Bug 586819 (CVE-2010-1440)

Summary: CVE-2010-1440 tetex, texlive: Integer overflow by processing special commands
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: mjc, security-response-team, vdanen
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2021-10-19 09:11:43 UTC
Bug Depends On: 577309, 577322, 577323, 577328, 577329, 584793, 584795

Attachments:
  Proposed patch from Ludwig Nussel of SUSE (flags: none)
  And slightly adjusted one (flags: none)

Description Jan Lieskovsky 2010-04-28 12:34:37 UTC
An integer overflow was found in the way the TeX text formatting
system processed special commands. If a user was tricked into
processing a specially-crafted typesetter-independent .dvi
(DeVice Independent) file, it could lead to a crash of the dvips
executable or, potentially, to arbitrary code execution with the
privileges of the user running dvips. This is a different vulnerability
from CVE-2010-0739.

Comment 2 Jan Lieskovsky 2010-04-28 13:30:09 UTC
This is CVE-2010-1440.

Comment 3 Jindrich Novy 2010-04-28 16:16:47 UTC
Created attachment 409893 [details]
Proposed patch for RHEL5

Comment 4 Tomas Hoger 2010-04-29 09:19:45 UTC
(In reply to comment #3)
> Created an attachment (id=409893) [details]
> Proposed patch for RHEL5    

This may work in some cases, but not in general.  nextstring + numbytes may still overflow for certain nextstring / numbytes values.
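The point Tomas raises is the classic one for length checks: a test written as `nextstring + numbytes > maxstring` computes the sum first, so a length that is negative (or large enough to wrap) pulls the sum back under the limit and the check passes. The following is an added illustration, not code from this bug, from the attached patches or from dvips/TeX Live: it models a fixed-size special-string pool with a write cursor, shows the wrapping check next to the form that compares the length against the remaining room, and runs both over two constructed records. The names `weak_length_ok`, `safe_length_ok`, `read_be32`, `append_special`, `run_sample` and the 4-byte big-endian length framing are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model (not dvips's own code) of a fixed-size pool that
 * collects \special strings: `nextstring` is the write cursor and
 * `maxstring` the pool size, borrowing the names used in comment 4. */
#define MAXSTRING 1024u
static char pool[MAXSTRING];

/* The shape of check that can still be bypassed: the addition happens
 * before the comparison, so a negative or huge length wraps the sum back
 * below maxstring and the check passes.  The arithmetic is done in
 * unsigned so the wrap is well defined here; with `int` operands the same
 * expression is undefined behaviour and in practice wraps the same way. */
bool weak_length_ok(uint32_t nextstring, int32_t numbytes, uint32_t maxstring)
{
    return nextstring + (uint32_t)numbytes <= maxstring;
}

/* Hardened form: reject negative lengths, then compare the length against
 * the room that is left.  No addition is performed, so nothing can wrap. */
bool safe_length_ok(uint32_t nextstring, int32_t numbytes, uint32_t maxstring)
{
    if (numbytes < 0)
        return false;             /* length read from the file is negative */
    if (nextstring > maxstring)
        return false;             /* cursor already past the end: state is corrupt */
    return (uint32_t)numbytes <= maxstring - nextstring;
}

/* Read a signed 32-bit big-endian length field (the uint32_t -> int32_t
 * conversion is implementation-defined in C; two's complement is assumed). */
int32_t read_be32(const unsigned char *p)
{
    uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return (int32_t)v;
}

/* Append one record: a 4-byte length followed by that many payload bytes.
 * Returns the number of payload bytes copied, or -1 if the record was
 * rejected; on rejection the cursor is left untouched. */
int append_special(uint32_t *nextstring, const unsigned char *rec, size_t reclen)
{
    if (reclen < 4)
        return -1;
    int32_t numbytes = read_be32(rec);
    if (!safe_length_ok(*nextstring, numbytes, MAXSTRING))
        return -1;
    if ((size_t)numbytes > reclen - 4)
        return -1;                /* record claims more bytes than it carries */
    memcpy(pool + *nextstring, rec + 4, (size_t)numbytes);
    *nextstring += (uint32_t)numbytes;
    return numbytes;
}

/* Constructed sample records (not taken from any real DVI file). */
static const unsigned char good_rec[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char bad_rec[]  = { 0xFF, 0xFF, 0xFF, 0xF8 };   /* length -8 */

/* Feed both records through the hardened path starting at cursor 16 and
 * return the final cursor: the good record advances it by 5, the bad one
 * is rejected and leaves it alone. */
uint32_t run_sample(void)
{
    uint32_t next = 16;
    append_special(&next, good_rec, sizeof good_rec);
    append_special(&next, bad_rec, sizeof bad_rec);
    return next;
}

int main(void)
{
    printf("weak check accepts length -8 at cursor 16: %s\n",
           weak_length_ok(16, -8, MAXSTRING) ? "yes" : "no");
    printf("safe check accepts length -8 at cursor 16: %s\n",
           safe_length_ok(16, -8, MAXSTRING) ? "yes" : "no");
    printf("cursor after good and bad record: %u\n", run_sample());
    return 0;
}
```

The check in `safe_length_ok` is the one to keep in mind when reviewing patches of this kind: it subtracts the cursor from the limit (which cannot wrap once the cursor is known to be at or below the limit) instead of adding the untrusted length to the cursor, and it rejects negative lengths explicitly rather than relying on the comparison to catch them.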

Comment 5 Jan Lieskovsky 2010-04-29 15:39:42 UTC
Created attachment 410146 [details]
Proposed patch from Ludwig Nussel of SUSE

Comment 6 Jan Lieskovsky 2010-04-29 15:42:20 UTC
Created attachment 410148 [details]
And slightly adjusted one

Comment 10 errata-xmlrpc 2010-05-06 18:54:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0399 https://rhn.redhat.com/errata/RHSA-2010-0399.html

Comment 11 errata-xmlrpc 2010-05-06 19:09:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0400 https://rhn.redhat.com/errata/RHSA-2010-0400.html

Comment 12 errata-xmlrpc 2010-05-06 19:10:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3

Via RHSA-2010:0401 https://rhn.redhat.com/errata/RHSA-2010-0401.html

Comment 13 Tomas Hoger 2010-05-10 09:02:26 UTC
Upstream commit:
  http://www.tug.org/svn/texlive?view=revision&revision=18095

Comment 14 Fedora Update System 2010-05-10 09:19:28 UTC
texlive-2007-47.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/texlive-2007-47.fc11

Comment 15 Fedora Update System 2010-05-10 09:19:43 UTC
texlive-2007-48.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/texlive-2007-48.fc12

Comment 16 Fedora Update System 2010-05-10 09:20:28 UTC
texlive-2007-51.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/texlive-2007-51.fc13

Comment 17 Fedora Update System 2010-05-18 21:43:59 UTC
texlive-2007-51.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2010-05-18 21:49:28 UTC
texlive-2007-48.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2010-05-18 21:51:37 UTC
texlive-2007-47.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.