Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 668346 (CVE-2018-17407)

Summary: app-text/texlive-core: Buffer overflow allows local code execution (CVE-2018-17407)
Product: Gentoo Security Reporter: Vlad K. <vk-gentoo-bugs>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: aballier, nobrowser, tex
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/TeX-Live/texlive-source/commit/6ed0077520e2b0da1fd060c7f88db7b2e6068e4c
Whiteboard: B2 [noglsa cve]
Package list:
Runtime testing required: ---

Description Vlad K. 2018-10-11 19:26:44 UTC
"A buffer overflow in the handling of Type 1 fonts (.pfb files) allows arbitrary local code execution without privilege escalation when a malicious font is loaded by one of the vulnerable tools (pdflatex, pdftex, luatex, dvips)."

* Upstream fix:
  https://github.com/TeX-Live/texlive-source/commit/6ed0077520e2b0da1fd060c7f88db7b2e6068e4c

* Scouted at:
  https://seclists.org/oss-sec/2018/q4/23

Will post more links as I find them.

--

Gentoo Security Scout
Vladimir Krstulja
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 19:20:49 UTC
Maintainer(s), please advise if this has been fixed.
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-10-10 18:11:56 UTC
(In reply to Yury German from comment #1)
> Maintainer(s), please advise if this has been fixed.

Fixed by having 2019 texlive release stable.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2020-02-02 15:03:28 UTC
GLSA Vote: No