dvipng Memory Corruption Vulnerability
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
dvipng (Ubuntu) | Fix Released | Undecided | Unassigned |
texlive-bin (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
dvipng (and as a result, dvigif), installed as part of the texlive-base-bin package, is vulnerable to a memory corruption vulnerability.
In texlive-
I'm not especially familiar with the relevant code, so I would expect the developers to be better equipped to produce a patch. At first glance, it seems that checking that the provided argument "c" to SetChar() is between 0 and NFNTCHARS (the length of the "chr" array) would resolve this issue.
CVE References
Changed in texlive-bin (Ubuntu): status: New → Confirmed
Changed in texlive-bin (Ubuntu): status: New → Invalid
A similar problem affects the SetVF() function in texlive-bin-2007.dfsg.2/build/source/texk/dvipng/vf.c (user-controlled index into an array, potentially leading to arbitrary code execution) and the SetGlyph() function in set.c. The same check is applicable - check that "c" is between 0 and NFNTCHARS. I have also triggered crashes for these cases.
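The bounds check proposed in the report and in the comment above, written out as an added example; it is not dvipng's code and not a patch from this bug. Only the names NFNTCHARS, chr and c come from the report: the value 256, the struct layouts, and the helpers read_operand, glyph_for and lookup_at are assumptions made for illustration. The upper bound is exclusive, so c == NFNTCHARS is rejected along with negative values.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins: only the names NFNTCHARS, chr and c come from the
 * report; the value 256 and the struct layouts are assumptions. */
#define NFNTCHARS 256
struct glyph { int width; };
struct font  { struct glyph *chr[NFNTCHARS]; };

/* Decode an n-byte (1..4) big-endian operand at buf[off]; a 4-byte operand
 * is signed. Returns 0 on success, -1 if it runs past the buffer. */
static int read_operand(const uint8_t *buf, size_t len, size_t off,
                        unsigned n, int32_t *out)
{
    uint32_t v = 0;
    if (n < 1 || n > 4 || off > len || len - off < n)
        return -1;
    for (unsigned i = 0; i < n; i++)
        v = (v << 8) | buf[off + i];
    /* Two's-complement conversion without an implementation-defined cast. */
    *out = (v > INT32_MAX) ? -(int32_t)(UINT32_MAX - v) - 1 : (int32_t)v;
    return 0;
}

/* Hardened lookup: index chr[] only when 0 <= c < NFNTCHARS.
 * Returns NULL for an out-of-range code or an empty slot. */
static struct glyph *glyph_for(const struct font *f, int32_t c)
{
    if (f == NULL || c < 0 || c >= NFNTCHARS)
        return NULL;
    return f->chr[c];
}

/* Constructed sample: codes 0x41 (1 byte), 0x0100 (2 bytes), -1 (4 bytes). */
static const uint8_t sample[] = { 0x41, 0x01, 0x00, 0xFF, 0xFF, 0xFF, 0xFF };
static struct glyph glyph_A = { 7 };
static struct font demo_font = { .chr = { [0x41] = &glyph_A } };

/* 1 = glyph found, 0 = code rejected or slot empty, -1 = truncated input. */
static int lookup_at(size_t off, unsigned n)
{
    int32_t c;
    if (read_operand(sample, sizeof sample, off, n, &c) != 0)
        return -1;
    return glyph_for(&demo_font, c) != NULL;
}
```

The same guard belongs at every site that indexes the array with a value taken from the input file, which on this page means SetChar(), SetVF() and SetGlyph().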