Your message dated Fri, 29 May 2026 23:09:34 +0000
with message-id <[email protected]>
and subject line Bug#1103801: fixed in mimetex 1.76-6
has caused the Debian Bug report #1103801,
regarding CVE-2024-40446: code injection vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1103801: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103801
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mimetex
Version: 1.76-1
Severity: important

Dear Maintainer,

A code injection vulnerability has been identified in MimeTeX, affecting 
version 1.76-1 and above. This issue has been assigned CVE-2024-40446.

When operating in command-line or CGI mode, specially crafted input can trigger 
unintended command execution due to unsafe parsing. The issue arises from the 
incorrect handling of user-supplied input during expression parsing.

* What led up to the situation?  
  While evaluating the security posture of web applications relying on dynamic 
LaTeX rendering, this vulnerability was discovered in the underlying MimeTeX 
binary.

* What exactly did you do (or not do) that was effective (or ineffective)?  
  Testing was performed with benign but malformed LaTeX input, which led to 
unexpected execution behavior. Further analysis confirmed the input was being 
evaluated in a way that allowed for arbitrary code execution.

* What was the outcome of this action?  
  A proof of concept confirmed the ability to execute commands supplied via 
crafted LaTeX input in environments where MimeTeX is exposed to untrusted input 
(such as via CGI).

* What outcome did you expect instead?  
  Input should be treated as data and not lead to code execution under any 
circumstances.

As MimeTeX appears to be unmaintained upstream, and the impact of this 
vulnerability includes remote code execution, it is recommended to consider 
removing the package from Debian, or at minimum, disabling CGI support or 
sandboxing the binary in its current form.

CVE details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40446

-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy-updates
  APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), 
(100, 'jammy-backports')
Architecture: arm64 (aarch64)

Kernel: Linux 6.11.3-200.fc40.aarch64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages mimetex depends on:
ii  libc6  2.35-0ubuntu3.9

mimetex recommends no packages.

mimetex suggests no packages.

--- End Message ---
--- Begin Message ---
Source: mimetex
Source-Version: 1.76-6
Done: Hilmar Preuße <[email protected]>

We believe that the bug you reported is fixed in the latest version of
mimetex, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilmar Preuße <[email protected]> (supplier of updated mimetex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 30 May 2026 00:23:44 +0200
Source: mimetex
Architecture: source
Version: 1.76-6
Distribution: unstable
Urgency: medium
Maintainer: Hilmar Preuße <[email protected]>
Changed-By: Hilmar Preuße <[email protected]>
Closes: 1103801
Changes:
 mimetex (1.76-6) unstable; urgency=medium
 .
   * Add patch for CVE-2024-40446 (Closes: #1103801).
Checksums-Sha1:
 410d4cce96c609d2dba76dec534bf81492e5d116 1335 mimetex_1.76-6.dsc
 4b744a351d18e19be03c33ed09ee8036693afcce 6832 mimetex_1.76-6.debian.tar.xz
 3677ca784cbccb260014f4dc7b65dfe276e3ac76 4912 mimetex_1.76-6_source.buildinfo
Checksums-Sha256:
 55a21b97e48f7bf9560ff0d559423d87157cffa64eabd8d01eaef72d0995c077 1335 
mimetex_1.76-6.dsc
 b6799372279a73271395ef4be9d63588e28719d16875b489c2bc86420f59fc36 6832 
mimetex_1.76-6.debian.tar.xz
 0c07193e1a2ddab6f177806857e2d6dd1bf62b06da4a8172902127af1e5ec212 4912 
mimetex_1.76-6_source.buildinfo
Files:
 fa386041fbbd1e66a8e941f55eb09476 1335 utils optional mimetex_1.76-6.dsc
 60f267d06b04041c454d194becd80ff9 6832 utils optional 
mimetex_1.76-6.debian.tar.xz
 6cb8e5169a3b57862f6f4cb1d0e754b0 4912 utils optional 
mimetex_1.76-6_source.buildinfo

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
