This bug was fixed in the package texlive-bin - 2021.20210626.59705-1ubuntu0.2
--------------- texlive-bin (2021.20210626.59705-1ubuntu0.2) jammy-security; urgency=medium * SECURITY UPDATE: arbitrary network requests via socket library - debian/patches/CVE-2023-32668.patch: disable socket library by default in texk/web2c/luatexdir/lua/loslibext.c, texk/web2c/luatexdir/lua/luainit.c, texk/web2c/luatexdir/lua/luastuff.c, texk/web2c/luatexdir/lua/luatex-api.h, texk/web2c/luatexdir/luasocket/src/lua_preload.c. - CVE-2023-32668 * SECURITY UPDATE: heap overflow in ttfdump (LP: #2047912) - debian/patches/CVE-2024-25262.diff: add overflow check to texk/ttfdump/libttf/hdmx.c. - CVE-2024-25262 -- Marc Deslauriers <marc.deslauri...@ubuntu.com> Wed, 13 Mar 2024 10:11:46 -0400 ** Changed in: texlive-bin (Ubuntu) Status: New => Fix Released ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-18604 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to texlive-bin in Ubuntu. https://bugs.launchpad.net/bugs/2047912 Title: There is a heap buffer overflow in texlive-bin Status in texlive-bin package in Ubuntu: Fix Released Bug description: Hello, I found a heap-buffer overflow in function ttfLoadHDMX; ttfdump can install by apt-get texlive-binaries. I compile lastest texlive-source by clone https://github.com/TeX-Live/texlive-source/ on unbuntu for debugging. The overflow content and size are controlled by input. Exploiting this issue can achive any code excuted The steps for reproducing the vul on unbuntu: (1) sudo apt-get iunstall texlive-binaries (2) ttfdump -i poc.ttf The poc.ttf can view the attachment .ttfdump aborted and prompt "malloc(): corrupted top size" due memory corrupt. The issue exist in function ttfLoadHDMX : /*** function ttfLoadHDMX begin ***/ static void ttfLoadHDMX (FILE *fp,HDMXPtr hdmx,ULONG offset) { int i; xfseek(fp, offset, SEEK_SET, "ttfLoadHDMX"); hdmx->version = ttfGetUSHORT(fp); hdmx->numDevices = ttfGetUSHORT(fp); hdmx->size = ttfGetLONG(fp); hdmx->Records = XCALLOC (hdmx->numDevices, DeviceRecord); for (i=0;i<hdmx->numDevices;i++) { hdmx->Records[i].PixelSize = ttfGetBYTE(fp); hdmx->Records[i].MaxWidth = ttfGetBYTE(fp); hdmx->Records[i].Width = XCALLOC (hdmx->size, BYTE); (1) fread ((hdmx->Records+i)->Width, sizeof(BYTE), hdmx->numGlyphs+1,fp); (2) } } /*** function ttfLoadHDMX end ***/ At above code (1) ,allocte heap buffer for Width according to the parsed hdmx width. And at above code (2) , copy Width content from file and copy size decided by controlled hdmx->numGlyphs. In the poc , hdmx->size eaqual to 1216 and hdmx->numGlyphs+1 is 4155,which get heap buffer overflow. /*** debug info ***/ (gdb) p hdmx->numGlyphs+1 $23 = 4155 (gdb) p hdmx->size $24 = 1216 /*** debug info end ***/ From : Dongzhuo zhao working with ADLab of Venustech To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/2047912/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp