Bug 511049 (CVE-2009-1382, CVE-2009-2459)

Summary: CVE-2009-1382 CVE-2009-2459 mimeTeX: various flaws
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: cq92j9y+rlkr0w, rcvalle, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://scary.beasts.org/security/CESA-2009-009.html
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-03-15 14:56:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 581023, 651261, 922139    
Bug Blocks:    

Description Jan Lieskovsky 2009-07-13 13:08:11 UTC 
Multiple stack-based buffer overflow were found in mimeTeX. A remote
attacker could provide a specially-crafted LaTeX expression, which might
lead to arbitrary code execution or disclosure of sensitive information,
when processed by the expression processing engine.

References:
-----------
http://scary.beasts.org/security/CESA-2009-009.html
http://groups.google.com/group/comp.text.tex/browse_thread/thread/5d56d3d744351578#
Comment 1 Jan Lieskovsky 2009-07-15 14:50:17 UTC 
MITRE's CVE record (CVE-2009-1382):

Multiple stack-based buffer overflows in mimetex.cgi in mimeTeX, when
downloaded before 20090713, allow remote attackers to execute
arbitrary code via a TeX file with long (1) picture, (2) circle, or
(3) input tags.

References:
----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1382
http://www.securityfocus.com/archive/1/archive/1/504919/100/0/threaded
http://groups.google.com/group/comp.text.tex/browse_thread/thread/5d56d3d744351578
http://scary.beasts.org/security/CESA-2009-009.html
http://secunia.com/advisories/35752
http://secunia.com/advisories/35816
http://www.vupen.com/english/advisories/2009/1875
Comment 2 Jan Lieskovsky 2009-07-15 14:59:29 UTC 
MITRE's CVE record (CVE-2009-2459):

Multiple unspecified vulnerabilities in mimeTeX, when downloaded
before 20090713, have unknown impact and attack vectors related to the
(1) \environ, (2) \input, and (3) \counter TeX directives.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2459
http://scary.beasts.org/security/CESA-2009-009.html
http://secunia.com/advisories/35752
http://www.vupen.com/english/advisories/2009/1875
Comment 3 Vincent Danen 2009-09-26 00:29:59 UTC 
This issue has not yet been corrected and affects Fedora 10, 11, and rawhide.

Upstream fixes are available; any mimetex release after 20090713 is supposed to have the fixes so if you grabbed the latest upstream zip these issues would be corrected.

Could you please create updated packages to correct these issues?  Thanks.
Comment 4 cq92j9y+rlkr0w 2009-10-02 03:17:16 UTC 
Hi,

I've built updated packages for f10, f11, f12 and rawhide (already queued in Bodhi). They seem to work OK for the test cases on scary.beasts.org.

http://koji.fedoraproject.org/koji/buildinfo?buildID=134803
http://koji.fedoraproject.org/koji/buildinfo?buildID=134804
http://koji.fedoraproject.org/koji/buildinfo?buildID=134805
http://koji.fedoraproject.org/koji/buildinfo?buildID=134806
Comment 5 Fedora Update System 2009-11-04 12:21:44 UTC 
mimetex-1.71-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2009-11-04 12:37:46 UTC 
mimetex-1.71-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Vincent Danen 2010-04-09 19:44:25 UTC 
Is there a reason why mimetex for Fedora 12 was built, but never submitted?  Current mimetex version in Fedora 12 is 1.60-7.fc12.  Could this get fixed and pushed for Fedora 12?  It looks like Fedora 13 is properly at 1.71-1.fc13.

Thanks.
Comment 9 Fedora Update System 2010-04-12 23:58:01 UTC 
mimetex-1.71-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/mimetex-1.71-1.fc12
Comment 10 Fedora Update System 2010-04-14 01:35:26 UTC 
mimetex-1.71-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Vincent Danen 2012-09-11 16:33:26 UTC 
kadu includes an embedded mimetex; kadu 0.10.1 (in F16 testing) would correct the flaw if it was pushed to F16+ (see bug #651261).
Comment 12 Vincent Danen 2013-03-15 14:55:18 UTC 
Created mimetex tracking bugs for this issue

Affects: epel-5 [bug 922139]
Comment 13 Vincent Danen 2013-03-15 14:56:15 UTC 
While this is fixed in Fedora and EPEL6, this is still unfixed in EPEL5.  Now that a tracking bug has been created for EPEL, I'm going to close this bug and will rely on the tracking bug to get it fixed there.