Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 668346 (CVE-2018-17407) - app-text/texlive-core: Buffer overflow allows local code execution (CVE-2018-17407)
Summary: app-text/texlive-core: Buffer overflow allows local code execution (CVE-2018-...
Status: RESOLVED FIXED
Alias: CVE-2018-17407
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/TeX-Live/texlive-s...
Whiteboard: B2 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-11 19:26 UTC by Vlad K.
Modified: 2020-02-02 15:03 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Vlad K. 2018-10-11 19:26:44 UTC
"A buffer overflow in the handling of Type 1 fonts (.pfb files) allows arbitrary local code execution without privilege escalation when a malicious font is loaded by one of the vulnerable tools (pdflatex, pdftex, luatex, dvips)."

* Upstream fix:
  https://github.com/TeX-Live/texlive-source/commit/6ed0077520e2b0da1fd060c7f88db7b2e6068e4c

* Scouted at:
  https://seclists.org/oss-sec/2018/q4/23

Will post more links as I find them.

--

Gentoo Security Scout
Vladimir Krstulja
Comment 1 Yury German Gentoo Infrastructure gentoo-dev Security 2019-04-27 19:20:49 UTC
Maintainer(s), please advise if this has been fixed.
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-10-10 18:11:56 UTC
(In reply to Yury German from comment #1)
> Maintainer(s), please advise if this has been fixed.

Fixed by having 2019 texlive release stable.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2020-02-02 15:03:28 UTC
GLSA Vote: No