VYPR
Unrated severity · NVD Advisory · Published Aug 10, 2021 · Updated Aug 4, 2024

CVE-2020-21681

Description

A global buffer overflow in fig2dev 3.2.7b set_color() allows denial of service via a crafted XFig file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A global buffer overflow vulnerability exists in the set_color component in genge.c (line 437) of fig2dev version 3.2.7b. When converting a specially crafted XFig file into the GE format, the function attempts to read a color index beyond the bounds of the global color array, causing a read overflow. The issue is triggered during processing of arc objects in genge_arc [1].

Exploitation

An attacker needs only to provide a malicious .fig file (XFig format) to the victim who runs fig2dev for conversion to GE format. No special privileges or user interaction beyond opening the file is required; the overflow occurs during normal processing of input data. The proof-of-concept involves a file with a color identifier (e.g., color 41) that cannot be located, leading to the out-of-bounds read [1].

Impact

Successful exploitation causes a denial of service (DoS) due to the global buffer overflow, which typically results in a crash of the fig2dev process. The vulnerability is a read overflow, so it may also leak memory contents; however, the primary and confirmed impact is availability loss. No privilege escalation or remote code execution is reported in the source [1].

Mitigation

The issue was reported to the maintainers and appears to be closed as of December 2020 on the project's ticket tracker [1]. Users should update to a version containing the fix (likely after 3.2.7b). If a patched version is unavailable, avoid processing untrusted .fig files with fig2dev until an update is applied.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 25

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds check on user-supplied color index in set_color() at genge.c:437 allows reading past the end of the GE_COLORS array."

Attack vector

An attacker crafts a malicious Xfig file that references a color index (e.g., color 41) beyond the valid range. When fig2dev converts this file to ge format, the set_color() function at genge.c:437 reads from the global GE_COLORS array using the unchecked index, causing a global-buffer-overflow [ref_id=1]. The overflow is a read of size 4 at an address 4 bytes to the left of GE_COLORS, which can crash the process and result in a denial of service [ref_id=1]. No authentication or special privileges are required; the victim only needs to open the crafted file with fig2dev.

Affected code

The vulnerable function is set_color() in genge.c at line 437 [ref_id=1]. The call chain is: main() → gendev_objects() → genge_arc() → set_color() [ref_id=1]. The global array GE_COLORS (defined at genge.c:55) of size 128 is read without a bounds check on the color index.

What the fix does

The advisory does not include a patch diff, but the ticket [ref_id=1] notes the issue was reproducible in git commit 3065ab and the ticket was closed, implying a fix was applied. The remediation would require adding a bounds check in set_color() at genge.c:437 to validate that the user-supplied color index falls within the range of the GE_COLORS array before dereferencing it. Without such a check, any color index outside the valid range triggers the buffer over-read.
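The bounds check described under "What the fix does" and "Root cause", as an added illustration that is not fig2dev's code: a simplified model of the set_color() pattern in C, with the unchecked lookup next to a checked one. The array size of 128 is taken from the advisory. The colour-resolution step, the -1 sentinel for a colour that "cannot be located" (consistent with the advisory's read 4 bytes to the left of GE_COLORS), the split into 32 standard and 64 user colours, the fallback pen, and the table contents are all assumptions constructed for the example.

```c
/* Added example modelled on the advisory's description; not fig2dev source.
 * Shows how an unvalidated colour index reaches a global array and how a
 * bounds check before the dereference removes the over-read. */
#include <stdio.h>
#include <stdbool.h>

#define NUM_GE_COLORS   128   /* size of GE_COLORS stated in the advisory */
#define NUM_STD_COLORS   32   /* assumption: standard Fig colours 0..31 */
#define MAX_USER_COLORS  64   /* assumption: user colour slots 32..95 */
#define DEFAULT_GE_COLOR  0   /* assumption: fallback pen index */

/* Constructed GE pen table: GE_COLORS[i] is the pen for resolved index i. */
static const int GE_COLORS[NUM_GE_COLORS] = {
    [0] = 100, [1] = 101, [31] = 131, [32] = 132, [127] = 227
};

/* Constructed per-file state: user_defined[k] is true when user colour
 * 32+k was declared in the .fig file. Here only user colour 32 exists. */
static const bool user_defined[MAX_USER_COLORS] = { [0] = true };

/* Map a Fig colour number to an index into GE_COLORS.
 * Returns -1 when the colour was never defined (assumed sentinel for the
 * "cannot be located" case the advisory describes). */
int resolve_color(int fig_color) {
    if (fig_color >= 0 && fig_color < NUM_STD_COLORS)
        return fig_color;
    int k = fig_color - NUM_STD_COLORS;
    if (k >= 0 && k < MAX_USER_COLORS && user_defined[k])
        return fig_color;
    return -1;
}

/* Unchecked pattern: the resolved index is used as-is, so an undefined
 * colour (index -1) reads 4 bytes before GE_COLORS, which is undefined
 * behaviour and matches the global-buffer-overflow read of size 4. */
int set_color_unchecked(int fig_color) {
    int idx = resolve_color(fig_color);
    return GE_COLORS[idx];
}

/* Hardened pattern: validate the index before touching the array. */
bool ge_index_valid(int idx) {
    return idx >= 0 && idx < NUM_GE_COLORS;
}

int set_color_checked(int fig_color) {
    int idx = resolve_color(fig_color);
    if (!ge_index_valid(idx)) {
        fprintf(stderr, "color %d not defined in file; using default pen\n",
                fig_color);
        idx = DEFAULT_GE_COLOR;
    }
    return GE_COLORS[idx];
}

int main(void) {
    /* Constructed probe values; 41 is the undefined user colour from the
     * advisory's proof-of-concept. Only the checked path is exercised. */
    int probes[] = { 7, 32, 41, -1, 200 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("fig color %4d -> pen %d\n", probes[i],
               set_color_checked(probes[i]));
    return 0;
}
```

The check belongs on the resolved index rather than on the raw colour number, because it is the resolved value (here -1) that indexes the global array; checking only that the file's colour number is non-negative would still let an undefined user colour through.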

Preconditions

  • Input: Attacker supplies a crafted Xfig file containing a color index (e.g., color 41) that exceeds the valid range of the GE_COLORS array.
  • Network: The victim must open the malicious file with fig2dev (version 3.2.7b or affected commit). No network access is required beyond file delivery.

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.