668346 – (CVE-2018-17407) app-text/texlive-core: Buffer overflow allows local code execution (CVE-2018-17407)

Bug 668346 (CVE-2018-17407) - app-text/texlive-core: Buffer overflow allows local code execution (CVE-2018-17407)

Summary: app-text/texlive-core: Buffer overflow allows local code execution (CVE-2018-...

Status:	RESOLVED FIXED

Alias:	CVE-2018-17407

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://github.com/TeX-Live/texlive-s...
Whiteboard:	B2 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2018-10-11 19:26 UTC by Vlad K.
Modified:	2020-02-02 15:03 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Vlad K. 2018-10-11 19:26:44 UTC

"A buffer overflow in the handling of Type 1 fonts (.pfb files) allows arbitrary local code execution without privilege escalation when a malicious font is loaded by one of the vulnerable tools (pdflatex, pdftex, luatex, dvips)."

* Upstream fix:
  https://github.com/TeX-Live/texlive-source/commit/6ed0077520e2b0da1fd060c7f88db7b2e6068e4c

* Scouted at:
  https://seclists.org/oss-sec/2018/q4/23

Will post more links as I find them.

--

Gentoo Security Scout
Vladimir Krstulja

Comment 1 Yury German Gentoo Infrastructure

2019-04-27 19:20:49 UTC

Maintainer(s), please advise if this has been fixed.

Comment 2 Mikle Kolyada (RETIRED) archtester

2019-10-10 18:11:56 UTC

(In reply to Yury German from comment #1)
> Maintainer(s), please advise if this has been fixed.

Fixed by having 2019 texlive release stable.

Comment 3 Yury German Gentoo Infrastructure

2020-02-02 15:03:28 UTC

GLSA Vote: No