Vulnerabilities > CVE-2019-14275 - Out-of-bounds Write vulnerability in multiple products

047910
CVSS 5.5 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
local
low complexity
xfig-project
debian
opensuse
CWE-787
nessus

Summary

Xfig fig2dev 3.2.7a has a stack-based buffer overflow in the calc_arrow function in bound.c.

Vulnerable Configurations

Part Description Count
Application
Xfig_Project
1
OS
Debian
1
OS
Opensuse
2

Common Weakness Enumeration (CWE)

Nessus

NASL familyDebian Local Security Checks
NASL idDEBIAN_DLA-2073.NASL
descriptionSeveral issues have been found in transfig, a XFig figure files converter. CVE-2018-16140 Buffer underwrite vulnerability in get_line() allows an attacker to write prior to the beginning of the buffer via a crafted .fig file. CVE-2019-14275 Stack-based buffer overflow in the calc_arrow function in bound.c. CVE-2019-19555 Stack-based buffer overflow because of an incorrect sscanf. For Debian 8
last seen2020-06-01
modified2020-06-02
plugin id133150
published2020-01-22
reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/133150
titleDebian DLA-2073-1 : transfig security update
code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-2073-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(133150);
  script_version("1.2");
  script_cvs_date("Date: 2020/01/24");

  script_cve_id("CVE-2018-16140", "CVE-2019-14275", "CVE-2019-19555");

  script_name(english:"Debian DLA-2073-1 : transfig security update");
  script_summary(english:"Checks dpkg output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Several issues have been found in transfig, a XFig figure files
converter.

CVE-2018-16140

Buffer underwrite vulnerability in get_line() allows an attacker to
write prior to the beginning of the buffer via a crafted .fig file.

CVE-2019-14275

Stack-based buffer overflow in the calc_arrow function in bound.c.

CVE-2019-19555

Stack-based buffer overflow because of an incorrect sscanf.

For Debian 8 'Jessie', these problems have been fixed in version
1:3.2.5.e-4+deb8u2.

We recommend that you upgrade your transfig packages.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2020/01/msg00018.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/jessie/transfig"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Upgrade the affected transfig package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:transfig");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/01/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/22");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"8.0", prefix:"transfig", reference:"1:3.2.5.e-4+deb8u2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");