CVE-2021-3561
Description
A global buffer overflow in fig2dev 3.2.8a's read_objects() function can crash or corrupt memory via crafted FIG files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A global buffer overflow exists in fig2dev 3.2.8a in the read_objects() function in fig2dev/read.c [1][2]. The bounds check applied while processing color definitions from a FIG file is insufficient: a color name string is copied into a fixed-size global buffer via sprintf() without adequate length validation [1][2][3]. A FIG file with an overly long or malformed color definition therefore makes sprintf() write past the end of that global buffer; the AddressSanitizer report in the ticket locates the out-of-bounds write at the gif_transparent global [2].
Exploitation
Exploitation requires only that the victim run fig2dev on a crafted FIG file (e.g., ./fig2dev -L box <crafted_file>) [2]. No special privileges are needed; converting the file is enough. The overflow is triggered in read_objects() at read.c line 505, where the parsed color data is written into a fixed-size buffer [2]. The proof-of-concept file attached to the ticket crashes the tool under AddressSanitizer, which reports a write of size 14 into a global buffer [2].
Impact
Successful exploitation results in a denial of service (application crash) and, because the write corrupts memory beyond the buffer, possibly further consequences up to code execution, although no such exploit is documented [1]. Per the CVE description, the highest threat is to system integrity and availability [1]. The attacker gains no persistent access; the effect is limited to the fig2dev process that converts the file.
Mitigation
The fix was committed to the fig2dev repository on April 24, 2021, in commit 6827c0 ("Sanitize color definitions, ticket #116") [3]. Users should update to a version containing this patch (e.g., fig2dev 3.2.8b or later) or to the patched distribution builds listed under Affected products. No workaround is documented; not processing untrusted FIG files is the general precaution. Red Hat rated this a medium-severity issue and does not consider it a security bug in actively supported products [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- fig2dev/fig2dev (upstream; version 3.2.8a per the description)
- Distribution packages (OSV coordinates; builds older than the listed version are affected):
  - pkg:rpm/opensuse/transfig (distro=openSUSE Leap 15.2): < 3.2.8a-lp152.6.6.2
  - pkg:rpm/opensuse/transfig (distro=openSUSE Leap 15.3): < 3.2.8a-bp153.3.3.2
  - pkg:rpm/opensuse/transfig (distro=openSUSE Tumbleweed): < 3.2.8a-5.1
  - pkg:rpm/suse/transfig (distro=HPE Helion OpenStack 8): < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig (distro=SUSE Linux Enterprise Point of Sale 11 SP3): < 3.2.8a-1.160.13.1
  - pkg:rpm/suse/transfig (distro=SUSE Linux Enterprise Server 11 SP4-LTSS): < 3.2.8a-1.160.13.1
  - pkg:rpm/suse/transfig (distro=SUSE Linux Enterprise Server 12 SP2-BCL): < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig (distro=SUSE Linux Enterprise Server 12 SP3-BCL): < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig (distro=SUSE Linux Enterprise Server 12 SP3-LTSS): < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig (distro=SUSE Linux Enterprise Server 12 SP4-LTSS): < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig (distro=SUSE Linux Enterprise Server 12 SP5): < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig (distro=SUSE Linux Enterprise Server for SAP Applications 12 SP3): < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig (distro=SUSE Linux Enterprise Server for SAP Applications 12 SP4): < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig (distro=SUSE Linux Enterprise Server for SAP Applications 12 SP5): < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig (distro=SUSE Linux Enterprise Workstation Extension 15 SP2): < 3.2.8a-4.12.2
  - pkg:rpm/suse/transfig (distro=SUSE Linux Enterprise Workstation Extension 15 SP3): < 3.2.8a-4.12.2
  - pkg:rpm/suse/transfig (distro=SUSE OpenStack Cloud 8): < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig (distro=SUSE OpenStack Cloud 9): < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig (distro=SUSE OpenStack Cloud Crowbar 8): < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig (distro=SUSE OpenStack Cloud Crowbar 9): < 3.2.8a-2.17.1
  - pkg:rpm/suse/transfig (distro=SUSE Package Hub 15 SP2): < 3.2.8a-bp152.3.3.2
  - pkg:rpm/suse/transfig (distro=SUSE Package Hub 15 SP3): < 3.2.8a-bp153.3.3.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"A flawed bounds check in `read_objects()` allows `sprintf` to write past the end of a global buffer when processing malformed color definitions."
Attack vector
An attacker provides a crafted FIG file with malformed color definitions (e.g., lines such as `0#U75 0 6750 #1 -1 4 -1 -1 0.000 0 0 1 0 -1 0 0,5` and `0 i`) that trigger a flawed bounds check in `read_objects()` [ref_id=1]. When `fig2dev` processes this malicious input via `./fig2dev -L box <crafted_file>`, the `sprintf` call at read.c:505 writes past the end of a global buffer, causing a global-buffer-overflow [ref_id=1]. No authentication is required; the attacker only needs to deliver the crafted FIG file to the victim for processing.
Affected code
The vulnerability resides in `fig2dev/read.c` at line 505, inside the `read_objects()` function [ref_id=1]. The crash occurs in a `sprintf` call that writes into a fixed-size global buffer; the AddressSanitizer report locates the out-of-bounds write at the `gif_transparent` global defined at `fig2dev.c:85` [ref_id=1].
What the fix does
The ticket itself carries no patch or code diff [ref_id=1]; the upstream fix is the commit listed under References ("Sanitize color definitions, ticket #116"). The remediation implied by the ticket is to correct the bounds check in `read_objects()` at `fig2dev/read.c:505` so that a color definition is validated (form and length) before anything is written into the fixed-size global buffer. The usual remedy for this pattern is a bounded write (`snprintf` or an explicit length check) in place of an unbounded `sprintf`; without such a check, an overly long or malformed color line overflows the buffer.
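To make the bug class concrete, here is an added example that is not fig2dev's code: a toy parser for FIG colour definition lines of the form `0 <num> #rrggbb`, with the unchecked shape (unbounded `sprintf` into an 8-byte global) beside a checked shape that validates the token's form, range and length before copying. The buffer, function names and layout are hypothetical, the real `read_objects()` logic is not reproduced, and the input lines in `main` are constructed (two of them are the malformed lines quoted from the ticket). Compiled with `-fsanitize=address`, feeding the over-long fourth line to `color_def_unchecked` produces a global-buffer-overflow report of the same class as the one in the ticket.

```c
/* Added example, not fig2dev's code: toy FIG colour-definition parser
 * contrasting an unbounded sprintf into a fixed-size global with a
 * checked version. Names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COLOR_STR_LEN 8          /* "#rrggbb" plus NUL */

/* Fixed-size global, the shape of buffer the ASan report points at. */
char color_str[COLOR_STR_LEN];

/* Vulnerable shape: the token is scanned with a generous bound, then
 * sprintf copies it into the 8-byte global with no length check, so a
 * third token of 8+ characters writes past the end. Only call this with
 * short input outside a sanitizer build. */
int color_def_unchecked(const char *line)
{
    int num;
    char token[256];

    if (sscanf(line, "0 %d %255s", &num, token) != 2)
        return -1;
    sprintf(color_str, "%s", token);   /* writes strlen(token)+1 bytes */
    return num;
}

/* Checked shape: validate form, range and length before copying, and copy
 * only when the destination is known to be large enough. FIG 3.2 defines
 * user colours as numbers 32..543; anything else is rejected. Returns 0 on
 * success, -1 on any malformed line. */
int color_def_checked(const char *line, int *num_out, char *dst, size_t dst_len)
{
    const char *p = line;
    const char *tail;
    char *end;
    long num;
    int i;

    if (p[0] != '0' || p[1] != ' ')
        return -1;
    p += 2;
    num = strtol(p, &end, 10);
    if (end == p || *end != ' ' || num < 32 || num > 543)
        return -1;
    p = end + 1;
    if (*p != '#')
        return -1;
    for (i = 1; i <= 6; i++)            /* stops at NUL: no over-read */
        if (!isxdigit((unsigned char)p[i]))
            return -1;
    /* Reject trailing junk such as the "#1 -1 4 ..." tail in the PoC line. */
    tail = p + 7;
    while (*tail == ' ' || *tail == '\t' || *tail == '\r')
        tail++;
    if (*tail != '\0' && *tail != '\n')
        return -1;
    if (dst_len < COLOR_STR_LEN)        /* destination too small: refuse */
        return -1;
    memcpy(dst, p, 7);
    dst[7] = '\0';
    *num_out = (int)num;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one valid line, the two malformed lines quoted
     * from the ticket, and one over-long token that would overflow the
     * unchecked version. */
    const char *lines[] = {
        "0 32 #ff8800\n",
        "0#U75 0 6750 #1 -1 4 -1 -1 0.000 0 0 1 0 -1 0 0,5",
        "0 i",
        "0 33 #ff8800deadbeef",
    };
    char out[COLOR_STR_LEN];
    int num;
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        if (color_def_checked(lines[i], &num, out, sizeof out) == 0)
            printf("ok     colour %d = %s\n", num, out);
        else
            printf("reject %s\n", lines[i]);
    }
    return 0;
}
```

The checked version takes the destination and its size as parameters rather than writing to the global, so the same function can be exercised against any buffer; the point of the example is the order of operations (validate, then bounded copy), not the particular buffer.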
Preconditions
- input: Victim must process a crafted FIG file with fig2dev (e.g., via `fig2dev -L box <crafted_file>`).
- auth: No authentication or special privileges required; any user who can invoke fig2dev on attacker-supplied input is exposed.
Reproduction
1. Obtain the fig2dev 3.2.8a source code.
2. Compile with AddressSanitizer: `./configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address" && make`.
3. Run `./fig2dev -L box <crafted_poc_file>`, where the PoC file contains the malformed color definitions (e.g., the lines `0#U75 0 6750 #1 -1 4 -1 -1 0.000 0 0 1 0 -1 0 0,5` and `0 i`).
4. Observe the AddressSanitizer global-buffer-overflow report pointing at `read_objects()` at read.c line 505 [ref_id=1].
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C44WSY5KAQXC3Y2NMSVXXZS3M5U5U2E6/ (Fedora vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JKMOIQX6GULVSYXLYW5JQY6KJNTWV3E4/ (Fedora vendor advisory)
- bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla)
- lists.debian.org/debian-lts-announce/2021/10/msg00002.html (Debian LTS announce mailing list)
- sourceforge.net/p/mcj/fig2dev/ci/6827c09d2d6491cb2ae3ac7196439ff3aa791fd9/ (upstream fix commit)
- sourceforge.net/p/mcj/tickets/116/ (upstream ticket #116)
News mentions
No linked articles in our index yet.