PT-2017-14628 · Xfig+2

Joonun Jang · Published 2017-11-20 · Updated 2024-06-15 · CVE-2017-16899

CVSS v3.1: 7.1 High

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Xfig version 3.2.6a

Description

An array index error in the fig2dev program can be exploited by remote attackers using a maliciously crafted Fig format file, leading to a denial-of-service attack or information disclosure. The error is related to a negative font value in dev/gentikz.c and to the read_textobject functions in read.c and read1_3.c.

Recommendations

For Xfig version 3.2.6a, consider restricting the use of the fig2dev program until a patch is available, and avoid processing untrusted Fig format files to minimize the risk of exploitation.

Fix

DoS

Improper Validation of Array Index

Weakness Enumeration

Related Identifiers

ALT-PU-2018-2050
CVE-2017-16899
MGASA-2017-0469
OPENSUSE-SU-2024:11472-1
SUSE-SU-2018:0231-1
SUSE-SU-2018:0232-1
SUSE-SU-2018_0231-1
SUSE-SU-2018_0232-1

Affected Products

Alt Linux
Suse
Xfig