dvips Memory Corruption vulnerability
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
texlive-bin (Ubuntu) | Fix Released | Medium | Unassigned | |
Bug Description
dvips, installed as part of the texlive-base-bin package, is vulnerable to a memory corruption vulnerability.
In texlive-
On my Karmic installation, this issue is merely denial of service because dvips is compiled with buffer overflow prevention, which successfully catches the unsafe sprintf call and terminates.
I've attached my reproducer, which I'd like to be kept private. It merely triggers a crash on Ubuntu - I have not attempted to achieve code execution, but on other systems without buffer overflow prevention, I believe this is possible (with a whole lot of effort).
This issue can be fixed by replacing the calls to sprintf() with corresponding snprintf() or similar functions.
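The bounded-formatting fix suggested in the description above, sketched as an added example; it is not the reporter's code and not taken from the dvips source. The helper names `bounded_format` and `build_name`, the 32-byte buffer and the sample inputs are all hypothetical. The `snprintf`-family return value is checked, so an over-long input is rejected instead of being silently truncated.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from dvips): format into a fixed-size buffer.
 * Returns 0 on success, -1 if the output did not fit or formatting failed. */
static int bounded_format(char *dst, size_t dstsize, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (dst == NULL || dstsize == 0)
        return -1;

    va_start(ap, fmt);
    n = vsnprintf(dst, dstsize, fmt, ap);   /* never writes past dstsize */
    va_end(ap);

    /* n is the length the full output would have had; n >= dstsize
     * means the result was cut short. Treat that as an error. */
    if (n < 0 || (size_t)n >= dstsize) {
        dst[0] = '\0';   /* do not hand a truncated name to the caller */
        return -1;
    }
    return 0;
}

#define NAME_BUF 32   /* assumed buffer size for this example */

/* Constructed scenario: build "<name>.<ext>" in a fixed buffer, the kind
 * of operation an unchecked sprintf() would overflow on long input. */
static int build_name(char out[NAME_BUF], const char *name, const char *ext)
{
    return bounded_format(out, NAME_BUF, "%s.%s", name, ext);
}

int main(void)
{
    char buf[NAME_BUF];
    char longname[200];

    /* Constructed over-long input. */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("short: rc=%d name=\"%s\"\n", build_name(buf, "cmr10", "pk"), buf);
    printf("long:  rc=%d name=\"%s\"\n", build_name(buf, longname, "pk"), buf);
    return 0;
}
```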
Thanks for reporting this, Dan.
This is a problem for us on hardy, where we don't have Fortify Source.
I'll try and locate the upstream security contact.