Appears this is vulnerable to several of the same vulnerabilities as xfig was in bug 718806 (details on these vulnerabilities there). I couldn't reproduce CVE-2018-11439, so not sure if this is vulnerable to it too.
Package list is empty or all packages have requested keywords.
fig2dev 3.2.7b contains a stack buffer overflow in the bezier_spline function in genepic.c.
fig2dev 3.2.7b contains a segmentation fault in the read_objects function in read.c.
fig2dev 3.2.7b contains a global buffer overflow in the conv_pattern_index function in gencgm.c.
fig2dev 3.2.7b contains a global buffer overflow in the setfigfont function in genepic.c.
fig2dev 3.2.7b contains a stack buffer overflow in the read_textobject function in read.c.
fig2dev 3.2.7b contains a global buffer overflow in the get_line function in read.c.
fig2dev 3.2.7b contains a segmentation fault in the gencgm_start function in gencgm.c.
All fixed in 3.8.8.
(In reply to John Helmert III from comment #6)
> All fixed in 3.8.8.
Whoops, meant 3.2.8. We have another with the same fixed version:
An issue was discovered in fig2dev through 20200520. A NULL pointer dereference exists in the function compute_closed_spline() located in trans_spline.c. It allows an attacker to cause Denial of Service.
A double-free vulnerability exists in fig2dev through 3.28a via the free_stream function in readpics.c, which could cause a denial of service (context-dependent).
A denial of service vulnerability exists in fig2dev through 3.28a due to a segfault in the open_stream function in readpics.c.
These issues have been fixed in media-gfx/fig2dev. Upstream renamed this package and it is no longer distributed as transfig.
Once media-gfx/fig2dev-3.2.9 and media-gfx/xfig-3.2.9 have been marked stable this package can be masked for removal.
(In reply to Hans de Graaff from comment #9)
> Once media-gfx/fig2dev-3.2.9 and media-gfx/xfig-3.2.9 have been marked
> stable this package can be masked for removal.
Note that there are still a number of packages depending on media-gfx/transfig that need to be updated.