This bug was fixed in the package texlive-bin -
2023.20230311.66589-6ubuntu0.1
---------------
texlive-bin (2023.20230311.66589-6ubuntu0.1) mantic-security; urgency=medium
* SECURITY UPDATE: heap overflow in ttfdump (LP: #2047912)
- debian/patches/CVE-2024-25262.diff: add overflow check to
texk/ttfdump/libttf/hdmx.c.
- CVE-2024-25262
-- Marc Deslauriers <marc.deslauri...@ubuntu.com> Wed, 13 Mar 2024
10:05:52 -0400
** Changed in: texlive-bin (Ubuntu)
Status: New => Fix Released
** Changed in: texlive-bin (Ubuntu)
Status: New => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-32668
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to texlive-bin in Ubuntu.
https://bugs.launchpad.net/bugs/2047912
Title:
There is a heap buffer overflow in texlive-bin
Status in texlive-bin package in Ubuntu:
Fix Released
Bug description:
Hello,
I found a heap-buffer overflow in function ttfLoadHDMX; ttfdump can install
by apt-get texlive-binaries. I compile lastest texlive-source by clone
https://github.com/TeX-Live/texlive-source/ on unbuntu for debugging.
The overflow content and size are controlled by input. Exploiting this
issue can achive any code excuted
The steps for reproducing the vul on unbuntu:
(1) sudo apt-get iunstall texlive-binaries
(2) ttfdump -i poc.ttf
The poc.ttf can view the attachment .ttfdump aborted and prompt "malloc():
corrupted top size" due memory corrupt.
The issue exist in function ttfLoadHDMX :
/*** function ttfLoadHDMX begin ***/
static void ttfLoadHDMX (FILE *fp,HDMXPtr hdmx,ULONG offset)
{
int i;
xfseek(fp, offset, SEEK_SET, "ttfLoadHDMX");
hdmx->version = ttfGetUSHORT(fp);
hdmx->numDevices = ttfGetUSHORT(fp);
hdmx->size = ttfGetLONG(fp);
hdmx->Records = XCALLOC (hdmx->numDevices, DeviceRecord);
for (i=0;i<hdmx->numDevices;i++)
{
hdmx->Records[i].PixelSize = ttfGetBYTE(fp);
hdmx->Records[i].MaxWidth = ttfGetBYTE(fp);
hdmx->Records[i].Width = XCALLOC (hdmx->size, BYTE); (1)
fread ((hdmx->Records+i)->Width, sizeof(BYTE),
hdmx->numGlyphs+1,fp); (2)
}
}
/*** function ttfLoadHDMX end ***/
At above code (1) ,allocte heap buffer for Width according to the parsed
hdmx width. And at above code (2) , copy Width content from file and copy size
decided by controlled hdmx->numGlyphs. In the poc , hdmx->size eaqual to 1216
and hdmx->numGlyphs+1 is 4155,which get heap buffer overflow.
/*** debug info ***/
(gdb) p hdmx->numGlyphs+1
$23 = 4155
(gdb) p hdmx->size
$24 = 1216
/*** debug info end ***/
From :
Dongzhuo zhao working with ADLab of Venustech
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/2047912/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
