Karl Berry
2010-03-16 22:13:10 UTC
Hi Jan-AAke, Peter,
Please see this report. Can you provide a patch? However, they don't
want us to commit any changes to the public repo until they make it
public, in a few more days. Not sure of the exact date.
Karl
Date: Mon, 15 Mar 2010 10:11:19 -0400
From: Marc Deslauriers <***@canonical.com>
To: Karl Berry <***@freefriends.org>
Cc: ***@tug.org, vendor-***@lst.de, ***@ubuntu.com,
Dan Rosenberg <***@gmail.com>
Subject: Re: [vendor-sec] Re: [tlsecurity] Embargoed security issue in TeX
Live (texlive-bin)
dvipng (and as a result, dvigif), installed as part of the
texlive-base-bin package, is vulnerable to a memory corruption
vulnerability.
In texlive-bin-2007.dfsg.2/build/source/texk/dvipng/draw.c, the
SetChar() function indexes into an array using an index that is
controllable by the creator of a dvi file. By indexing past the end of
the array, an attacker can set a pointer to arbitrary values,
potentially leading to execution of arbitrary code. I've attached my
reproducer, which I'd like to be kept private. The attached file merely
triggers a crash by indexing into an invalid address, but it's clear
that arbitrary addresses could be accessed, so I would treat this issue
as possible code execution by tricking a user into processing a
malicious dvi file.
I'm not especially familiar with the relevant code, so I would expect
the developers to be better equipped to produce a patch. At first
glance, it seems that checking that the provided argument "c" to
SetChar() is between 0 and NFNTCHARS (the length of the "chr" array)
would resolve this issue.
A similar problem affects the SetVF() function in
texlive-bin-2007.dfsg.2/build/source/texk/dvipng/vf.c (user-controlled
index into an array, potentially leading to arbitrary code execution)
and the SetGlyph() function in set.c. The same check is applicable -
check that "c" is between 0 and NFNTCHARS. I have also triggered crashes
for these cases.
------------------------
Attached is Dan's reproducer for the new issue (vuln-537638.dvi). Again,
please do not share this reproducer.
[The CVE number for these issues is: CVE-2010-0829]
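The report above asks for one fix in all three places (SetChar(), SetVF(), SetGlyph()): refuse any character code that does not index a valid slot of the per-font glyph table before using it. The following C program is an added illustration of that pattern, written for this page; it is not code from dvipng or from the thread. The names `struct font`, `struct glyph`, `lookup_unchecked`, `lookup_checked` and `char_index_ok` are hypothetical, and the value 256 for NFNTCHARS is an assumption. It uses an exclusive upper bound (`c < NFNTCHARS`) because a C array of NFNTCHARS entries is numbered 0..NFNTCHARS-1, so "between 0 and NFNTCHARS" has to exclude NFNTCHARS itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model of the shape described in the report:
 * a font owns a fixed-size table of per-character glyph records, and a
 * DVI "set char" opcode supplies the index into it. NFNTCHARS mirrors the
 * name used in the report; 256 is an assumed value for this example. */
#define NFNTCHARS 256

struct glyph {
    int width;           /* constructed sample field */
    unsigned char *bits; /* bitmap data; NULL means "not loaded" */
};

struct font {
    struct glyph *chr[NFNTCHARS]; /* table indexed by character code */
};

/* Vulnerable shape: trusts the file-controlled index. A code outside the
 * table makes this read a pointer from memory next to chr[], and the caller
 * then dereferences whatever was there. */
struct glyph *lookup_unchecked(struct font *f, int32_t c)
{
    return f->chr[c];
}

/* Pure range predicate, kept separate so it can be tested on its own:
 * valid codes are exactly 0..NFNTCHARS-1. */
int char_index_ok(int32_t c)
{
    return c >= 0 && c < NFNTCHARS;
}

/* Hardened shape: reject anything outside the table and return NULL so the
 * caller can skip the glyph instead of dereferencing garbage. Logging the
 * rejected code also gives a detection hook for malformed input. */
struct glyph *lookup_checked(struct font *f, int32_t c)
{
    if (!char_index_ok(c)) {
        fprintf(stderr, "dvi: character code %d out of range, ignored\n", (int)c);
        return NULL;
    }
    return f->chr[c];
}

int main(void)
{
    static struct glyph a = { 5, NULL };
    struct font f = { { NULL } };
    f.chr['A'] = &a;

    /* Constructed opcode arguments: one valid code, then three that a
     * crafted file could carry (negative, exactly NFNTCHARS, and large). */
    int32_t codes[] = { 'A', -1, NFNTCHARS, 70000 };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        struct glyph *g = lookup_checked(&f, codes[i]);
        printf("code %d -> %s\n", (int)codes[i], g ? "glyph" : "rejected");
    }
    return 0;
}
```

The same predicate can guard each of the three functions named in the report; the important detail when writing such a check is that the argument must be tested as a signed value before any narrowing or use, since a negative code is just as invalid as one past the end of the table.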