dvipng Memory Corruption Vulnerability

Bug #537638 reported by Dan Rosenberg
Affects               Status        Importance  Assigned to  Milestone
dvipng (Ubuntu)       Fix Released  Undecided   Unassigned
texlive-bin (Ubuntu)  Invalid       Undecided   Unassigned

Bug Description

dvipng (and as a result, dvigif), installed as part of the texlive-base-bin package, is vulnerable to a memory corruption vulnerability.

In texlive-bin-2007.dfsg.2/build/source/texk/dvipng/draw.c, the SetChar() function indexes into an array using an index that is controllable by the creator of a dvi file. By indexing past the end of the array, an attacker can set a pointer to arbitrary values, potentially leading to execution of arbitrary code. I've attached my reproducer, which I'd like to be kept private. The attached file merely triggers a crash by indexing into an invalid address, but it's clear that arbitrary addresses could be accessed, so I would treat this issue as possible code execution by tricking a user into processing a malicious dvi file.

I'm not especially familiar with the relevant code, so I would expect the developers to be better equipped to produce a patch. At first glance, it seems that checking that the provided argument "c" to SetChar() is between 0 and NFNTCHARS (the length of the "chr" array) would resolve this issue.

Revision history for this message
Dan Rosenberg (dan-j-rosenberg) wrote :

A similar problem affects the SetVF() function in texlive-bin-2007.dfsg.2/build/source/texk/dvipng/vf.c (user-controlled index into an array, potentially leading to arbitrary code execution) and the SetGlyph() function in set.c. The same check is applicable - check that "c" is between 0 and NFNTCHARS. I have also triggered crashes for these cases.
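As an added illustration, not code from dvipng, the reporter or Ubuntu, here is the bounds check proposed for SetChar(), SetGlyph() and SetVF() applied to a glyph-table lookup. It decodes the character argument of the DVI set_char_0..127 and set1..set4 opcodes from constructed bytes (set4 carries a signed 4-byte value, which is why the lower bound 0 matters as much as the upper bound NFNTCHARS), then refuses any index outside [0, NFNTCHARS) before it is used to select a glyph pointer. The table size NFNTCHARS = 256, the struct layouts, DECODE_FAIL and the sample byte strings are assumptions for this example, not values taken from the dvipng sources.

```c
/* Added example (not dvipng code): apply the bounds check proposed in the
 * report to a DVI glyph-table lookup. NFNTCHARS, the struct layouts and the
 * sample bytes are assumptions for this illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NFNTCHARS 256            /* assumed table size, not dvipng's value */
#define DECODE_FAIL INT64_MIN    /* sentinel: truncated or unsupported opcode */

struct glyph { int width; };                    /* stand-in for a glyph record */
struct font  { struct glyph *chr[NFNTCHARS]; }; /* per-font glyph table */

/* Big-endian unsigned parameter of n bytes (n = 1..3, as in set1..set3). */
static int32_t dvi_uint(const uint8_t *p, int n) {
    uint32_t v = 0;
    for (int i = 0; i < n; i++) v = (v << 8) | p[i];
    return (int32_t)v;
}

/* Big-endian signed 4-byte parameter (set4): may be negative. */
static int32_t dvi_sint4(const uint8_t *p) {
    uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return (int32_t)v;
}

/* Decode the character index carried by set_char_0..127 (opcodes 0-127)
 * or set1..set4 (opcodes 128-131). The result is whatever the file says,
 * so it is untrusted; DECODE_FAIL means the opcode could not be read. */
int64_t decode_index(const uint8_t *buf, size_t len) {
    if (len < 1) return DECODE_FAIL;
    uint8_t op = buf[0];
    if (op <= 127) return op;                       /* set_char_N */
    if (op >= 128 && op <= 131) {
        int n = op - 127;                           /* parameter size */
        if (len < (size_t)1 + n) return DECODE_FAIL;
        return n == 4 ? dvi_sint4(buf + 1) : dvi_uint(buf + 1, n);
    }
    return DECODE_FAIL;
}

/* The check the report proposes: c must lie in [0, NFNTCHARS). */
int glyph_index_ok(int64_t c) {
    return c >= 0 && c < NFNTCHARS;
}

/* Lookup that never reads a pointer from outside the table. */
struct glyph *lookup_glyph(struct font *f, int64_t c) {
    if (!glyph_index_ok(c)) return NULL;
    return f->chr[c];
}

/* Constructed sample opcodes (not taken from any real DVI file). */
static const uint8_t SAMPLE_SET_CHAR_A[] = { 0x41 };                         /* set_char_65 */
static const uint8_t SAMPLE_SET2_256[]   = { 0x81, 0x01, 0x00 };             /* set2, c = 256 */
static const uint8_t SAMPLE_SET4_NEG[]   = { 0x83, 0xff, 0xff, 0xff, 0xff }; /* set4, c = -1 */
static const uint8_t SAMPLE_TRUNCATED[]  = { 0x82, 0x00 };                   /* set3 cut short */

static struct glyph glyph_A = { 10 };
static struct font  demo_font;

/* Width of the glyph selected by buf, or -1 if the index is rejected or unloaded. */
int demo_width(const uint8_t *buf, size_t len) {
    demo_font.chr[65] = &glyph_A;                   /* the only glyph loaded */
    struct glyph *g = lookup_glyph(&demo_font, decode_index(buf, len));
    return g ? g->width : -1;
}

int main(void) {
    printf("set_char_65 -> width %d\n", demo_width(SAMPLE_SET_CHAR_A, sizeof SAMPLE_SET_CHAR_A));
    printf("set2 c=256  -> width %d\n", demo_width(SAMPLE_SET2_256, sizeof SAMPLE_SET2_256));
    printf("set4 c=-1   -> width %d\n", demo_width(SAMPLE_SET4_NEG, sizeof SAMPLE_SET4_NEG));
    printf("truncated   -> width %d\n", demo_width(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

The check is a single comparison, but it has to sit between the decoder and the table access; validating after the pointer has already been read from chr[c] is too late, and an unsigned-only check would miss the negative set4 case.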

Kees Cook (kees)
Changed in texlive-bin (Ubuntu):
status: New → Confirmed
Revision history for this message
Kees Cook (kees) wrote :

Karl Berry says on behalf of Jan-Ake Larsson: "... the problems in SetChar and SetGlyph were fixed in dvipng 1.10, released in 2008. The SetVF problem wasn't seen previously."

affects: texlive-bin (Ubuntu) → dvipng (Ubuntu)
Revision history for this message
Kees Cook (kees) wrote :

CVE-2010-0829

Changed in texlive-bin (Ubuntu):
status: New → Invalid
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This is public now.

visibility: private → public
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dvipng - 1.12-3ubuntu0.1

---------------
dvipng (1.12-3ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via SetVF memory corruption
    (LP: #537638)
    - dvipng.h, draw.c, vf.c, set.c: make sure glyph index doesn't
      overflow. Patch by Jan-Ake Larsson.
    - CVE-2010-0829
 -- Marc Deslauriers <email address hidden> Tue, 27 Apr 2010 09:34:06 -0400

Changed in dvipng (Ubuntu):
status: Confirmed → Fix Released