Debian Bug report logs - #559274
xfig: buffer overflow in read .fig file


Package: xfig; Maintainer for xfig is Roland Rosenfeld <>; Source for xfig is src:xfig.

Reported by: pedamachephepto liones <>

Date: Thu, 3 Dec 2009 09:21:01 UTC

Severity: grave

Tags: security

Found in version xfig/1:3.2.5-rel-3

Fixed in version xfig/1:3.2.5.b-1

Done: Roland Rosenfeld <>

Bug is archived. No further changes may be made.


Report forwarded to, Roland Rosenfeld <>:
Bug#559274; Package xfig. (Thu, 03 Dec 2009 09:21:05 GMT)

Acknowledgement sent to pedamachephepto liones <>:
New Bug report received and forwarded. Copy sent to Roland Rosenfeld <>. (Thu, 03 Dec 2009 09:21:05 GMT)

Message #5 received at:

From: pedamachephepto liones <>
Subject: xfig: buffer overflow in read .fig file
Date: Thu, 3 Dec 2009 10:16:51 +0100
Subject: xfig: buffer overflow in read .fig file
Package: xfig
Version: 1:3.2.5-rel-3
Severity: grave
Justification: user security hole
Tags: security

xfig and fig2dev in the transfig package will buffer overflow when reading
a .fig file. See the included PoC file; compile with gfortran.


-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686-bigmem (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages xfig depends on:
ii  libc6                    2.7-18          GNU C Library: Shared libraries
ii  libjpeg62                6b-14           The Independent JPEG Group's JPEG
ii  libpng12-0               1.2.27-2+lenny2 PNG library - runtime
ii  libx11-6                 2:1.1.5-2       X11 client-side library
ii  libxi6                   2:1.1.4-1       X11 Input extension library
ii  libxpm4                  1:3.5.7-1       X11 pixmap library
ii  libxt6                   1:1.0.5-3       X11 toolkit intrinsics library
ii  xaw3dg                   1.5+E-17        Xaw3d widget set

Versions of packages xfig recommends:
ii  transfig                 1:3.2.5-rel-3.1 Utilities for converting XFig figu
ii  xfig-libs                1:3.2.5-rel-3   XFig image libraries and examples

-- no debconf information
[xfig_poc.f (text/x-fortran, attachment)]

Information forwarded to, Roland Rosenfeld <>:
Bug#559274; Package xfig. (Fri, 04 Dec 2009 12:03:08 GMT)

Acknowledgement sent to Hans de Goede <>:
Extra info received and forwarded to list. Copy sent to Roland Rosenfeld <>. (Fri, 04 Dec 2009 12:03:08 GMT)

Message #10 received at:

From: Hans de Goede <>
Subject: xfig: buffer overflow in read .fig file
Date: Fri, 04 Dec 2009 12:38:56 +0100
Hi all,

I'm the Fedora package maintainer of xfig,
I've created a patch for xfig-3.2.5b, which fixes this overflow. Note that
after this xfig will still crash on plane.fig, going into a recursive function
call loop inside u_bound.c, till it exceeds its maximum stack size.

This may be caused by the use of an uninitialized variable
resolution (for 1.3 files) inside f_read.c:readfp_fig() when calling

Given that this other bug has lingered for quite a long while, I'm wondering
if 1.3 format support is still functional at all, and if it would not be
better to simply disable it?

Can anyone provide me with some valid 1.3 format files to see how much work it
will be to fix 1.3 format support?


For discussion and:

For the patch.
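The defect class this thread deals with (a "stack-based buffer overflow by loading malformed .FIG files", per the changelog in the fix) comes from reading a text field of an input file into a fixed-size array on the stack without a length bound. The following C program is an added illustration written for this page; it is not xfig's, transfig's or the Fedora patch's code, and the one-record-per-line grammar it parses ("name x y") is a constructed stand-in, not the real .fig grammar. It places the unbounded `sscanf("%s")` pattern next to a bounded version that also detects, rather than silently clips, an over-long field. The function and macro names (`parse_record_unbounded`, `parse_record_bounded`, `fig_check_line`, `fig_line_sum`, `NAME_MAX_LEN`) are all hypothetical.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not xfig's or transfig's code. The record grammar
 * used here ("name x y", one record per line) is a constructed stand-in
 * for a line-oriented text format such as .fig; it is not the real .fig
 * grammar. It contrasts an unbounded stack-buffer read with a bounded
 * one that rejects over-long fields. */

#define NAME_MAX_LEN 16           /* bytes reserved for the name field */
#define STR_(x) #x
#define STR(x) STR_(x)            /* turns NAME_MAX_LEN into the string "16" */

struct record {
    char name[NAME_MAX_LEN];      /* up to NAME_MAX_LEN-1 chars plus NUL */
    int x;
    int y;
};

/* Unsafe pattern: "%s" has no field width, so a name longer than
 * NAME_MAX_LEN-1 bytes writes past the end of the stack array 'name'.
 * Kept only for comparison with the bounded version below; the demo
 * never calls it on the over-long sample inputs. */
int parse_record_unbounded(const char *line, struct record *out)
{
    char name[NAME_MAX_LEN];
    if (sscanf(line, "%s %d %d", name, &out->x, &out->y) != 3)
        return -1;                /* malformed record */
    strcpy(out->name, name);
    return 0;
}

/* Bounded version. The field width caps what sscanf may store, and the
 * spare byte in the local buffer lets us tell "fits" from "was clipped",
 * so an over-long name is rejected instead of silently truncated.
 * Return codes: 0 ok, -1 malformed record, -2 name field too long. */
int parse_record_bounded(const char *line, struct record *out)
{
    char name[NAME_MAX_LEN + 1];  /* one spare byte to detect clipping */

    /* "%16s" stores at most NAME_MAX_LEN chars (plus the NUL). */
    if (sscanf(line, "%" STR(NAME_MAX_LEN) "s %d %d",
               name, &out->x, &out->y) != 3)
        return -1;
    if (strlen(name) >= NAME_MAX_LEN)
        return -2;                /* would not fit in out->name with its NUL */
    memcpy(out->name, name, strlen(name) + 1);
    return 0;
}

/* Helpers that expose results as return values for callers and tests. */
int fig_check_line(const char *line)
{
    struct record r;
    return parse_record_bounded(line, &r);
}

int fig_line_sum(const char *line)
{
    struct record r;
    if (parse_record_bounded(line, &r) != 0)
        return INT_MIN;           /* sentinel: line was rejected */
    return r.x + r.y;
}

int main(void)
{
    /* Constructed sample lines: a well-formed record, a name of exactly
     * NAME_MAX_LEN chars, an over-long name, and a malformed record. */
    const char *samples[] = {
        "box 10 20",
        "exactly16charsab 1 2",
        "a_very_long_field_name_here 1 2",
        "nonumbers",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s -> %d\n", samples[i], fig_check_line(samples[i]));
    return 0;
}
```

The width in the format string is derived from the same macro that sizes the buffers, so the two cannot drift apart when the field size is changed later; that coupling is the part most often missing when a `%s` read is "fixed" by hand.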



Reply sent to Roland Rosenfeld <>:
You have taken responsibility. (Sun, 06 Dec 2009 12:57:25 GMT)

Notification sent to pedamachephepto liones <>:
Bug acknowledged by developer. (Sun, 06 Dec 2009 12:57:25 GMT)

Message #15 received at:

From: Roland Rosenfeld <>
Subject: Bug#559274: fixed in xfig 1:3.2.5.b-1
Date: Sun, 06 Dec 2009 12:56:34 +0000
Source: xfig
Source-Version: 1:3.2.5.b-1

We believe that the bug you reported is fixed in the latest version of
xfig, which is due to be installed in the Debian FTP archive:

  to main/x/xfig/xfig-doc_3.2.5.b-1_all.deb
  to main/x/xfig/xfig-libs_3.2.5.b-1_all.deb
  to main/x/xfig/xfig_3.2.5.b-1.diff.gz
  to main/x/xfig/xfig_3.2.5.b-1.dsc
  to main/x/xfig/xfig_3.2.5.b-1_amd64.deb
  to main/x/xfig/xfig_3.2.5.b.orig.tar.gz

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Roland Rosenfeld <> (supplier of updated xfig package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing


Format: 1.8
Date: Sun, 06 Dec 2009 12:56:18 +0100
Source: xfig
Binary: xfig xfig-doc xfig-libs
Architecture: source all amd64
Version: 1:3.2.5.b-1
Distribution: unstable
Urgency: low
Maintainer: Roland Rosenfeld <>
Changed-By: Roland Rosenfeld <>
 xfig       - Facility for Interactive Generation of figures under X11
 xfig-doc   - XFig on-line documentation and examples
 xfig-libs  - XFig image libraries and examples
Closes: 530898 535181 556705 559274
 xfig (1:3.2.5.b-1) unstable; urgency=low
   * New upstream version 3.2.5b.
   * Remove patches that are incorporated upstream: 25_mkstemp,
     26_missingprotos, 27_zoom-crash, 28_text-size-input, 29_print_segfault.
   * 30_figparserstack: Fix Stack-based buffer overflow by loading
     malformed .FIG files
     ( (Closes: #559274).
   * Upgrade to Standards-Version 3.8.3 (no changes).
   * Added debian/README.source (from dpatch package) to explain how dpatch
   * Remove path from update-xaw-wrappers script in preinst.
   * 31_spelling: Fix spelling errors in binary.
   * 13_remove_extra_libs: s/XTOOLONLYLIIB/XTOOLONLYLIB/, so Xt is linked
     into the binary to make binutils-gold happy (Closes: #556705).
   * 32_papersize_b1: xfig -papersize b1 now really uses B1 instead of B10
     (Closes: #535181).
   * 33_pdfimport_mediabox: Fix reading "/MediaBox" when importing PDF.
     Thanks t for providing a patch (Closes: #530898).
   * 34_old_shadows: Restore old shadow behavior. Reduce shadow width to 1
     pixel and fix a green scrollbar shadow.
 7be9e9bac3882beab1abb002bb5cd2302c76c48d 1157 xfig_3.2.5.b-1.dsc
 e0e3c9a9df6fac8f1536c2209025577edb1d1d9e 5770796 xfig_3.2.5.b.orig.tar.gz
 d474180fbeb6955e79bfc67520ad775a87b68d80 46856 xfig_3.2.5.b-1.diff.gz
 ddcba53dffd08e5d37492fbf99fe93392943c7b0 3363512 xfig-doc_3.2.5.b-1_all.deb
 7773821c1a925978306d6c75ff5c579b018a2ac6 1677778 xfig-libs_3.2.5.b-1_all.deb
 b26c18cfb2ee2dc071b0e3bed6205c1fc0655022 739228 xfig_3.2.5.b-1_amd64.deb
 e9af271607a1c360015dfd05cf3190fdd5c43c325fae6da47ba381e84d5148ff 1157 xfig_3.2.5.b-1.dsc
 ab13d0f37b6f126c16df2026c61970bc9902b9b1c9f410e47beeb0caa95b1b4c 5770796 xfig_3.2.5.b.orig.tar.gz
 7d59444e3cbd464f580ed2c3c19c02ab07579a434323a875b5e61817aa9d9379 46856 xfig_3.2.5.b-1.diff.gz
 a3e4c685422fcb86213edcc902a2499ec1ca32db3c9ff130ffad70e40d0e6a9f 3363512 xfig-doc_3.2.5.b-1_all.deb
 22727b249bc5d31e06b5ebda1c0be136f6bf5b75e5328b26031b0a7eec59e8ba 1677778 xfig-libs_3.2.5.b-1_all.deb
 ad25d867fbb3f50a9b892a5a08d24bbb8971db10a2c46402960776e76db4a69d 739228 xfig_3.2.5.b-1_amd64.deb
 e7bf421ba20d4101502268b9e280113a 1157 graphics optional xfig_3.2.5.b-1.dsc
 d466efd7a293df39262a6ee0083f3197 5770796 graphics optional xfig_3.2.5.b.orig.tar.gz
 724c61b921e376a4c47218256f63b641 46856 graphics optional xfig_3.2.5.b-1.diff.gz
 b114f5d3b164a89881a8741748eee4e9 3363512 doc optional xfig-doc_3.2.5.b-1_all.deb
 ef66b652d198fc9132c7c874dd30ee81 1677778 graphics optional xfig-libs_3.2.5.b-1_all.deb
 22a9f1d69a890cc8149c3d3d6c888775 739228 graphics optional xfig_3.2.5.b-1_amd64.deb



Bug archived. Request was from Debbugs Internal Request <> to (Mon, 07 Mar 2011 09:50:04 GMT)


Debian bug tracking system administrator <>. Last modified: Thu Apr 24 21:52:38 2014; Machine Name:

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.