Vigil@nce - teTeX: several vulnerabilities of dvips and dvipng
May 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can create a malicious DVI file and invite the victim
to open it with teTeX tools, in order to cause a denial of
service and possibly to execute code.
Severity: 2/4
Creation date: 07/05/2010
DESCRIPTION OF THE VULNERABILITY
The teTeX suite contains tools to handle documents in TeX DVI
format. The dvips command converts a DVI document to PostScript.
The dvipng command converts a DVI document to a PNG image. Several
vulnerabilities impact these tools.
The predospecial() function of the texk/dvipsk/dospecial.c file
does not check for integer overflows, which leads to memory corruption.
[severity:2/4; 572941, CVE-2010-0739]
The virtualfont.c file does not check the font name size, which
leads to a buffer overflow. [severity:2/4; 572914, BID-39971,
CVE-2010-0827]
Several integer overflows in the dvipng command lead to memory
corruption. [severity:2/4; 573999, CVE-2010-0829]
The predospecial() and bbdospecial() functions of the
texk/dvipsk/dospecial.c file do not check for integer overflows,
which leads to memory corruption. [severity:2/4; 586819, BID-39966,
CVE-2010-1440]
An attacker can therefore create a malicious DVI file and invite
the victim to open it with teTeX tools, in order to cause a
denial of service and possibly to execute code.
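The integer-overflow class named above for predospecial() and
bbdospecial(), as an added C illustration (not teTeX code and not
part of this bulletin): a length-prefixed DVI special is copied into
a fixed pool, with a bounds check that wraps shown beside one that
does not. The pool structure, its capacity and all function names are
assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define POOL_CAP 64u /* constructed capacity, not a dvips value */

struct pool { unsigned char buf[POOL_CAP]; uint32_t used; };

/* DVI stores multi-byte quantities big-endian. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Weak pattern: the sum wraps modulo 2^32, so a huge length passes. */
int weak_check_accepts(uint32_t used, uint32_t len) {
    return (uint32_t)(used + len + 1u) <= POOL_CAP;
}

/* Hardened pattern: compare the untrusted length against the space left;
   no arithmetic is done on it, and one byte stays free for the NUL. */
int safe_check_accepts(uint32_t used, uint32_t len) {
    return used < POOL_CAP && len < POOL_CAP - used;
}

/* Store one xxx4 special (opcode 242, 4-byte length, payload).
   Returns 0 on success, -1 if the record is rejected. */
int store_special(struct pool *p, const unsigned char *in, size_t avail) {
    if (avail < 5 || in[0] != 242) return -1;
    uint32_t len = be32(in + 1);
    if (len > avail - 5) return -1;            /* payload truncated in file */
    if (!safe_check_accepts(p->used, len)) return -1;
    memcpy(p->buf + p->used, in + 5, len);
    p->used += len;
    p->buf[p->used++] = '\0';
    return 0;
}

/* Constructed inputs: a 3-byte special, and one claiming 0xFFFFFFF5 bytes. */
int run_sample(int hostile) {
    static const unsigned char ok[]  = {242, 0, 0, 0, 3, 'a', 'b', 'c'};
    static const unsigned char bad[] = {242, 0xFF, 0xFF, 0xFF, 0xF5, 'x'};
    struct pool p = {{0}, 10};                 /* 10 bytes already in use */
    return hostile ? store_special(&p, bad, sizeof bad)
                   : store_special(&p, ok, sizeof ok);
}
```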
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/teTeX-several-vulnerabilities-of-dvips-and-dvipng-9632