Bug 572941 – CVE-2010-0739 tetex, texlive: Integer overflow by processing special commands

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 572941 - (CVE-2010-0739) CVE-2010-0739 tetex, texlive: Integer overflow by processing special commands

Summary:	CVE-2010-0739 tetex, texlive: Integer overflow by processing special commands

Status:	CLOSED ERRATA

Aliases:	CVE-2010-0739

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,source=redhat,reporte...
Keywords:	Security

Depends On:	577309 577322 577323 577328 577329 584793 584795
Blocks:
	Show dependency tree / graph

Reported:	2010-03-12 07:02 EST by Jan Lieskovsky
Modified:	2016-03-04 07:53 EST (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2013-05-08 14:31:47 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Patch to fix the integer allocation overflow (698 bytes, patch) 2010-03-12 09:22 EST, Jindrich Novy	no flags	Details \| Diff
Updated patch from Karl Berry (496 bytes, patch) 2010-03-22 05:28 EDT, Jan Lieskovsky	no flags	Details \| Diff
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2010:0399	normal	SHIPPED_LIVE	Moderate: tetex security update	2010-05-06 14:53:52 EDT
Red Hat Product Errata	RHSA-2010:0400	normal	SHIPPED_LIVE	Moderate: tetex security update	2010-05-06 15:09:35 EDT
Red Hat Product Errata	RHSA-2010:0401	normal	SHIPPED_LIVE	Moderate: tetex security update	2010-05-06 15:10:40 EDT

Groups: None (edit)

Description Jan Lieskovsky 2010-03-12 07:02:59 EST

Marc Schoenefeld found an integer overflow in the way
TeX text formatting system processed special commands.
If a user was tricked into processing a specially-crafted
typesetter-independent .dvi (DeVice Independent) file,
it could lead to dvips executable crash or, potentially,
to arbitrary code execution with the privileges of the user
running dvips.

Comment 1 Jan Lieskovsky 2010-03-12 07:04:30 EST

This issue affects the versions of the tetex package,
as shipped with Red Hat Enterprise Linux 3, 4, and 5.

This issue affects the versions of the texlive package,
as shipped with Fedora release of 11 and 12.

Comment 6 Jindrich Novy 2010-03-12 09:22:27 EST

Created attachment 399653 [details]
Patch to fix the integer allocation overflow

Patch like this should handle this overflow. Please review.

Comment 7 Jan Lieskovsky 2010-03-19 07:41:51 EDT

This is CVE-2010-0739.

Comment 8 Jan Lieskovsky 2010-03-22 05:28:26 EDT

Created attachment 401680 [details]
Updated patch from Karl Berry

Comment 12 Jan Lieskovsky 2010-04-13 10:53:30 EDT

Public via:
  [1] http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-stable.git;a=blob;f=source/xapps-extra/tetex/texlive-CVE-2010-0739-int-overflow.patch

Comment 18 errata-xmlrpc 2010-05-06 14:54:08 EDT

This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0399 https://rhn.redhat.com/errata/RHSA-2010-0399.html

Comment 19 errata-xmlrpc 2010-05-06 15:09:48 EDT

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0400 https://rhn.redhat.com/errata/RHSA-2010-0400.html

Comment 20 errata-xmlrpc 2010-05-06 15:10:49 EDT

This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2010:0401 https://rhn.redhat.com/errata/RHSA-2010-0401.html

Comment 21 Tomas Hoger 2010-05-10 05:01:03 EDT

Original upstream commit for this issue is:
  http://www.tug.org/svn/texlive?view=revision&revision=17559

Subsequent patch r18095 is needed to address related CVE-2010-1440 too:
  https://bugzilla.redhat.com/show_bug.cgi?id=586819#c13

Comment 22 Fedora Update System 2010-05-10 05:19:21 EDT

texlive-2007-47.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/texlive-2007-47.fc11

Comment 23 Fedora Update System 2010-05-10 05:19:34 EDT

texlive-2007-48.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/texlive-2007-48.fc12

Comment 24 Fedora Update System 2010-05-10 05:20:21 EDT

texlive-2007-51.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/texlive-2007-51.fc13

Comment 25 Fedora Update System 2010-05-18 17:43:54 EDT

texlive-2007-51.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2010-05-18 17:49:24 EDT

texlive-2007-48.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Fedora Update System 2010-05-18 17:51:33 EDT

texlive-2007-47.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.