CVE-2010-2642
Published 2011-01-07
CVE-2010-2642: Heap-based buffer overflow in the AFM font parser in the dvi-backend component in Evince 2.32 and earlier, teTeX 3.0, t1lib 5.1.2, and possibly other products…
Priority: P3 · 43 · high
CVSS 2.0: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
EPSS: 14.27% (96.1th percentile)
Heap-based buffer overflow in the AFM font parser in the dvi-backend component in Evince 2.32 and earlier, teTeX 3.0, t1lib 5.1.2, and possibly other products allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer.
Affected
47 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | evince | < evince 3.0.2-1 (bookworm) | evince 3.0.2-1 (bookworm) |
| debian | evince | < evince 2.32.0-1 (bookworm) | evince 2.32.0-1 (bookworm) |
| gnome | evince | >= 0 < 3.0.2-1 | 3.0.2-1 |
| gnome | evince | >= 0 < 2.32.0-1 | 2.32.0-1 |
| gnome | evince | >= 0 < 3.0.2-1 | 3.0.2-1 |
| gnome | evince | >= 0 < 2.32.0-1 | 2.32.0-1 |
| gnome | evince | >= 0 < 3.0.2-1 | 3.0.2-1 |
| gnome | evince | >= 0 < 2.32.0-1 | 2.32.0-1 |
| gnome | evince | >= 0 < 3.0.2-1 | 3.0.2-1 |
| gnome | evince | >= 0 < 2.32.0-1 | 2.32.0-1 |
| redhat | evince | <= 2.32 | — |
| redhat | evince | — | — |
| redhat | evince | — | — |
| redhat | evince | — | — |
| redhat | evince | — | — |
| redhat | evince | — | — |
| redhat | evince | — | — |
| redhat | evince | — | — |
| redhat | evince | — | — |
| redhat | evince | — | — |
| redhat | evince | — | — |
| redhat | evince | — | — |
| redhat | evince | — | — |
| redhat | evince | — | — |
| redhat | evince | — | — |
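CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C |
| osv | — | 7.6 | HIGH | — |
| vendor_debian | — | 7.6 | HIGH | — |
| vendor_redhat | — | 7.6 | HIGH | — |
| vendor_ubuntu | — | 7.6 | HIGH | — |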
GHSA
GHSA-3p5c-p75q-mfgv: Heap-based buffer overflow in the AFM font parser in the dvi-backend component in Evince 2
ghsa_unreviewed·2022-05-17
CVE-2010-2642 [HIGH] CWE-119 GHSA-3p5c-p75q-mfgv: Heap-based buffer overflow in the AFM font parser in the dvi-backend component in Evince 2
Heap-based buffer overflow in the AFM font parser in the dvi-backend component in Evince 2.32 and earlier, teTeX 3.0, t1lib 5.1.2, and possibly other products allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer.
GHSA
GHSA-2jx2-275x-4xpq: Multiple off-by-one errors in the (1) token and (2) linetoken functions in backend/dvi/mdvi-lib/afmparse
ghsa_unreviewed·2022-05-17·CVSS 7.6
CVE-2011-5244 [HIGH] GHSA-2jx2-275x-4xpq: Multiple off-by-one errors in the (1) token and (2) linetoken functions in backend/dvi/mdvi-lib/afmparse
Multiple off-by-one errors in the (1) token and (2) linetoken functions in backend/dvi/mdvi-lib/afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME evince, and possibly other products, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a DVI file containing a crafted Adobe Font Metrics (AFM) file, different vulnerabilities than CVE-2010-2642 and CVE-2011-0433.
GHSA
GHSA-m37c-h529-2gqw: Heap-based buffer overflow in the linetoken function in afmparse
ghsa_unreviewed·2022-05-17·CVSS 7.6
CVE-2011-0433 [HIGH] CWE-119 GHSA-m37c-h529-2gqw: Heap-based buffer overflow in the linetoken function in afmparse
Heap-based buffer overflow in the linetoken function in afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME evince, and possibly other products, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a DVI file containing a crafted Adobe Font Metrics (AFM) file, a different vulnerability than CVE-2010-2642.
OSV
CVE-2011-0433: Heap-based buffer overflow in the linetoken function in afmparse
osv·2012-11-19·CVSS 7.6
CVE-2011-0433 [HIGH] CVE-2011-0433: Heap-based buffer overflow in the linetoken function in afmparse
Heap-based buffer overflow in the linetoken function in afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME evince, and possibly other products, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a DVI file containing a crafted Adobe Font Metrics (AFM) file, a different vulnerability than CVE-2010-2642.
OSV
CVE-2011-5244: Multiple off-by-one errors in the (1) token and (2) linetoken functions in backend/dvi/mdvi-lib/afmparse
osv·2012-11-19·CVSS 7.6
CVE-2011-5244 [HIGH] CVE-2011-5244: Multiple off-by-one errors in the (1) token and (2) linetoken functions in backend/dvi/mdvi-lib/afmparse
Multiple off-by-one errors in the (1) token and (2) linetoken functions in backend/dvi/mdvi-lib/afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME evince, and possibly other products, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a DVI file containing a crafted Adobe Font Metrics (AFM) file, different vulnerabilities than CVE-2010-2642 and CVE-2011-0433.
OSV
CVE-2010-2642: Heap-based buffer overflow in the AFM font parser in the dvi-backend component in Evince 2
osv·2011-01-07·CVSS 7.6
CVE-2010-2642 [HIGH] CVE-2010-2642: Heap-based buffer overflow in the AFM font parser in the dvi-backend component in Evince 2
Heap-based buffer overflow in the AFM font parser in the dvi-backend component in Evince 2.32 and earlier, teTeX 3.0, t1lib 5.1.2, and possibly other products allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer.
Ubuntu
t1lib vulnerabilities
vendor_ubuntu·2012-01-19·CVSS 7.6
CVE-2010-2642 [HIGH] t1lib vulnerabilities
Title: t1lib vulnerabilities
Summary: t1lib could be made to crash or run programs as your login if it opened a
specially crafted font file.
Jon Larimer discovered that t1lib did not properly parse AFM fonts. If a
user were tricked into using a specially crafted font file, a remote
attacker could cause t1lib to crash or possibly execute arbitrary code with
user privileges. (CVE-2010-2642, CVE-2011-0433)
Jonathan Brossard discovered that t1lib did not correctly handle certain
malformed font files. If a user were tricked into using a specially crafted
font file, a remote attacker could cause t1lib to crash. (CVE-2011-1552,
CVE-2011-1553, CVE-2011-1554)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
t1lib: off-by-one errors in token and linetoken
vendor_redhat·2011-03-04·CVSS 7.6
CVE-2011-5244 [HIGH] CWE-193 t1lib: off-by-one errors in token and linetoken
Multiple off-by-one errors in the (1) token and (2) linetoken functions in backend/dvi/mdvi-lib/afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME evince, and possibly other products, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a DVI file containing a crafted Adobe Font Metrics (AFM) file, different vulnerabilities than CVE-2010-2642 and CVE-2011-0433.
Statement: Not Vulnerable. This issue did not affect the version of tetex as shipped with Red Hat Enterprise Linux 5. This issue does not affect the version of t1lib and evince as shipped with Red Hat Enterprise Linux 6, because the advisory released to fix CVE-2010-2642 completely resolved the problem without introducing this flaw.
Pac
Red Hat
t1lib: Heap-based buffer overflow DVI file AFM font parser
vendor_redhat·2011-01-30·CVSS 7.6
CVE-2011-0433 [HIGH] CWE-122 t1lib: Heap-based buffer overflow DVI file AFM font parser
Heap-based buffer overflow in the linetoken function in afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME evince, and possibly other products, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a DVI file containing a crafted Adobe Font Metrics (AFM) file, a different vulnerability than CVE-2010-2642.
Statement: Not vulnerable. This issue did not affect the versions of evince as shipped with Red Hat Enterprise Linux 5 and 6.
Package: tetex (Red Hat Enterprise Linux 4) - Affected
Package: evince (Red Hat Enterprise Linux 5) - Not affected
Package: evince (Red Hat Enterprise Linux 6) - Not affected
Ubuntu
Evince vulnerabilities
vendor_ubuntu·2011-01-05
CVE-2010-2643 Evince vulnerabilities
Title: Evince vulnerabilities
Jon Larimer discovered that Evince's font parsers incorrectly handled
certain buffer lengths when rendering a DVI file. By tricking a user into
opening or previewing a DVI file that uses a specially crafted font file,
an attacker could crash evince or execute arbitrary code with the user's
privileges.
In the default installation of Ubuntu 9.10 and later, attackers would be
isolated by the Evince AppArmor profile.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
t1lib: Heap based buffer overflow in DVI file AFM font parser
vendor_redhat·2011-01-05·CVSS 7.6
CVE-2010-2642 [HIGH] CWE-122 t1lib: Heap based buffer overflow in DVI file AFM font parser
Heap-based buffer overflow in the AFM font parser in the dvi-backend component in Evince 2.32 and earlier, teTeX 3.0, t1lib 5.1.2, and possibly other products allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer.
Statement: This issue did not affect the versions of evince as shipped with Red Hat Enterprise Linux 5.
Package: tetex (Red Hat Enterprise Linux 4) - Affected
Package: evince (Red Hat Enterprise Linux 5) - Not affected
Debian
CVE-2011-5244: evince - Multiple off-by-one errors in the (1) token and (2) linetoken functions in backe...
vendor_debian·2011·CVSS 7.6
CVE-2011-5244 [HIGH] CVE-2011-5244: evince - Multiple off-by-one errors in the (1) token and (2) linetoken functions in backe...
Multiple off-by-one errors in the (1) token and (2) linetoken functions in backend/dvi/mdvi-lib/afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME evince, and possibly other products, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a DVI file containing a crafted Adobe Font Metrics (AFM) file, different vulnerabilities than CVE-2010-2642 and CVE-2011-0433.
Scope: local
bookworm: resolved (fixed in 2.32.0-1)
bullseye: resolved (fixed in 2.32.0-1)
forky: resolved (fixed in 2.32.0-1)
sid: resolved (fixed in 2.32.0-1)
trixie: resolved (fixed in 2.32.0-1)
Debian
CVE-2011-0433: evince - Heap-based buffer overflow in the linetoken function in afmparse.c in t1lib, as ...
vendor_debian·2011·CVSS 7.6
CVE-2011-0433 [HIGH] CVE-2011-0433: evince - Heap-based buffer overflow in the linetoken function in afmparse.c in t1lib, as ...
Heap-based buffer overflow in the linetoken function in afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME evince, and possibly other products, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a DVI file containing a crafted Adobe Font Metrics (AFM) file, a different vulnerability than CVE-2010-2642.
Scope: local
bookworm: resolved (fixed in 2.32.0-1)
bullseye: resolved (fixed in 2.32.0-1)
forky: resolved (fixed in 2.32.0-1)
sid: resolved (fixed in 2.32.0-1)
trixie: resolved (fixed in 2.32.0-1)
Debian
CVE-2010-2642: evince - Heap-based buffer overflow in the AFM font parser in the dvi-backend component i...
vendor_debian·2010·CVSS 7.6
CVE-2010-2642 [HIGH] CVE-2010-2642: evince - Heap-based buffer overflow in the AFM font parser in the dvi-backend component i...
Heap-based buffer overflow in the AFM font parser in the dvi-backend component in Evince 2.32 and earlier, teTeX 3.0, t1lib 5.1.2, and possibly other products allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer.
Scope: local
bookworm: resolved (fixed in 3.0.2-1)
bullseye: resolved (fixed in 3.0.2-1)
forky: resolved (fixed in 3.0.2-1)
sid: resolved (fixed in 3.0.2-1)
trixie: resolved (fixed in 3.0.2-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2011-5244 t1lib: off-by-one errors in token and linetoken
bugzilla·2012-11-20·CVSS 7.6
CVE-2011-5244 [HIGH] CVE-2011-5244 t1lib: off-by-one errors in token and linetoken
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-5244 to the following vulnerability:
Multiple off-by-one errors in the (1) token and (2) linetoken functions in backend/dvi/mdvi-lib/afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME evince, and possibly other products, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a DVI file containing a crafted Adobe Font Metrics (AFM) file, different vulnerabilities than CVE-2010-2642 and CVE-2011-0433.
References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5244
[2] http://www.openwall.com/lists/oss-security/2011/03/04/21
[3] http://git.gnome.org/browse/evince/commit/?id=439c5070022e
[4] http://git.gn
Bugzilla
CVE-2010-2642 CVE-2011-0433 CVE-2011-0764 CVE-2011-1552 CVE-2011-1553 CVE-2011-1554 t1lib various flaws [fedora-all]
bugzilla·2012-01-10·CVSS 7.6
CVE-2010-2642 [HIGH] CVE-2010-2642 CVE-2011-0433 CVE-2011-0764 CVE-2011-1552 CVE-2011-1553 CVE-2011-1554 t1lib various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedo
Bugzilla
CVE-2011-0433 t1lib: Heap-based buffer overflow DVI file AFM font parser
bugzilla·2011-02-23·CVSS 7.6
CVE-2011-0433 [HIGH] CVE-2011-0433 t1lib: Heap-based buffer overflow DVI file AFM font parser
A heap-based buffer overflow flaw was found in the way AFM font file
parser, used for rendering of DVI files, in GNOME evince document viewer
and other products, processed line tokens from the given input stream.
A remote attacker could provide a DVI file, with embedded specially-crafted
font file, and trick the local user to open it with an application using
the AFM font parser, leading to that particular application crash or,
potentially, arbitrary code execution with the privileges of the user
running the application. Different vulnerability than CVE-2010-2642.
Upstream bug report:
[1] https://bugzilla.gnome.org/show_bug.cgi?id=640923
Upstream patch:
[2] https://bugzilla.gnome.org/show_bug.cgi?id=640923#c1
Dis
Bugzilla
CVE-2010-2642 evince, t1lib: Heap based buffer overflow in DVI file AFM font parser [epel-5]
bugzilla·2011-02-21·CVSS 7.6
CVE-2010-2642 [HIGH] CVE-2010-2642 evince, t1lib: Heap based buffer overflow in DVI file AFM font parser [epel-5]
epel-5 tracking bug for t1lib: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes
in the 'blocks' bugs.
[bug automatically created by: add-tracking-bugs]
Discussion:
t1lib-5.1.1-9.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-0069/t1lib-5.1.1-9.el5
---
t1lib-5.1.1-9.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Bugzilla
CVE-2010-2642 t1lib: Heap based buffer overflow in DVI file AFM font parser [fedora-all]
bugzilla·2011-02-21·CVSS 7.6
CVE-2010-2642 [HIGH] CVE-2010-2642 t1lib: Heap based buffer overflow in DVI file AFM font parser [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=666318
Please note: this issue af
Bugzilla
CVE-2010-2641 CVE-2010-2642 CVE-2010-2640 CVE-2010-2643 evince various flaws [fedora-all]
bugzilla·2011-01-06·CVSS 7.6
CVE-2010-2641 [HIGH] CVE-2010-2641 CVE-2010-2642 CVE-2010-2640 CVE-2010-2643 evince various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=666314
Please note: this issue a
Bugzilla
CVE-2010-2642 t1lib: Heap based buffer overflow in DVI file AFM font parser
bugzilla·2010-12-30·CVSS 7.6
CVE-2010-2642 [HIGH] CVE-2010-2642 t1lib: Heap based buffer overflow in DVI file AFM font parser
A heap based buffer overflow was found in the parser for AFM font files,
which are used for rendering DVI files in GNOME evince document viewer.
Due to insufficient bounds checks when writing data to a memory buffer
allocated on a heap, it may be possible to cause an arbitrary memory
overwrite, leading to code execution.
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2642 to
this issue.
The vulnerability is present in the code that handles loading of fonts used by
DVI files. To exploit you need two files, a DVI file and the malicious font.
The vulnerability is triggered not only by opening the document in evince, but
also by browsing to a folder which contains the malicious files, where evin
References
http://git.gnome.org/browse/evince/commit/?id=d4139205b010ed06310d14284e63114e88ec6de2
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052910.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052995.html
http://lists.mandriva.com/security-announce/2011-01/msg00006.php
http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
http://rhn.redhat.com/errata/RHSA-2012-1201.html
http://secunia.com/advisories/42769
http://secunia.com/advisories/42821
http://secunia.com/advisories/42847
http://secunia.com/advisories/42872
http://www.debian.org/security/2011/dsa-2357
http://www.mandriva.com/security/advisories?name=MDVSA-2011:016
http://www.mandriva.com/security/advisories?name=MDVSA-2011:017
http://www.mandriva.com/security/advisories?name=MDVSA-2012:144
http://www.redhat.com/support/errata/RHSA-2011-0009.html
http://www.securityfocus.com/bid/45678
http://www.securitytracker.com/id?1024937
http://www.ubuntu.com/usn/USN-1035-1
http://www.vupen.com/english/advisories/2011/0029
http://www.vupen.com/english/advisories/2011/0043
http://www.vupen.com/english/advisories/2011/0056
http://www.vupen.com/english/advisories/2011/0097
http://www.vupen.com/english/advisories/2011/0102
http://www.vupen.com/english/advisories/2011/0193
http://www.vupen.com/english/advisories/2011/0194
https://bugzilla.redhat.com/show_bug.cgi?id=666318
https://security.gentoo.org/glsa/201701-57