dvips Memory Corruption vulnerability

Bug #537103 reported by Dan Rosenberg on 2010-03-11
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
texlive-bin (Ubuntu)
Medium
Unassigned

Bug Description

dvips, installed as part of the texlive-base-bin package, is vulnerable to a memory corruption vulnerability.

In texlive-bin-2007.dfsg.2/build/source/texk/dvipsk/virtualfont.c, the vfopen() function copies user-supplied data to a statically allocated buffer using sprintf(), without doing any bounds checking. The buffer is declared in the .data segment, so easy code execution is not possible, but given the nature of the data that can be overwritten by overflowing this buffer and how it is used (frequent dereferencing and assigning), I would treat this issue as possible arbitrary code execution that can be achieved by tricking a user into processing a maliciously crafted .dvi file.

On my Karmic installation, this issue is merely denial of service because dvips is compiled with buffer overflow prevention, which successfully catches the unsafe sprintf call and terminates.

I've attached my reproducer, which I'd like to be kept private. It merely triggers a crash on Ubuntu - I have not attempted to achieve code execution, but on other systems without buffer overflow prevention, I believe this is possible (with a whole lot of effort).

This issue can be fixed by replacing the calls to sprintf() with corresponding snprintf() or similar functions.

Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this Dan.

This is a problem for us on hardy, where we don't have Fortify Source.
I'll try and locate the upstream security contact.

Marc Deslauriers (mdeslaur) wrote :

This has been assigned CVE-2010-0827

Changed in texlive-bin (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Marc Deslauriers (mdeslaur) wrote :

I have sent en email to the upstream maintainers asking for a CRD of 2010-03-25.

Dan, if you would like to be CC'd on the security email, please supply me with a valid email address.

Thanks!

Dan Rosenberg (dan-j-rosenberg) wrote :

I've attached a simple patch for the issue.

Marc Deslauriers (mdeslaur) wrote :

This is public now

visibility: private → public
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package texlive-bin - 2009-5ubuntu0.1

---------------
texlive-bin (2009-5ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via memory corruption
    (LP: #537103)
    - debian/patches/security-CVE-2010-0827.patch: make sure name isn't
      too long in texk/dvipsk/virtualfont.c.
    - CVE-2010-0827
  * SECURITY UPDATE: arbitrary code execution via integer overflow
    - debian/patches/security-CVE-2010-0739,1440.patch: make sure numbytes
      doesn't overflow in texk/dvipsk/dospecial.c.
    - CVE-2010-0739
    - CVE-2010-1440
 -- Marc Deslauriers <email address hidden> Mon, 03 May 2010 09:05:31 -0400

Changed in texlive-bin (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers