CVE-2010-0739
Published 2010-04-16
CVE-2010-0739: Integer overflow in the predospecial function in dospecial.c in dvips in (1) TeX Live and (2) teTeX might allow user-assisted remote attackers to execute…
Priority: P430, medium
CVSS 2.0: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
EPSS: 4.92% (91.0th percentile)
Integer overflow in the predospecial function in dospecial.c in dvips in (1) TeX Live and (2) teTeX might allow user-assisted remote attackers to execute arbitrary code via a crafted DVI file that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information.
Affected
13 ranges (the 11 tug/tex_live entries that carry no version bounds are collapsed into one row)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | texlive-bin | < 2009-6 (bookworm) | 2009-6 (bookworm) |
| tug | tex_live | <= 2009 | — |
| tug | tex_live | — (11 further entries, no version bounds given) | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 6.8 | MEDIUM | — |
| vendor_debian | — | 6.8 | LOW | — |
| vendor_redhat | — | 6.8 | MEDIUM | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |
GHSA
GHSA-p26p-qrwm-pp59: Multiple integer overflows in dvipsk/dospecial
ghsa_unreviewed·2022-05-02·CVSS 6.8
CVE-2010-1440 [MEDIUM] GHSA-p26p-qrwm-pp59: Multiple integer overflows in dvipsk/dospecial
Multiple integer overflows in dvipsk/dospecial.c in dvips in TeX Live 2009 and earlier, and teTeX, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a special command in a DVI file, related to the (1) predospecial and (2) bbdospecial functions, a different vulnerability than CVE-2010-0739.
GHSA
GHSA-g329-cmhw-r62r: Integer overflow in the predospecial function in dospecial
ghsa_unreviewed·2022-05-02
CVE-2010-0739 [MEDIUM] GHSA-g329-cmhw-r62r: Integer overflow in the predospecial function in dospecial
Integer overflow in the predospecial function in dospecial.c in dvips in (1) TeX Live and (2) teTeX might allow user-assisted remote attackers to execute arbitrary code via a crafted DVI file that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information.
OSV
CVE-2010-1440: Multiple integer overflows in dvipsk/dospecial
osv·2010-05-07·CVSS 6.8
CVE-2010-1440 [MEDIUM] CVE-2010-1440: Multiple integer overflows in dvipsk/dospecial
Multiple integer overflows in dvipsk/dospecial.c in dvips in TeX Live 2009 and earlier, and teTeX, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a special command in a DVI file, related to the (1) predospecial and (2) bbdospecial functions, a different vulnerability than CVE-2010-0739.
OSV
CVE-2010-0739: Integer overflow in the predospecial function in dospecial
osv·2010-04-16·CVSS 6.8
CVE-2010-0739 [MEDIUM] CVE-2010-0739: Integer overflow in the predospecial function in dospecial
Integer overflow in the predospecial function in dospecial.c in dvips in (1) TeX Live and (2) teTeX might allow user-assisted remote attackers to execute arbitrary code via a crafted DVI file that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information.
Ubuntu
TeX Live vulnerabilities
vendor_ubuntu·2010-05-06·CVSS 5.0
CVE-2009-1284 [MEDIUM] TeX Live vulnerabilities
Title: TeX Live vulnerabilities
Summary: TeX Live vulnerabilities
It was discovered that TeX Live incorrectly handled certain long .bib
bibliography files. If a user or automated system were tricked into
processing a specially crafted bib file, an attacker could cause a denial
of service via application crash. This issue only affected Ubuntu 8.04 LTS,
9.04 and 9.10. (CVE-2009-1284)
Marc Schoenefeld, Karel Šrot and Ludwig Nussel discovered that TeX Live
incorrectly handled certain malformed dvi files. If a user or automated
system were tricked into processing a specially crafted dvi file, an
attacker could cause a denial of service via application crash, or possibly
execute arbitrary code with the privileges of the user invoking the
program. (CVE-2010-0739, CVE-2010-1440)
Dan Rosenberg
Red Hat
texlive: Integer overflow by processing special commands
vendor_redhat·2010-05-03·CVSS 6.8
CVE-2010-1440 [MEDIUM] CWE-190 texlive: Integer overflow by processing special commands
texlive: Integer overflow by processing special commands
Multiple integer overflows in dvipsk/dospecial.c in dvips in TeX Live 2009 and earlier, and teTeX, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a special command in a DVI file, related to the (1) predospecial and (2) bbdospecial functions, a different vulnerability than CVE-2010-0739.
Red Hat
texlive: Integer overflow by processing special commands
vendor_redhat·2010-04-12·CVSS 6.8
CVE-2010-0739 [MEDIUM] CWE-190 texlive: Integer overflow by processing special commands
texlive: Integer overflow by processing special commands
Integer overflow in the predospecial function in dospecial.c in dvips in (1) TeX Live and (2) teTeX might allow user-assisted remote attackers to execute arbitrary code via a crafted DVI file that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information.
Debian
CVE-2010-0739: texlive-bin - Integer overflow in the predospecial function in dospecial.c in dvips in (1) TeX...
vendor_debian·2010·CVSS 6.8
CVE-2010-0739 [MEDIUM] CVE-2010-0739: texlive-bin - Integer overflow in the predospecial function in dospecial.c in dvips in (1) TeX...
Integer overflow in the predospecial function in dospecial.c in dvips in (1) TeX Live and (2) teTeX might allow user-assisted remote attackers to execute arbitrary code via a crafted DVI file that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information.
Scope: local
bookworm: resolved (fixed in 2009-6)
bullseye: resolved (fixed in 2009-6)
forky: resolved (fixed in 2009-6)
sid: resolved (fixed in 2009-6)
trixie: resolved (fixed in 2009-6)
Debian
CVE-2010-1440: texlive-bin - Multiple integer overflows in dvipsk/dospecial.c in dvips in TeX Live 2009 and e...
vendor_debian·2010·CVSS 6.8
CVE-2010-1440 [MEDIUM] CVE-2010-1440: texlive-bin - Multiple integer overflows in dvipsk/dospecial.c in dvips in TeX Live 2009 and e...
Multiple integer overflows in dvipsk/dospecial.c in dvips in TeX Live 2009 and earlier, and teTeX, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a special command in a DVI file, related to the (1) predospecial and (2) bbdospecial functions, a different vulnerability than CVE-2010-0739.
Scope: local
bookworm: resolved (fixed in 2009-6)
bullseye: resolved (fixed in 2009-6)
forky: resolved (fixed in 2009-6)
sid: resolved (fixed in 2009-6)
trixie: resolved (fixed in 2009-6)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2010-1440 tetex, texlive: Integer overflow by processing special commands
bugzilla·2010-04-28·CVSS 6.8
CVE-2010-1440 [MEDIUM] CVE-2010-1440 tetex, texlive: Integer overflow by processing special commands
CVE-2010-1440 tetex, texlive: Integer overflow by processing special commands
An integer overflow was found in the way TeX text formatting
system processed special commands. If a user was tricked into
processing a specially-crafted typesetter-independent .dvi
(DeVice Independent) file, it could lead to dvips executable
crash or, potentially, to arbitrary code execution with the
privileges of the user running dvips. Different vulnerability
than CVE-2010-0739.
Discussion:
This is CVE-2010-1440.
---
Created attachment 409893
Proposed patch for RHEL5
---
(In reply to comment #3)
> Created an attachment (id=409893) [details]
> Proposed patch for RHEL5
This may work in some cases, but not in general. nextstring + numbytes may still overflow for certain nextstring / numbytes values.
---
Bugzilla
CVE-2010-0739 CVE-2010-1440 texlive: Integer overflow by processing special commands [Fedora all]
bugzilla·2010-04-22·CVSS 6.8
CVE-2010-0739 [MEDIUM] CVE-2010-0739 CVE-2010-1440 texlive: Integer overflow by processing special commands [Fedora all]
CVE-2010-0739 CVE-2010-1440 texlive: Integer overflow by processing special commands [Fedora all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.
For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in "Blocks" field.
bug #572941:
CVE-2010-0739 tetex, texlive: Integer overflow by processing special commands
When creating a Bodhi update request, please include the bug IDs of the respective parent bugs filed against the "Security Response" product. Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=526637,526893,57
Bugzilla
CVE-2010-0739 tetex, texlive: Integer overflow by processing special commands
bugzilla·2010-03-12·CVSS 6.8
CVE-2010-0739 [MEDIUM] CVE-2010-0739 tetex, texlive: Integer overflow by processing special commands
CVE-2010-0739 tetex, texlive: Integer overflow by processing special commands
Marc Schoenefeld found an integer overflow in the way
TeX text formatting system processed special commands.
If a user was tricked into processing a specially-crafted
typesetter-independent .dvi (DeVice Independent) file,
it could lead to dvips executable crash or, potentially,
to arbitrary code execution with the privileges of the user
running dvips.
Discussion:
This issue affects the versions of the tetex package,
as shipped with Red Hat Enterprise Linux 3, 4, and 5.
This issue affects the versions of the texlive package,
as shipped with Fedora release of 11 and 12.
---
Created attachment 399653
Patch to fix the integer allocation overflow
Patch like this should handle this overflow. Please review.
---
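Worked example, added here and not taken from dvips, TeX Live, teTeX or any of the patches referenced in the entries above: a small C program that models the two overflow shapes those entries describe, a grown-buffer size derived from a special's byte count that wraps in 32-bit arithmetic, and the "nextstring + numbytes" fit check that the Bugzilla reviewer notes can still overflow. The DVI encoding of \special (opcodes 239..242 = xxx1..xxx4, a 1- to 4-byte big-endian length k followed by k bytes) is the real format; the growth formula 2*numbytes + 1000, the buffer and function names and the sample byte strings are constructed for illustration and are not claimed to match dvips. The parser refuses any k larger than the remaining input, which is the check that stops the crafted xxx4 sample; the grow_size_* and fits_* functions show what the arithmetic does when such a bound is missing.

```c
/* Added example, not code from dvips/TeX Live/teTeX or any referenced patch.
 * Models two overflow shapes described on this page: (1) a grown-buffer size
 * derived from a special's byte count that wraps; (2) a "nextstring + numbytes"
 * fit check whose sum wraps. DVI \special encoding is real (opcodes 239..242,
 * 1..4-byte big-endian k, then k bytes). GROW_SLACK, the 2*numbytes formula,
 * names and sample bytes are constructed. Unsigned types keep the wrap defined. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define GROW_SLACK 1000u   /* hypothetical slack added when a buffer is grown */

/* (1) naive: for numbytes >= 0x7FFFFE0C the 32-bit result wraps and is far
   smaller than numbytes, so copying numbytes bytes into it overruns the heap. */
uint32_t grow_size_naive(uint32_t numbytes) {
    return 2u * numbytes + GROW_SLACK;
}

/* (1) hardened: refuse before multiplying if the result cannot fit. */
int grow_size_safe(uint32_t numbytes, uint32_t *out) {
    if (numbytes > (UINT32_MAX - GROW_SLACK) / 2u) return 0;
    *out = 2u * numbytes + GROW_SLACK;
    return 1;
}

/* (2) naive: the sum is formed first and can wrap past SIZE_MAX. */
int fits_naive(size_t nextstring, size_t numbytes, size_t maxstring) {
    return nextstring + numbytes <= maxstring;
}

/* (2) hardened: only a subtraction that is known not to underflow. */
int fits_safe(size_t nextstring, size_t numbytes, size_t maxstring) {
    if (nextstring > maxstring) return 0;
    return numbytes <= maxstring - nextstring;
}

/* Big-endian unsigned integer of n (1..4) bytes. */
static uint32_t read_be(const uint8_t *p, int n) {
    uint32_t v = 0;
    for (int i = 0; i < n; i++) v = (v << 8) | p[i];
    return v;
}

/* Scan `len` DVI bytes, copying each special's text plus a NUL into `out`
   (capacity `outmax`). Returns the number of specials accepted, or -1 on a
   truncated k, a k beyond the end of the input, or text that would not fit.
   Other opcodes are skipped one byte at a time, so the samples use only
   operand-free opcodes (set_char_0..127, nop = 138); a real reader decodes all. */
int collect_specials(const uint8_t *dvi, size_t len, char *out, size_t outmax) {
    size_t pos = 0, next = 0;
    int count = 0;
    if (outmax == 0) return -1;
    while (pos < len) {
        uint8_t op = dvi[pos++];
        if (op < 239 || op > 242) continue;
        int n = op - 239 + 1;                            /* width of k */
        if (len - pos < (size_t)n) return -1;            /* truncated k */
        size_t k = read_be(dvi + pos, n);
        pos += n;
        if (k > len - pos) return -1;                    /* k exceeds input */
        if (!fits_safe(next, k, outmax - 1)) return -1;  /* k bytes + NUL */
        memcpy(out + next, dvi + pos, k);
        out[next + k] = '\0';
        next += k + 1;
        pos += k;
        count++;
    }
    return count;
}

/* Constructed DVI fragments (not taken from any real file). */
static const uint8_t DVI_OK[] = {
    'A', 138,                                /* set_char_65, nop */
    239, 5, 'p', 's', ':', ' ', 'x',         /* xxx1, k = 5 */
    240, 0x00, 0x03, 'a', 'b', 'c',          /* xxx2, k = 3 */
    138
};
static const uint8_t DVI_HUGE[] = {
    242, 0x7F, 0xFF, 0xFF, 0xF0, 'z'         /* xxx4, k = 0x7FFFFFF0 */
};

/* Returns 2 when DVI_OK yields the specials "ps: x" and "abc", else -2. */
int demo_ok(void) {
    char out[64];
    int n = collect_specials(DVI_OK, sizeof DVI_OK, out, sizeof out);
    if (n != 2 || strcmp(out, "ps: x") != 0 || strcmp(out + 6, "abc") != 0)
        return -2;
    return n;
}

/* Returns -1: the crafted k is rejected against the remaining input length. */
int demo_huge(void) {
    char out[64];
    return collect_specials(DVI_HUGE, sizeof DVI_HUGE, out, sizeof out);
}

int main(void) {
    uint32_t grown = 0;
    printf("DVI_OK: %d specials, DVI_HUGE: %d\n", demo_ok(), demo_huge());
    printf("naive grow for k=0x7FFFFFF0: %u bytes; safe grow accepted: %d\n",
           grow_size_naive(0x7FFFFFF0u), grow_size_safe(0x7FFFFFF0u, &grown));
    return 0;
}
```

The crafted xxx4 length 0x7FFFFFF0 makes grow_size_naive return 968 bytes, so a copy of k bytes into a buffer sized that way would overrun it; grow_size_safe refuses the same value, and fits_safe refuses a numbytes that fits_naive accepts only because the sum wrapped. Bounding k against the bytes actually left in the file, as collect_specials does, rejects such a special before any sizing arithmetic runs.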
References
- http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-stable.git%3Ba=blob%3Bf=source/xapps-extra/tetex/texlive-CVE-2010-0739-int-overflow.patch
- http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041573.html
- http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
- http://secunia.com/advisories/39390
- http://security.gentoo.org/glsa/glsa-201206-28.xml
- http://www.securityfocus.com/bid/39500
- http://www.ubuntu.com/usn/USN-937-1
- https://bugzilla.redhat.com/show_bug.cgi?id=572941
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11468
Published 2010-04-16