a local, unsuspecting user would
lead to denial of service (Xfig, fig2dev crash).
References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559274
Fortran PoC by PEDAMACHEPHEPTOLIONES:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=xfig_poc.f;att=1;bug=559274
CVE was requested here:
http://www.openwall.com/lists/oss-security/2009/12/03/2
Discussion:
Created attachment 375778
Local copy of Fortran Xfig PoC from PEDAMACHEPHEPTOLIONES, D.B. CO
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559274
http://secunia.com/advisories/37571
http://secunia.com/advisories/37577
http://www.mandriva.com/security/advisories?name=MDVSA-2011:010
http://www.openwall.com/lists/oss-security/2009/12/03/2
http://www.securityfocus.com/bid/37193
http://www.vupen.com/english/advisories/2011/0108
https://bugzilla.redhat.com/show_bug.cgi?id=543905
https://exchange.xforce.ibmcloud.com/vulnerabilities/54525