Hello!
I got the CVE ID (CVE-2024-25262) for this issue.
Thanks

dongzhuo zhao <dongzhuozhaosec...@gmail.com> wrote on Mon, 19 Feb 2024 at 11:03:

> Hello, I have reported this issue to TeX Live and the maintenance team have
> confirmed this issue and fixed it. They want me to request a CVE ID by myself.
> And I also requested a CVE ID, but have not gotten an answer at this moment. If
> you could accelerate this requesting process, that would be great!
>
> George-Andrei Iosif <2047...@bugs.launchpad.net> wrote on Wed, 7 Feb 2024 at 16:29:
>
>> I have marked this bug as public because the public domain already
>> contains information about this TeX Live issue (as seen in the GitHub
>> issue and upstream changelog).
>>
>> @dongzhuo, could you please contact the upstream (either in the existing
>> PR or via their mailing list) to confirm that they (1) recognize this
>> issue as a vulnerability impacting the security of their software (and
>> not just a functional bug), and (2) do not have any other CVE ID
>> assignment process already established? The latter is important because
>> some projects prefer contacting MITRE for the assignment.
>>
>> --
>> You received this bug notification because you are subscribed to the bug
>> report.
>> https://bugs.launchpad.net/bugs/2047912
>>
>> Title:
>>   There is a heap buffer overflow in texlive-bin
>>
>> Status in texlive-bin package in Ubuntu:
>>   New
>>
>> Bug description:
>>   Hello,
>>     I found a heap-buffer overflow in function ttfLoadHDMX; ttfdump can be
>> installed by apt-get texlive-binaries. I compiled the latest texlive-source by
>> cloning https://github.com/TeX-Live/texlive-source/ on Ubuntu for
>> debugging.
>>     The overflow content and size are controlled by input. Exploiting
>> this issue could achieve arbitrary code execution.
>>
>>     The steps for reproducing the vulnerability on Ubuntu:
>>     (1) sudo apt-get install texlive-binaries
>>     (2) ttfdump -i poc.ttf
>>
>>
>>   The poc.ttf can be viewed in the attachment. ttfdump aborted and printed
>> "malloc(): corrupted top size" due to memory corruption.
>>
>>     The issue exists in function ttfLoadHDMX:
>>
>>   /***    function ttfLoadHDMX begin   ***/
>>
>>   static void ttfLoadHDMX (FILE *fp,HDMXPtr hdmx,ULONG offset)
>>   {
>>       int i;
>>
>>       xfseek(fp, offset, SEEK_SET, "ttfLoadHDMX");
>>
>>       hdmx->version = ttfGetUSHORT(fp);
>>       hdmx->numDevices = ttfGetUSHORT(fp);
>>       hdmx->size = ttfGetLONG(fp);
>>
>>       hdmx->Records = XCALLOC (hdmx->numDevices, DeviceRecord);
>>
>>       for (i=0;i<hdmx->numDevices;i++)
>>         {
>>             hdmx->Records[i].PixelSize = ttfGetBYTE(fp);
>>             hdmx->Records[i].MaxWidth = ttfGetBYTE(fp);
>>             hdmx->Records[i].Width = XCALLOC (hdmx->size, BYTE);  (1)
>>             fread ((hdmx->Records+i)->Width, sizeof(BYTE), hdmx->numGlyphs+1, fp); (2)
>>         }
>>   }
>>
>>
>>   /***    function ttfLoadHDMX end   ***/
>>
>>
>>     At the above code (1), a heap buffer for Width is allocated according to
>> the parsed hdmx width. And at the above code (2), the Width content is copied
>> from the file, with the copy size decided by the controlled hdmx->numGlyphs. In
>> the poc, hdmx->size equals 1216 and hdmx->numGlyphs+1 is 4155, which gets a
>> heap buffer overflow.
>>
>>   /*** debug info ***/
>>   (gdb) p hdmx->numGlyphs+1
>>   $23 = 4155
>>   (gdb) p hdmx->size
>>   $24 = 1216
>>   /*** debug info end ***/
>>
>>
>>   From :
>>
>>   Dongzhuo zhao working with ADLab of Venustech
>>
>> To manage notifications about this bug go to:
>>
>> https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/2047912/+subscriptions
>>
>>

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to texlive-bin in Ubuntu.
https://bugs.launchpad.net/bugs/2047912
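
The check that the loop quoted above is missing, as an added example written for this page (it is not TeX Live's code, not the fix upstream applied, and not the reporter's poc.ttf): a bounds-checked loader for the hdmx table that refuses a record whose declared size cannot hold the numGlyphs+1 bytes the fread at (2) reads, and refuses truncated tables instead of reading short. It parses an in-memory copy of the table rather than a FILE*, the three sample tables are constructed for this example, and numGlyphs is passed in by the caller (the page does not show where ttfdump takes it from; in OpenType it is the maxp table's glyph count). It also advances by the record's declared size, which is how the OpenType spec lays the records out.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status codes for the hardened loader below. */
enum { HDMX_OK = 0, HDMX_ERR_TRUNCATED = 1, HDMX_ERR_BAD_SIZE = 2, HDMX_ERR_OOM = 3 };

/* Bounds-checked big-endian reader over an in-memory copy of the table
 * (stands in for the FILE* and the ttfGetUSHORT/ttfGetLONG helpers). */
typedef struct { const uint8_t *p; size_t len; size_t pos; } Reader;

static int rd_u8(Reader *r, uint8_t *out) {
    if (r->len - r->pos < 1) return -1;
    *out = r->p[r->pos++];
    return 0;
}
static int rd_u16(Reader *r, uint16_t *out) {
    if (r->len - r->pos < 2) return -1;
    *out = (uint16_t)(((unsigned)r->p[r->pos] << 8) | r->p[r->pos + 1]);
    r->pos += 2;
    return 0;
}
static int rd_i32(Reader *r, int32_t *out) {
    if (r->len - r->pos < 4) return -1;
    uint32_t v = ((uint32_t)r->p[r->pos] << 24) | ((uint32_t)r->p[r->pos + 1] << 16)
               | ((uint32_t)r->p[r->pos + 2] << 8) | r->p[r->pos + 3];
    r->pos += 4;
    *out = (int32_t)v;
    return 0;
}

typedef struct { uint8_t pixelSize, maxWidth; uint8_t *width; } DeviceRecord;
typedef struct { uint16_t version, numDevices; int32_t size; DeviceRecord *records; } HDMX;

/* The missing check: the numGlyphs+1 bytes read into each Width buffer
 * must fit in the `size` bytes allocated for it at (1). */
int hdmx_widths_fit(int32_t size, uint16_t numGlyphs) {
    return size > 0 && (uint32_t)numGlyphs + 1u <= (uint32_t)size;
}

void hdmx_free(HDMX *h) {
    if (h->records)
        for (uint16_t i = 0; i < h->numDevices; i++) free(h->records[i].width);
    free(h->records);
    h->records = NULL;
}

/* numGlyphs is supplied by the caller (assumed to come from maxp, as in OpenType). */
int hdmx_load(const uint8_t *buf, size_t len, uint16_t numGlyphs, HDMX *h) {
    Reader r = { buf, len, 0 };
    memset(h, 0, sizeof *h);
    if (rd_u16(&r, &h->version) || rd_u16(&r, &h->numDevices) || rd_i32(&r, &h->size))
        return HDMX_ERR_TRUNCATED;
    /* Rejects the PoC's shape (size 1216, numGlyphs+1 == 4155) before any allocation. */
    if (!hdmx_widths_fit(h->size, numGlyphs))
        return HDMX_ERR_BAD_SIZE;
    /* Each record occupies `size` bytes; all numDevices of them must lie inside the table. */
    if ((size_t)h->numDevices > (len - r.pos) / (size_t)h->size)
        return HDMX_ERR_TRUNCATED;
    h->records = calloc(h->numDevices, sizeof *h->records);
    if (!h->records && h->numDevices) return HDMX_ERR_OOM;
    for (uint16_t i = 0; i < h->numDevices; i++) {
        size_t rec_start = r.pos;
        DeviceRecord *d = &h->records[i];
        if (rd_u8(&r, &d->pixelSize) || rd_u8(&r, &d->maxWidth)) { hdmx_free(h); return HDMX_ERR_TRUNCATED; }
        d->width = calloc((size_t)h->size, 1);          /* same allocation as (1) */
        if (!d->width) { hdmx_free(h); return HDMX_ERR_OOM; }
        size_t n = (size_t)numGlyphs + 1;               /* same length as the fread at (2) */
        if (len - r.pos < n) { hdmx_free(h); return HDMX_ERR_TRUNCATED; }
        memcpy(d->width, buf + r.pos, n);               /* n <= size, so this cannot overflow */
        r.pos = rec_start + (size_t)h->size;            /* next record starts `size` bytes later */
    }
    return HDMX_OK;
}

/* Constructed sample tables (not the reporter's poc.ttf). */
static const uint8_t BENIGN_HDMX[] = {
    0x00,0x00, 0x00,0x02, 0x00,0x00,0x00,0x08,  /* version 0, 2 devices, 8-byte records */
    0x0C,0x14, 0x05,0x06,0x07, 0x00,0x00,0x00,  /* 12 ppem, maxWidth 20, 3 widths, pad */
    0x10,0x18, 0x08,0x09,0x0A, 0x00,0x00,0x00,  /* 16 ppem, maxWidth 24, 3 widths, pad */
};
/* Same shape as the PoC: a record size (4) far smaller than numGlyphs+1 (11). */
static const uint8_t POC_SHAPED_HDMX[] = { 0x00,0x00, 0x00,0x01, 0x00,0x00,0x00,0x04, 0x0C,0x14, 0xAA,0xBB };
/* Header promises two records, the table carries one. */
static const uint8_t TRUNCATED_HDMX[] = {
    0x00,0x00, 0x00,0x02, 0x00,0x00,0x00,0x08,
    0x0C,0x14, 0x05,0x06,0x07, 0x00,0x00,0x00,
};

int load_benign(void)     { HDMX h; int rc = hdmx_load(BENIGN_HDMX, sizeof BENIGN_HDMX, 3, &h); hdmx_free(&h); return rc; }
int load_poc_shaped(void) { HDMX h; int rc = hdmx_load(POC_SHAPED_HDMX, sizeof POC_SHAPED_HDMX, 10, &h); hdmx_free(&h); return rc; }
int load_truncated(void)  { HDMX h; int rc = hdmx_load(TRUNCATED_HDMX, sizeof TRUNCATED_HDMX, 3, &h); hdmx_free(&h); return rc; }

/* Width of glyph `glyph` in device record `rec` of the benign table, or -1. */
int benign_width(int rec, int glyph) {
    HDMX h; int v = -1;
    if (hdmx_load(BENIGN_HDMX, sizeof BENIGN_HDMX, 3, &h) == HDMX_OK && rec < h.numDevices && glyph < 3)
        v = h.records[rec].width[glyph];
    hdmx_free(&h);
    return v;
}

int main(void) {
    printf("benign=%d width(1,2)=%d poc_shaped=%d truncated=%d poc_values_fit=%d\n",
           load_benign(), benign_width(1, 2), load_poc_shaped(), load_truncated(),
           hdmx_widths_fit(1216, 4154));
    return 0;
}
```

hdmx_widths_fit(1216, 4154) is the reporter's own numbers (size 1216, numGlyphs+1 == 4155) and returns 0; ttfdump's loop on the same input allocates 1216 bytes at (1) and then reads 4155 into them at (2).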
-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp