Hello, I have reported this issue to TeX Live and the maintenance team have confirmed this issue and fixed it. They want me to request a CVE ID by myself. I have requested a CVE ID, but have not got an answer for the moment. If you could accelerate this requesting process, that would be great!
George-Andrei Iosif <2047...@bugs.launchpad.net> wrote on Wed, 7 Feb 2024, 16:29:

> I have marked this bug as public because the public domain already
> contains information about this TeX Live issue (as seen in the GitHub
> issue and upstream changelog).
>
> @dongzhuo, could you please contact the upstream (either in the existing
> PR or via their mailing list) to confirm that they (1) recognize this
> issue as a vulnerability impacting the security of their software (and
> not just a functional bug), and (2) do not have any other CVE ID
> assignment process already established? The latter is important because
> some projects prefer contacting MITRE for the assignment.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/2047912
>
> Title:
>   There is a heap buffer overflow in texlive-bin
>
> Status in texlive-bin package in Ubuntu:
>   New
>
> Bug description:
>   Hello,
>   I found a heap-buffer overflow in function ttfLoadHDMX; ttfdump can be
>   installed with apt-get install texlive-binaries. I compiled the latest
>   texlive-source by cloning https://github.com/TeX-Live/texlive-source/
>   on Ubuntu for debugging.
>   The overflow content and size are controlled by input. Exploiting
>   this issue can achieve arbitrary code execution.
>
>   The steps for reproducing the vulnerability on Ubuntu:
>   (1) sudo apt-get install texlive-binaries
>   (2) ttfdump -i poc.ttf
>
>   The poc.ttf can be viewed in the attachment. ttfdump aborted and printed
>   "malloc(): corrupted top size" due to memory corruption.
>
>   The issue exists in function ttfLoadHDMX:
>
>   /*** function ttfLoadHDMX begin ***/
>
>   static void ttfLoadHDMX (FILE *fp, HDMXPtr hdmx, ULONG offset)
>   {
>       int i;
>
>       xfseek(fp, offset, SEEK_SET, "ttfLoadHDMX");
>
>       hdmx->version = ttfGetUSHORT(fp);
>       hdmx->numDevices = ttfGetUSHORT(fp);
>       hdmx->size = ttfGetLONG(fp);
>
>       hdmx->Records = XCALLOC (hdmx->numDevices, DeviceRecord);
>
>       for (i=0;i<hdmx->numDevices;i++)
>       {
>           hdmx->Records[i].PixelSize = ttfGetBYTE(fp);
>           hdmx->Records[i].MaxWidth = ttfGetBYTE(fp);
>           hdmx->Records[i].Width = XCALLOC (hdmx->size, BYTE);     /* (1) */
>           fread ((hdmx->Records+i)->Width, sizeof(BYTE),
>                  hdmx->numGlyphs+1, fp);                            /* (2) */
>       }
>   }
>
>   /*** function ttfLoadHDMX end ***/
>
>   At the code marked (1) above, a heap buffer for Width is allocated
>   according to the parsed hdmx width. At the code marked (2), the Width
>   content is copied from the file, with the copy size decided by the
>   controlled hdmx->numGlyphs. In the PoC, hdmx->size equals 1216 and
>   hdmx->numGlyphs+1 is 4155, which causes a heap buffer overflow.
>
>   /*** debug info ***/
>   (gdb) p hdmx->numGlyphs+1
>   $23 = 4155
>   (gdb) p hdmx->size
>   $24 = 1216
>   /*** debug info end ***/
>
>   From:
>   Dongzhuo Zhao, working with ADLab of Venustech
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/2047912/+subscriptions

--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to texlive-bin in Ubuntu.
https://bugs.launchpad.net/bugs/2047912
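As an added example (not ttfdump's or TeX Live's code, and not the upstream fix), here is a bounds-checked in-memory reader for the hdmx table that rejects a header whose declared record size cannot hold the per-glyph widths, which is exactly the inconsistency the report's values (size 1216 against numGlyphs+1 = 4155) expose. Struct and field names follow the excerpt in the report; the 8-byte header and per-record layout the parser assumes are stated in the comments.

```c
/* Added example, not ttfdump's or TeX Live's code: read an hdmx table from an
 * in-memory buffer with the checks the reported loop lacks. Struct and field
 * names follow the excerpt; the table layout assumed is noted in comments. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef struct { uint8_t PixelSize, MaxWidth; uint8_t *Width; } DeviceRecord;
typedef struct {
    uint16_t version, numDevices, numGlyphs;
    int32_t size;                 /* bytes per device record, declared by the file */
    DeviceRecord *Records;
} HDMX;
static uint16_t be16(const uint8_t *b) { return (uint16_t)(b[0] << 8 | b[1]); }
static int32_t be32(const uint8_t *b) {
    return (int32_t)((uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3]);
}
/* Returns 0 on success, -1 if the header does not match the data it describes.
 * numGlyphs comes from maxp and is known before hdmx is parsed. Unlike the
 * excerpt, only the numGlyphs width bytes are copied, never the padding. */
int hdmx_load(const uint8_t *buf, size_t len, uint16_t numGlyphs, HDMX *h) {
    memset(h, 0, sizeof *h);
    if (len < 8) return -1;                                  /* 8-byte header */
    h->version = be16(buf); h->numDevices = be16(buf + 2); h->size = be32(buf + 4);
    h->numGlyphs = numGlyphs;
    /* Check 1: a record must hold PixelSize, MaxWidth and numGlyphs widths. The
     * report's values (size 1216, 4154 glyphs) fail here instead of overflowing. */
    if (h->size < 0 || (size_t)h->size < 2 + (size_t)numGlyphs) return -1;
    /* Check 2: every record lies inside the buffer, so no read runs past it. */
    if ((len - 8) / (size_t)h->size < h->numDevices) return -1;
    h->Records = calloc(h->numDevices, sizeof *h->Records);
    if (!h->Records && h->numDevices) return -1;
    for (uint16_t i = 0; i < h->numDevices; i++) {
        const uint8_t *rec = buf + 8 + (size_t)i * (size_t)h->size;
        h->Records[i].PixelSize = rec[0];
        h->Records[i].MaxWidth = rec[1];
        h->Records[i].Width = calloc((size_t)h->size, 1);
        if (!h->Records[i].Width) return -1;
        memcpy(h->Records[i].Width, rec + 2, numGlyphs);     /* bounded by check 1 */
    }
    return 0;
}
void hdmx_free(HDMX *h) {
    for (uint16_t i = 0; h->Records && i < h->numDevices; i++) free(h->Records[i].Width);
    free(h->Records);
    h->Records = NULL;
}
```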