[Dvipng] address@hidden: Re: [vendor-sec] Re: [tlsecurity] Embargoed sec


From: Karl Berry
Subject: [Dvipng] address@hidden: Re: [vendor-sec] Re: [tlsecurity] Embargoed security issue in TeX Live (texlive-bin)]
Date: Tue, 16 Mar 2010 22:13:10 GMT

Hi Jan-AAke, Peter,

Please see this report.  Can you provide a patch?  However, they don't
want us to commit any changes to the public repo until they make it
public, in a few more days.  Not sure of the exact date.

Karl


Date: Mon, 15 Mar 2010 10:11:19 -0400
From: Marc Deslauriers <address@hidden>
To: Karl Berry <address@hidden>
Cc: address@hidden, address@hidden, address@hidden,
        Dan Rosenberg <address@hidden>
Subject: Re: [vendor-sec] Re: [tlsecurity] Embargoed security issue in TeX Live (texlive-bin)

dvipng (and as a result, dvigif), installed as part of the
texlive-base-bin package, is vulnerable to a memory corruption
vulnerability.

In texlive-bin-2007.dfsg.2/build/source/texk/dvipng/draw.c, the
SetChar() function indexes into an array using an index that is
controllable by the creator of a dvi file. By indexing past the end of
the array, an attacker can set a pointer to arbitrary values,
potentially leading to execution of arbitrary code. I've attached my
reproducer, which I'd like to be kept private. The attached file merely
triggers a crash by indexing into an invalid address, but it's clear
that arbitrary addresses could be accessed, so I would treat this issue
as possible code execution by tricking a user into processing a
malicious dvi file.

I'm not especially familiar with the relevant code, so I would expect
the developers to be better equipped to produce a patch. At first
glance, it seems that checking that the provided argument "c" to
SetChar() is between 0 and NFNTCHARS (the length of the "chr" array)
would resolve this issue.

A similar problem affects the SetVF() function in
texlive-bin-2007.dfsg.2/build/source/texk/dvipng/vf.c (user-controlled
index into an array, potentially leading to arbitrary code execution)
and the SetGlyph() function in set.c. The same check is applicable -
check that "c" is between 0 and NFNTCHARS. I have also triggered crashes
for these cases.

------------------------


Attached is Dan's reproducer for the new issue (vuln-537638.dvi). Again,
please do not share this reproducer.

[The CVE number for these issues is: CVE-2010-0829]

Attachment: vuln-537638.dvi
Description: Binary data
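As an added illustration (not dvipng's code and not Dan's reproducer): a decoder for the DVI set opcodes that supply the character code, feeding the bounds check the report recommends, so that a code outside [0, NFNTCHARS) is refused before it can index the "chr" array. The value 256 for NFNTCHARS, the font/chr layout and the byte stream are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

#define NFNTCHARS 256   /* assumed length of the per-font "chr" array */

/* Constructed stand-in for a loaded font: one glyph slot per character code. */
struct font { const char *chr[NFNTCHARS]; };

/* Decode the character code carried by a DVI "set" opcode: set_char_0..127
 * encode c in the opcode itself; set1..set4 (opcodes 128..131) carry a
 * 1..4-byte parameter, and set4's parameter is signed. Returns 1 on success. */
static int decode_set_char(const unsigned char *p, size_t len,
                           size_t *used, int32_t *c) {
    if (len == 0) return 0;
    unsigned op = p[0];
    if (op <= 127) { *used = 1; *c = (int32_t)op; return 1; }
    if (op > 131) return 0;                 /* not a set opcode */
    size_t n = op - 127;                    /* parameter width in bytes */
    if (len < 1 + n) return 0;              /* truncated stream */
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | p[1 + i];
    *used = 1 + n;
    /* set4 is signed: a 32-bit value with the top bit set is negative */
    *c = (n == 4 && (v & 0x80000000u)) ? -(int32_t)(~v) - 1 : (int32_t)v;
    return 1;
}

/* The check the report recommends: c must lie in [0, NFNTCHARS). */
static int valid_char_index(int32_t c) {
    return c >= 0 && c < NFNTCHARS;
}

/* Hardened lookup. An unchecked f->chr[c] here is the pattern the report
 * describes for SetChar(), SetVF() and SetGlyph(). */
static const char *set_char_checked(const struct font *f, int32_t c) {
    if (!valid_char_index(c)) return NULL;  /* reject before indexing */
    return f->chr[c];
}

static struct font demo_font = { .chr[65] = "glyph-A" };   /* constructed */

/* Constructed stream: set_char_65, set2 0xFFFF, set4 0xFFFFFFFF, set1 66. */
static const unsigned char demo_stream[] = {
    0x41, 0x81, 0xFF, 0xFF, 0x83, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x42 };

/* Walk a stream of set opcodes; returns how many codes the check rejected,
 * i.e. how many would have indexed past the array without it. */
static int count_rejected(const unsigned char *p, size_t len) {
    int rejected = 0; size_t used; int32_t c;
    while (len > 0 && decode_set_char(p, len, &used, &c)) {
        if (!valid_char_index(c)) rejected++;
        p += used; len -= used;
    }
    return rejected;
}
```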
