Hello!
I got the CVE ID (CVE-2024-25262) for this issue.
Thanks

dongzhuo zhao <email address hidden> 于2024年2月19日周一 11:03写道：

> Hello，I have reported this issue to TexLive and the maintenance team have
> confirmed this issue and fixed it. they want me reuest CVE ID by myself.
> And Iasrequest a CVE ID, but do not get answer for this moment. If you
> could accelerate this requesting process, that would be great!
>
> George-Andrei Iosif <email address hidden> 于2024年2月7日周三 16:29写道：
>
>> I have marked this bug as public because the public domain already
>> contains information about this TeX Live issue (as seen in the GitHub
>> issue and upstream changelog).
>>
>> @dongzhuo, could you please contact the upstream (either in the existing
>> PR or via their mailing list) to confirm that they (1) recognize this
>> issue as a vulnerability impacting the security of their software (and
>> not just a functional bug), and (2) do not have any other CVE ID
>> assignment process already established? The latter is important because
>> some projects prefer contacting MITRE for the assignment.
>>
>> --
>> You received this bug notification because you are subscribed to the bug
>> report.
>> https://bugs.launchpad.net/bugs/2047912
>>
>> Title:
>>   There is a heap buffer overflow in texlive-bin
>>
>> Status in texlive-bin package in Ubuntu:
>>   New
>>
>> Bug description:
>>   Hello,
>>     I found a heap-buffer overflow in function ttfLoadHDMX; ttfdump can
>> install by apt-get texlive-binaries. I compile lastest texlive-source by
>> clone https://github.com/TeX-Live/texlive-source/ on unbuntu for
>> debugging.
>>     The overflow content and size are controlled by input. Exploiting
>> this issue can achive any code excuted
>>
>>     The steps for reproducing the vul on unbuntu:
>>     (1) sudo apt-get iunstall texlive-binaries
>>     (2) ttfdump -i poc.ttf
>>
>>
>>   The poc.ttf can view the attachment .ttfdump aborted and prompt
>> "malloc(): corrupted top size" due memory corrupt.
>>
>>     The issue exist in function ttfLoadHDMX :
>>
>>   /***    function ttfLoadHDMX begin   ***/
>>
>>   static void ttfLoadHDMX (FILE *fp,HDMXPtr hdmx,ULONG offset)
>>   {
>>       int i;
>>
>>       xfseek(fp, offset, SEEK_SET, "ttfLoadHDMX");
>>
>>       hdmx->version = ttfGetUSHORT(fp);
>>       hdmx->numDevices = ttfGetUSHORT(fp);
>>       hdmx->size = ttfGetLONG(fp);
>>
>>       hdmx->Records = XCALLOC (hdmx->numDevices, DeviceRecord);
>>
>>       for (i=0;i<hdmx->numDevices;i++)
>>         {
>>             hdmx->Records[i].PixelSize = ttfGetBYTE(fp);
>>             hdmx->Records[i].MaxWidth = ttfGetBYTE(fp);
>>             hdmx->Records[i].Width = XCALLOC (hdmx->size, BYTE);  (1)
>>             fread ((hdmx->Records+i)->Width, sizeof(BYTE),
>> hdmx->numGlyphs+1,fp); (2)
>>         }
>>   }
>>
>>
>>   /***    function ttfLoadHDMX end   ***/
>>
>>
>>     At above code (1) ,allocte heap buffer for Width according to the
>> parsed hdmx width. And at above code (2) , copy Width content from file and
>> copy size decided by controlled hdmx->numGlyphs. In the poc , hdmx->size
>> eaqual to 1216 and hdmx->numGlyphs+1 is 4155,which get heap buffer overflow.
>>
>>   /*** debug info ***/
>>   (gdb) p hdmx->numGlyphs+1
>>   $23 = 4155
>>   (gdb) p hdmx->size
>>   $24 = 1216
>>   /*** debug info end ***/
>>
>>
>>   From :
>>
>>   Dongzhuo zhao working with ADLab of Venustech
>>
>> To manage notifications about this bug go to:
>>
>> https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/2047912/+subscriptions
>>
>>