572941 – (CVE-2010-0739) CVE-2010-0739 tetex, texlive: Integer overflow by processing special commands

Bug 572941 (CVE-2010-0739) - CVE-2010-0739 tetex, texlive: Integer overflow by processing special commands

Summary: CVE-2010-0739 tetex, texlive: Integer overflow by processing special commands

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2010-0739
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	Embargoed577309 Embargoed577322 Embargoed577323 Embargoed577328 Embargoed577329 Engineering584793 584795
Blocks:
TreeView+	depends on / blocked

Reported:	2010-03-12 12:02 UTC by Jan Lieskovsky
Modified:	2019-09-29 12:35 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-05-08 18:31:47 UTC

Attachments	(Terms of Use)
Patch to fix the integer allocation overflow (698 bytes, patch) 2010-03-12 14:22 UTC, Jindrich Novy	no flags	Details \| Diff
Updated patch from Karl Berry (496 bytes, patch) 2010-03-22 09:28 UTC, Jan Lieskovsky	no flags	Details \| Diff
Show Obsolete (1) View All

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2010:0399	normal	SHIPPED_LIVE	Moderate: tetex security update	2010-05-06 18:53:52 UTC
Red Hat Product Errata	RHSA-2010:0400	normal	SHIPPED_LIVE	Moderate: tetex security update	2010-05-06 19:09:35 UTC
Red Hat Product Errata	RHSA-2010:0401	normal	SHIPPED_LIVE	Moderate: tetex security update	2010-05-06 19:10:40 UTC

Description Jan Lieskovsky 2010-03-12 12:02:59 UTC

Marc Schoenefeld found an integer overflow in the way
TeX text formatting system processed special commands.
If a user was tricked into processing a specially-crafted
typesetter-independent .dvi (DeVice Independent) file,
it could lead to dvips executable crash or, potentially,
to arbitrary code execution with the privileges of the user
running dvips.

Comment 1 Jan Lieskovsky 2010-03-12 12:04:30 UTC

This issue affects the versions of the tetex package,
as shipped with Red Hat Enterprise Linux 3, 4, and 5.

This issue affects the versions of the texlive package,
as shipped with Fedora release of 11 and 12.

Comment 6 Jindrich Novy 2010-03-12 14:22:27 UTC

Created attachment 399653 [details]
Patch to fix the integer allocation overflow

Patch like this should handle this overflow. Please review.

Comment 7 Jan Lieskovsky 2010-03-19 11:41:51 UTC

This is CVE-2010-0739.

Comment 8 Jan Lieskovsky 2010-03-22 09:28:26 UTC

Created attachment 401680 [details]
Updated patch from Karl Berry

Comment 12 Jan Lieskovsky 2010-04-13 14:53:30 UTC

Public via:
  [1] http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-stable.git;a=blob;f=source/xapps-extra/tetex/texlive-CVE-2010-0739-int-overflow.patch

Comment 18 errata-xmlrpc 2010-05-06 18:54:08 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0399 https://rhn.redhat.com/errata/RHSA-2010-0399.html

Comment 19 errata-xmlrpc 2010-05-06 19:09:48 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0400 https://rhn.redhat.com/errata/RHSA-2010-0400.html

Comment 20 errata-xmlrpc 2010-05-06 19:10:49 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2010:0401 https://rhn.redhat.com/errata/RHSA-2010-0401.html

Comment 21 Tomas Hoger 2010-05-10 09:01:03 UTC

Original upstream commit for this issue is:
  http://www.tug.org/svn/texlive?view=revision&revision=17559

Subsequent patch r18095 is needed to address related CVE-2010-1440 too:
  https://bugzilla.redhat.com/show_bug.cgi?id=586819#c13

Comment 22 Fedora Update System 2010-05-10 09:19:21 UTC

texlive-2007-47.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/texlive-2007-47.fc11

Comment 23 Fedora Update System 2010-05-10 09:19:34 UTC

texlive-2007-48.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/texlive-2007-48.fc12

Comment 24 Fedora Update System 2010-05-10 09:20:21 UTC

texlive-2007-51.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/texlive-2007-51.fc13

Comment 25 Fedora Update System 2010-05-18 21:43:54 UTC

texlive-2007-51.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2010-05-18 21:49:24 UTC

texlive-2007-48.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Fedora Update System 2010-05-18 21:51:33 UTC

texlive-2007-47.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.