There is a heap buffer overflow in texlive-bin

Bug #2047912 reported by DongzhuoZhao
Affects: texlive-bin (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Hello,
  I found a heap-buffer overflow in function ttfLoadHDMX; ttfdump can be installed by apt-get texlive-binaries. I compiled the latest texlive-source by cloning https://github.com/TeX-Live/texlive-source/ on Ubuntu for debugging.
  The overflow content and size are controlled by the input. Exploiting this issue can achieve arbitrary code execution.

  The steps for reproducing the vulnerability on Ubuntu:
  (1) sudo apt-get install texlive-binaries
  (2) ttfdump -i poc.ttf

The poc.ttf can be found in the attachment. ttfdump aborted and printed "malloc(): corrupted top size" due to memory corruption.

  The issue exists in function ttfLoadHDMX:

/*** function ttfLoadHDMX begin ***/

static void ttfLoadHDMX (FILE *fp, HDMXPtr hdmx, ULONG offset)
{
    int i;

    xfseek(fp, offset, SEEK_SET, "ttfLoadHDMX");

    hdmx->version = ttfGetUSHORT(fp);
    hdmx->numDevices = ttfGetUSHORT(fp);
    hdmx->size = ttfGetLONG(fp);

    hdmx->Records = XCALLOC (hdmx->numDevices, DeviceRecord);

    for (i = 0; i < hdmx->numDevices; i++)
    {
        hdmx->Records[i].PixelSize = ttfGetBYTE(fp);
        hdmx->Records[i].MaxWidth = ttfGetBYTE(fp);
        hdmx->Records[i].Width = XCALLOC (hdmx->size, BYTE);                    /* (1) */
        fread ((hdmx->Records+i)->Width, sizeof(BYTE), hdmx->numGlyphs+1, fp);  /* (2) */
    }
}

/*** function ttfLoadHDMX end ***/

  At the above code (1), a heap buffer for Width is allocated according to the parsed hdmx->size. At the above code (2), the Width content is copied from the file, with the copy size decided by the controlled hdmx->numGlyphs. In the poc, hdmx->size equals 1216 and hdmx->numGlyphs+1 is 4155, which causes a heap buffer overflow.

/*** debug info ***/
(gdb) p hdmx->numGlyphs+1
$23 = 4155
(gdb) p hdmx->size
$24 = 1216
/*** debug info end ***/

From :

Dongzhuo zhao working with ADLab of Venustech
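A hardened version of the loader, added here as an example and not TeX Live's own patch (the CVE-2024-25262.diff named in the changelogs below is not reproduced on this page): it keeps the numGlyphs+1 copy length shown above but refuses the copy when it exceeds the size-byte buffer, seeks to each record by its own offset, and checks fread's return. The type and helper names are assumed stand-ins, not ttfdump's, and the sample tables are constructed, not the report's poc.ttf.

```c
#define _GNU_SOURCE            /* for fmemopen in the in-memory harness */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Minimal stand-ins for ttfdump's HDMX types (assumed names, not the project's). */
typedef struct { uint8_t PixelSize, MaxWidth; uint8_t *Width; } DeviceRecord;
typedef struct {
    uint16_t version, numDevices, numGlyphs; /* numGlyphs is set by the caller from maxp */
    int32_t size;                            /* bytes per device record, from the table */
    DeviceRecord *Records;
} HDMX;

static int get_u16(FILE *fp, uint16_t *v) {       /* big-endian, like ttfGetUSHORT */
    unsigned char b[2];
    if (fread(b, 1, 2, fp) != 2) return -1;
    *v = (uint16_t)(b[0] << 8 | b[1]); return 0;
}
static int get_i32(FILE *fp, int32_t *v) {        /* big-endian, like ttfGetLONG */
    unsigned char b[4];
    if (fread(b, 1, 4, fp) != 4) return -1;
    *v = (int32_t)((uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | b[2] << 8 | b[3]); return 0;
}

/* 0 = ok, -1 = truncated table or allocation failure, -2 = numGlyphs+1 bytes would not fit the size-byte buffer. */
int load_hdmx_checked(FILE *fp, long offset, HDMX *h) {
    if (fseek(fp, offset, SEEK_SET) != 0) return -1;
    if (get_u16(fp, &h->version) || get_u16(fp, &h->numDevices) || get_i32(fp, &h->size))
        return -1;
    if (h->size < 2 || (long)h->numGlyphs + 1 > (long)h->size) return -2;  /* the missing bound check */
    h->Records = calloc(h->numDevices, sizeof *h->Records);
    if (h->numDevices && !h->Records) return -1;
    for (uint16_t i = 0; i < h->numDevices; i++) {
        DeviceRecord *r = &h->Records[i];
        /* Records are size bytes apart; seek to each instead of trusting the stream position. */
        if (fseek(fp, offset + 8 + (long)i * h->size, SEEK_SET) != 0) return -1;
        if (fread(&r->PixelSize, 1, 1, fp) != 1 || fread(&r->MaxWidth, 1, 1, fp) != 1) return -1;
        if (!(r->Width = calloc((size_t)h->size, 1))) return -1;
        /* Copy length is bounded by the check above, and a short file is an error, not silently ignored. */
        if (fread(r->Width, 1, (size_t)h->numGlyphs + 1, fp) != (size_t)h->numGlyphs + 1) return -1;
    }
    return 0;
}

/* Parse a table held in memory; returns the loader's status code. */
int check_table(const unsigned char *buf, size_t len, uint16_t numGlyphs, HDMX *out) {
    FILE *fp = fmemopen((void *)buf, len, "rb");
    if (!fp) return -1;
    memset(out, 0, sizeof *out);
    out->numGlyphs = numGlyphs;
    int rc = load_hdmx_checked(fp, 0, out);
    fclose(fp);
    return rc;
}

/* Constructed sample tables (not the report's poc.ttf). */
static const unsigned char good_hdmx[] = {
    0,0, 0,1, 0,0,0,8,            /* version 0, 1 device, 8 bytes per record */
    10, 8, 1,2,3,4,5, 0 };        /* pixelSize 10, maxWidth 8, 5 widths, pad */
static const unsigned char bad_hdmx[] = {
    0,0, 0,1, 0,0,0x04,0xC0 };    /* size 1216; with numGlyphs+1 = 4155 this is the report's case */
```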

Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue. Have you notified the texlive developer so that they can work on a fix? If not, please file a bug with them. Once they have developed a fix, we can include it in Ubuntu. Thanks!

DongzhuoZhao (dongzhuo) wrote : Re: [Bug 2047912] Re: There is a heap buffer overflow in texlive-bin

I haven't notified them and I will try. Thanks for your reply 😀

Marc Deslauriers <email address hidden> wrote on Saturday, January 20, 2024 at 03:56:

> Thanks for reporting this issue. Have you notified the texlive developer
> so that they can work on a fix? If not, please file a bug with them.
> Once they have developed a fix, we can include it in Ubuntu. Thanks!

Eduardo Barretto (ebarretto) wrote :

Hi DongzhuoZhao,

Did you get any feedback from the texlive developers?
Could you also add here the link to your bug report, if there is one?

Thanks

DongzhuoZhao (dongzhuo) wrote :

Hello!
The texlive developers have fixed the bug! Please refer to the following links:
https://tug.org/svn/texlive/trunk/Build/source/texk/ttfdump/ChangeLog?revision=69605&view=co

https://github.com/TeX-Live/texlive-source/pull/63

Eduardo Barretto <email address hidden> wrote on Thursday, February 1, 2024 at 21:02:

> Hi DongzhuoZhao,
>
> Did you get any feedback from the texlive developers?
> Could you also add here the link to your bug report, if there is one?
>
> Thanks

Eduardo Barretto (ebarretto) wrote :

Thanks for sharing the links!
Was this issue assigned a CVE?

DongzhuoZhao (dongzhuo) wrote :

Hello!
This hasn't been assigned a CVE number. May I ask you to apply for a CVE number
for this?
Thank you!

Eduardo Barretto <email address hidden> wrote on Friday, February 2, 2024 at 16:26:

> Thanks for sharing the links!
> Was this issue assigned a CVE?

information type: Private Security → Public Security
George-Andrei Iosif (iosifache) wrote :

I have marked this bug as public because the public domain already contains information about this TeX Live issue (as seen in the GitHub issue and upstream changelog).

@dongzhuo, could you please contact the upstream (either in the existing PR or via their mailing list) to confirm that they (1) recognize this issue as a vulnerability impacting the security of their software (and not just a functional bug), and (2) do not have any other CVE ID assignment process already established? The latter is important because some projects prefer contacting MITRE for the assignment.

DongzhuoZhao (dongzhuo) wrote :

Hello, I have reported this issue to TeX Live and the maintenance team has
confirmed this issue and fixed it. They want me to request the CVE ID myself.
And I have requested a CVE ID, but have not got an answer at this moment. If you
could accelerate this request process, that would be great!

George-Andrei Iosif <email address hidden> wrote on Wednesday, February 7, 2024 at 16:29:

> I have marked this bug as public because the public domain already
> contains information about this TeX Live issue (as seen in the GitHub
> issue and upstream changelog).
>
> @dongzhuo, could you please contact the upstream (either in the existing
> PR or via their mailing list) to confirm that they (1) recognize this
> issue as a vulnerability impacting the security of their software (and
> not just a functional bug), and (2) do not have any other CVE ID
> assignment process already established? The latter is important because
> some projects prefer contacting MITRE for the assignment.

DongzhuoZhao (dongzhuo) wrote :

Hello!
I got the CVE ID (CVE-2024-25262) for this issue.
Thanks

dongzhuo zhao <email address hidden> wrote on Monday, February 19, 2024 at 11:03:

> Hello, I have reported this issue to TeX Live and the maintenance team has
> confirmed this issue and fixed it. They want me to request the CVE ID myself.
> And I have requested a CVE ID, but have not got an answer at this moment. If you
> could accelerate this request process, that would be great!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package texlive-bin - 2023.20230311.66589-6ubuntu0.1

---------------
texlive-bin (2023.20230311.66589-6ubuntu0.1) mantic-security; urgency=medium

  * SECURITY UPDATE: heap overflow in ttfdump (LP: #2047912)
    - debian/patches/CVE-2024-25262.diff: add overflow check to
      texk/ttfdump/libttf/hdmx.c.
    - CVE-2024-25262

 -- Marc Deslauriers <email address hidden> Wed, 13 Mar 2024 10:05:52 -0400

Changed in texlive-bin (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package texlive-bin - 2021.20210626.59705-1ubuntu0.2

---------------
texlive-bin (2021.20210626.59705-1ubuntu0.2) jammy-security; urgency=medium

  * SECURITY UPDATE: arbitrary network requests via socket library
    - debian/patches/CVE-2023-32668.patch: disable socket library by
      default in texk/web2c/luatexdir/lua/loslibext.c,
      texk/web2c/luatexdir/lua/luainit.c,
      texk/web2c/luatexdir/lua/luastuff.c,
      texk/web2c/luatexdir/lua/luatex-api.h,
      texk/web2c/luatexdir/luasocket/src/lua_preload.c.
    - CVE-2023-32668
  * SECURITY UPDATE: heap overflow in ttfdump (LP: #2047912)
    - debian/patches/CVE-2024-25262.diff: add overflow check to
      texk/ttfdump/libttf/hdmx.c.
    - CVE-2024-25262

 -- Marc Deslauriers <email address hidden> Wed, 13 Mar 2024 10:11:46 -0400

Changed in texlive-bin (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package texlive-bin - 2019.20190605.51237-3ubuntu0.2

---------------
texlive-bin (2019.20190605.51237-3ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: sprintf mishandling in axohelp
    - debian/patches/CVE-2019-18604.patch: fix overflow bugs in
      utils/axodraw2/*.
    - CVE-2019-18604
  * SECURITY UPDATE: arbitrary network requests via socket library
    - debian/patches/CVE-2023-32668.patch: disable socket library by
      default in texk/web2c/luatexdir/lua/loslibext.c,
      texk/web2c/luatexdir/lua/luainit.c,
      texk/web2c/luatexdir/lua/luastuff.c,
      texk/web2c/luatexdir/lua/luatex-api.h,
      texk/web2c/luatexdir/luasocket/src/lua_preload.c.
    - CVE-2023-32668
  * SECURITY UPDATE: heap overflow in ttfdump (LP: #2047912)
    - debian/patches/CVE-2024-25262.diff: add overflow check to
      texk/ttfdump/libttf/hdmx.c.
    - CVE-2024-25262

 -- Marc Deslauriers <email address hidden> Wed, 13 Mar 2024 10:19:47 -0400

Changed in texlive-bin (Ubuntu):
status: New → Fix Released