CVE-2020-21682

Vulnerability

A global buffer overflow exists in the set_fill component of genge.c in fig2dev version 3.2.7b. The vulnerability occurs at line 446 of genge.c when processing a specially crafted XFig file. The set_fill function is called during the conversion of an XFig file to GEn (GE) format. The overflow is triggered by an invalid color number, such as -16, which causes an out-of-bounds read on a global array. No special configuration beyond using the default command-line conversion is required.

Exploitation

An attacker can exploit this vulnerability by providing a malicious XFig file (with an invalid color number in the fill specification) to the fig2dev utility. The user must run fig2dev to convert the file (e.g., fig2dev -L ge). No authentication or elevated privileges are needed; the attack is local or remote if the user processes a file from an untrusted source. The bug is triggered during the set_fill call in genge_line (line 143) and subsequently in gendev_objects and main. The AddressSanitizer report confirms a global-buffer-overflow read of size 4 at address 0x0000009b325c.

Impact

Successful exploitation leads to a denial of service (DoS) due to a segmentation fault or crash. The impact is limited to availability; no information disclosure or remote code execution is described in the available references. The crash occurs during file processing, potentially aborting the conversion and affecting dependent workflows.

Mitigation

The fig2dev ticket #72 [1] indicates the issue was reported in December 2019 and closed in December 2020. A fix is likely included in a later version of fig2dev (e.g., 3.2.8 or later). Users should upgrade to the latest version of fig2dev. As a workaround, do not process untrusted XFig files. No KEV listing is known.