CVE-2010-1440
Published: 2010-05-07
Priority: P426 · medium · 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 3.43% (87.5th percentile)
Multiple integer overflows in dvipsk/dospecial.c in dvips in TeX Live 2009 and earlier, and teTeX, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a special command in a DVI file, related to the (1) predospecial and (2) bbdospecial functions, a different vulnerability than CVE-2010-0739.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | texlive-bin | < texlive-bin 2009-6 (bookworm) | texlive-bin 2009-6 (bookworm) |
| tug | tex_live | <= 2009 | — |
| tug | tex_live | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 6.8 | MEDIUM | — |
| vendor_debian | — | 6.8 | LOW | — |
| vendor_redhat | — | 6.8 | MEDIUM | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |
GHSA
GHSA-p26p-qrwm-pp59: Multiple integer overflows in dvipsk/dospecial (ghsa_unreviewed · 2022-05-02 · CVSS 6.8 [MEDIUM])
Description: identical to the NVD text above.
OSV
CVE-2010-1440: Multiple integer overflows in dvipsk/dospecial (osv · 2010-05-07 · CVSS 6.8 [MEDIUM])
Description: identical to the NVD text above.
Ubuntu
USN-937-1: TeX Live vulnerabilities (vendor_ubuntu · 2010-05-06 · CVSS 5.0; indexed under CVE-2009-1284 [MEDIUM], also covers CVE-2010-0739 and CVE-2010-1440)
It was discovered that TeX Live incorrectly handled certain long .bib bibliography files. If a user or automated system were tricked into processing a specially crafted bib file, an attacker could cause a denial of service via application crash. This issue only affected Ubuntu 8.04 LTS, 9.04 and 9.10. (CVE-2009-1284)
Marc Schoenefeld, Karel Šrot and Ludwig Nussel discovered that TeX Live incorrectly handled certain malformed dvi files. If a user or automated system were tricked into processing a specially crafted dvi file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2010-0739, CVE-2010-1440)
Dan Rosenberg
Red Hat
texlive: Integer overflow by processing special commands (vendor_redhat · 2010-05-03 · CVSS 6.8 [MEDIUM] · CWE-190)
Description: identical to the NVD text above.
Debian
CVE-2010-1440: texlive-bin - Multiple integer overflows in dvipsk/dospecial.c in dvips in TeX Live 2009 and e... (vendor_debian · 2010 · CVSS 6.8 [MEDIUM])
Description: identical to the NVD text above.
Scope: local. Debian's local scope and NVD's AV:N vector describe the same attack from two angles: the overflow triggers only when the victim (a user or an automated system, as the Ubuntu text puts it) runs dvips over an attacker-supplied DVI file, and that file can arrive from a remote source.
bookworm: resolved (fixed in 2009-6)
bullseye: resolved (fixed in 2009-6)
forky: resolved (fixed in 2009-6)
sid: resolved (fixed in 2009-6)
trixie: resolved (fixed in 2009-6)
Suricata
The six Emerging Threats rules indexed on this page reference CVE-2007-1440 (a JGBBS search.asp SQL injection, milw0rm exploit 3470), not CVE-2010-1440; they appear to have been attached by the shared numeric suffix. None of them inspects DVI content, and none applies to this vulnerability. They are kept here only so the listing stays complete (suricata · 2010-07-30 · rev 9 · CVSS 7.5 [HIGH] for CVE-2007-1440).
First rule as indexed (sid 2004342):
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"author="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; classtype:web-application-attack; sid:2004342; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, m
The other five share every option above except the msg suffix, the sid and the two ordered content matches after "author=":
- sid 2004339 (INSERT): content:"INSERT"; nocase; content:"INTO"; nocase; distance:0
- sid 2004338 (UNION SELECT): content:"UNION"; nocase; content:"SELECT"; nocase; distance:0
- sid 2004341 (ASCII): content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0
- sid 2004337 (SELECT): content:"SELECT"; nocase; content:"FROM"; nocase; distance:0
- sid 2004340 (DELETE): content:"DELETE"; nocase; content:"FROM"; nocase; distance:0
No public exploits indexed.
Bugzilla (Red Hat bug 586819)
CVE-2010-1440 tetex, texlive: Integer overflow by processing special commands (bugzilla · 2010-04-28 · CVSS 6.8 [MEDIUM])
An integer overflow was found in the way the TeX text formatting system processed special commands. If a user was tricked into processing a specially-crafted typesetter-independent .dvi (DeVice Independent) file, it could lead to a dvips executable crash or, potentially, to arbitrary code execution with the privileges of the user running dvips. Different vulnerability than CVE-2010-0739.
Discussion:
This is CVE-2010-1440.
---
Created attachment 409893
Proposed patch for RHEL5
---
(In reply to comment #3)
> Created an attachment (id=409893) [details]
> Proposed patch for RHEL5
This may work in some cases, but not in general. nextstring + numbytes may still overflow for certain nextstring / numbytes values.
---
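The objection in the last comment above, and the NVD description's "integer overflows ... via a special command in a DVI file", both come down to one pattern: a bounds check that adds a length to a cursor and compares the sum, where the sum can wrap or run backwards. The following is an added example, not dvips source and not the RHEL5 patch under discussion. It models a 32-bit build with hypothetical addresses: `nextstring` is the address of the first free byte of a string buffer, `maxstring` the address one past its end, and `numbytes` the length field of a DVI xxx1..xxx4 special (opcodes 239..242) read into a signed 32-bit integer. `naive_fits` is the wrap-prone check, `safe_fits` the form that compares the length against the remaining room instead; the constructed DVI headers show a negative xxx4 length and a large positive one both passing the naive check while being rejected by the safe one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not dvips code. Hypothetical 32-bit address model. */
typedef struct {
    uint32_t nextstring;   /* address of the first free byte */
    uint32_t maxstring;    /* address one past the end of the buffer */
} strbuf32;

/* Decode the length field of a DVI xxx1..xxx4 special (opcodes 239..242).
 * Returns bytes consumed (opcode + length field), or 0 if p is not a special
 * or the field is truncated. xxx4 carries a 4-byte big-endian quantity; reading
 * it into a signed 32-bit integer lets a crafted file supply a negative length
 * (conversion of values >= 2^31 assumes two's complement). */
size_t read_special_length(const uint8_t *p, size_t avail, int32_t *numbytes)
{
    if (avail < 1 || p[0] < 239 || p[0] > 242)
        return 0;
    size_t width = (size_t)(p[0] - 239) + 1;       /* 1..4 length bytes */
    if (avail < 1 + width)
        return 0;
    uint32_t v = 0;
    for (size_t i = 0; i < width; i++)
        v = (v << 8) | p[1 + i];
    *numbytes = (int32_t)v;
    return 1 + width;
}

/* Naive check: form the end address, then compare. Two ways to fool it:
 *  - numbytes negative: the sum lands behind nextstring and passes;
 *  - numbytes large and nextstring high: the 32-bit sum wraps past zero.
 * Either way the caller then copies numbytes bytes it has no room for. */
bool naive_fits(const strbuf32 *b, int32_t numbytes)
{
    uint32_t end = b->nextstring + (uint32_t)numbytes;   /* wraps mod 2^32 */
    return end <= b->maxstring;
}

/* Hardened check: reject negative lengths, then compare the length with the
 * room that is left. No addition takes place, so nothing can wrap. */
bool safe_fits(const strbuf32 *b, int32_t numbytes)
{
    if (numbytes < 0)
        return false;
    return (uint32_t)numbytes <= b->maxstring - b->nextstring;
}

/* Verdict for one special header: bit 0 = naive check accepted, bit 1 = safe
 * check accepted, -1 = not a special. A result of 1 is the overflow case:
 * accepted by the old check, rejected by the fixed one. */
int check_special(const strbuf32 *b, const uint8_t *p, size_t avail)
{
    int32_t numbytes;
    if (read_special_length(p, avail, &numbytes) == 0)
        return -1;
    return (naive_fits(b, numbytes) ? 1 : 0) | (safe_fits(b, numbytes) ? 2 : 0);
}

/* Four bytes of room near the top of a hypothetical 32-bit address space. */
const strbuf32 demo_buf = { 0xBFFFF03Cu, 0xBFFFF040u };

/* Constructed DVI special headers (opcode + length field only, no payload). */
static const uint8_t xxx1_ok[]   = { 239, 0x03 };                   /* len 3        */
static const uint8_t xxx1_big[]  = { 239, 0x05 };                   /* len 5        */
static const uint8_t xxx4_neg[]  = { 242, 0xFF, 0xFF, 0xFF, 0xFF }; /* len -1       */
static const uint8_t xxx4_wrap[] = { 242, 0x7F, 0xFF, 0xFF, 0xFF }; /* len 2^31 - 1 */

static const struct { const char *name; const uint8_t *p; size_t n; } demo_cases[] = {
    { "xxx1 len 3",          xxx1_ok,   sizeof xxx1_ok   },
    { "xxx1 len 5",          xxx1_big,  sizeof xxx1_big  },
    { "xxx4 len -1",         xxx4_neg,  sizeof xxx4_neg  },
    { "xxx4 len 0x7fffffff", xxx4_wrap, sizeof xxx4_wrap },
};
enum { DEMO_CASES = sizeof demo_cases / sizeof demo_cases[0] };

/* Verdict for the i-th constructed case against demo_buf. */
int demo_verdict(size_t i)
{
    if (i >= DEMO_CASES)
        return -1;
    return check_special(&demo_buf, demo_cases[i].p, demo_cases[i].n);
}

int main(void)
{
    for (size_t i = 0; i < DEMO_CASES; i++) {
        int v = demo_verdict(i);
        printf("%-22s naive:%-7s safe:%s\n", demo_cases[i].name,
               (v & 1) ? "accept" : "reject", (v & 2) ? "accept" : "reject");
    }
    return 0;
}
```

The two failing cases are the ones the comment above has in mind: `naive_fits` accepts a length of -1 because the wrapped sum sits one byte behind the cursor, and accepts 0x7fffffff because the sum overflows the 32-bit address space and comes back below `maxstring`. `safe_fits` needs no knowledge of where the buffer lives; it only ever subtracts two in-range addresses and compares a non-negative length to that difference, which is the shape a reviewer should look for in any patch for this class of bug.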
Bugzilla (Fedora tracking bug)
CVE-2010-0739 CVE-2010-1440 texlive: Integer overflow by processing special commands [Fedora all] (bugzilla · 2010-04-22 · CVSS 6.8; indexed under CVE-2010-0739 [MEDIUM])
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.
For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in "Blocks" field.
bug #572941: CVE-2010-0739 tetex, texlive: Integer overflow by processing special commands
When creating a Bodhi update request, please include the bug IDs of the respective parent bugs filed against the "Security Response" product. Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=526637,526893,57
Bugzilla (Red Hat bug 572941)
CVE-2010-0739 tetex, texlive: Integer overflow by processing special commands (bugzilla · 2010-03-12 · CVSS 6.8; indexed under CVE-2010-0739 [MEDIUM])
Marc Schoenefeld found an integer overflow in the way the TeX text formatting system processed special commands. If a user was tricked into processing a specially-crafted typesetter-independent .dvi (DeVice Independent) file, it could lead to a dvips executable crash or, potentially, to arbitrary code execution with the privileges of the user running dvips.
Discussion:
This issue affects the versions of the tetex package, as shipped with Red Hat Enterprise Linux 3, 4, and 5.
This issue affects the versions of the texlive package, as shipped with Fedora release of 11 and 12.
---
Created attachment 399653
Patch to fix the integer allocation overflow
Patch like this should handle this overflow. Please review.
---
References
- http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041573.html
- http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
- http://security.gentoo.org/glsa/glsa-201206-28.xml
- http://www.ubuntu.com/usn/USN-937-1
- https://bugzilla.redhat.com/show_bug.cgi?id=586819
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10068