VYPR
Unrated severity · NVD Advisory · Published Aug 10, 2021 · Updated Aug 4, 2024

CVE-2020-21683

Description

fig2dev 3.2.7b has a global buffer overflow in genpstricks.c leading to denial of service when converting a crafted xfig file to pstricks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A global buffer overflow exists in the shade_or_tint_name_after_declare_color function in genpstricks.c of fig2dev version 3.2.7b. The overflow occurs at line 1135 when processing a specially crafted xfig file, as reported in [1].

Exploitation

An attacker can trigger the overflow by supplying a malicious xfig file to the fig2dev utility for conversion to pstricks format. No authentication or user interaction beyond opening the file is required. The crafted file supplies an invalid color number that is used without validation, resulting in a 4-byte out-of-bounds read from a global buffer [1].

Impact

Successful exploitation results in a denial of service (DoS) due to the global buffer overflow, likely crashing the application. The ASAN report confirms a global-buffer-overflow read error [1].

Mitigation

As of the available reference [1], no official patch or fix has been disclosed. Users should avoid processing untrusted xfig files with fig2dev 3.2.7b until a patched version is released.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

24

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds check on user-supplied color number allows out-of-bounds read on the global color_table array in genpstricks.c."

Attack vector

An attacker provides a crafted Xfig file containing an invalid color number (e.g., -1674115757) on line 37 [1]. When fig2dev converts this file to pstricks format, the function shade_or_tint_name_after_declare_color at genpstricks.c:1135 uses the unchecked color number as an index into the global color_table array [1]. This results in a global-buffer-overflow read of 4 bytes at an address 4 bytes to the left of color_table, causing a denial of service via ASAN abort [1]. No authentication or special privileges are required beyond the ability to supply a malicious .fig file.

Affected code

The vulnerable code is in genpstricks.c, specifically the function shade_or_tint_name_after_declare_color at line 1135 [1]. The crash occurs when this function is called via format_options (line 1859) and genpstrx_line (line 2270) during the pstricks conversion process [1].

What the fix does

No patch is included in the bundle. The advisory [1] reports the bug as a ticket but does not provide a fix commit or remediation guidance. To close the vulnerability, the developer would need to add validation on the color number before it is used as an index into color_table, ensuring it falls within the valid range of the array.
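The following is an added illustration of the bounds-check remediation described above; it is not fig2dev's code. The color_table contents, its size NUM_COLORS, and the function names color_name_unchecked, color_name_checked, parse_color_field and resolve_color_field are all hypothetical stand-ins. It shows the unchecked lookup pattern beside a hardened version that validates the parsed color number before it touches the array, and parses the field with strtol so an out-of-range value such as the one in the advisory is rejected rather than silently wrapped.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a global color table (not fig2dev's own
 * declaration): eight named colors indexed by the color number that
 * a .fig reader extracts from the file. */
#define NUM_COLORS 8
static const char *const color_table[NUM_COLORS] = {
    "black", "blue", "green", "cyan", "red", "magenta", "yellow", "white"
};

/* Unchecked lookup: the defect pattern the advisory describes. A negative
 * or too-large color number indexes outside color_table, which is a
 * global-buffer-overflow read. Shown for contrast only; never call it
 * with untrusted input. */
const char *color_name_unchecked(int color) {
    return color_table[color];   /* no bounds check */
}

/* Hardened lookup: validate the index before it is used. Returning NULL
 * lets the caller reject the file or choose a fallback instead of crashing. */
const char *color_name_checked(long color) {
    if (color < 0 || color >= NUM_COLORS)
        return NULL;
    return color_table[color];
}

/* Parse one integer field from a .fig line. strtol reports overflow via
 * errno and rejects trailing junk, so malformed fields fail closed. */
int parse_color_field(const char *field, long *out) {
    char *end;
    errno = 0;
    long v = strtol(field, &end, 10);
    if (errno != 0 || end == field || *end != '\0')
        return 0;
    *out = v;
    return 1;
}

/* Parse a field and resolve it to a name; any failure yields "invalid". */
const char *resolve_color_field(const char *field) {
    long color;
    if (!parse_color_field(field, &color))
        return "invalid";
    const char *name = color_name_checked(color);
    return name ? name : "invalid";
}

int main(void) {
    /* Constructed sample fields: valid indexes, an off-by-one, the value
     * quoted in the advisory, and a non-numeric field. */
    const char *samples[] = { "4", "7", "8", "-1674115757", "abc" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i], resolve_color_field(samples[i]));
    return 0;
}
```

The check is the whole fix: a single comparison against the array bound turns an out-of-bounds read (and ASAN abort) into an ordinary parse error that the converter can report.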

Preconditions

  • Input: Attacker must supply a crafted Xfig (.fig) file with an invalid color number (e.g., -1674115757) on line 37.
  • Network: No special network access required; the victim must process the malicious file with fig2dev.

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.