Vulnerabilities > CVE-2010-0829 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
Multiple array index errors in set.c in dvipng 1.11 and 1.12, and teTeX, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed DVI file.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 2 | |
Application | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2048.NASL description Dan Rosenberg discovered that in dvipng, a utility that converts DVI files to PNG graphics, several array index errors allow context-dependent attackers, via a specially crafted DVI file, to cause a denial of service (crash of the application), and possibly arbitrary code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 46707 published 2010-05-25 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/46707 title Debian DSA-2048-1 : dvipng - buffer overflow code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-2048. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(46707); script_version("1.8"); script_cvs_date("Date: 2019/08/02 13:32:22"); script_cve_id("CVE-2010-0829"); script_bugtraq_id(39969); script_xref(name:"DSA", value:"2048"); script_name(english:"Debian DSA-2048-1 : dvipng - buffer overflow"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Dan Rosenberg discovered that in dvipng, a utility that converts DVI files to PNG graphics, several array index errors allow context-dependent attackers, via a specially crafted DVI file, to cause a denial of service (crash of the application), and possibly arbitrary code execution." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=580628" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2010/dsa-2048" ); script_set_attribute( attribute:"solution", value: "Upgrade the dvipng package. For the stable distribution (lenny), this problem has been fixed in version dvipng_1.11-1+lenny1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:ND"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:dvipng"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0"); script_set_attribute(attribute:"patch_publication_date", value:"2010/05/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/05/25"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"5.0", prefix:"dvipng", reference:"1.11-1+lenny1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Scientific Linux Local Security Checks NASL id SL_20100506_TETEX_ON_SL5_X.NASL description Multiple integer overflow flaws were found in the way teTeX processed special commands when converting DVI files into PostScript. An attacker could create a malicious DVI file that would cause the dvips executable to crash or, potentially, execute arbitrary code. (CVE-2010-0739, CVE-2010-1440) Multiple array index errors were found in the way teTeX converted DVI files into the Portable Network Graphics (PNG) format. An attacker could create a malicious DVI file that would cause the dvipng executable to crash. (CVE-2010-0829) teTeX embeds a copy of Xpdf, an open source Portable Document Format (PDF) file viewer, to allow adding images in PDF format to the generated PDF documents. The following issues affect Xpdf code : Multiple integer overflow flaws were found in Xpdf last seen 2020-06-01 modified 2020-06-02 plugin id 60791 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60791 title Scientific Linux Security Update : tetex on SL5.x i386/x86_64 NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2010-094.NASL description Multiple vulnerabilities has been discovered and fixed in tetex : Buffer overflow in BibTeX 0.99 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a long .bib bibliography file (CVE-2009-1284). Integer overflow in the ObjectStream::ObjectStream function in XRef.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow (CVE-2009-3608). Integer overflow in dvips in TeX Live 2009 and earlier, and teTeX, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted virtual font (VF) file associated with a DVI file (CVE-2010-0827). Multiple array index errors in set.c in dvipng 1.11 and 1.12, and teTeX, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed DVI file (CVE-2010-0829). Integer overflow in the predospecial function in dospecial.c in dvips in (1) TeX Live and (2) teTeX might allow user-assisted remote attackers to execute arbitrary code via a crafted DVI file that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third-party information (CVE-2010-0739). Multiple integer overflows in dvipsk/dospecial.c in dvips in TeX Live 2009 and earlier, and teTeX, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a special command in a DVI file, related to the (1) predospecial and (2) bbdospecial functions, a different vulnerability than CVE-2010-0739 (CVE-2010-1440). Packages for 2008.0 and 2009.0 are provided due to the Extended Maintenance Program for those products. The corrected packages solves these problems. last seen 2020-06-01 modified 2020-06-02 plugin id 46330 published 2010-05-13 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/46330 title Mandriva Linux Security Advisory : tetex (MDVSA-2010:094) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-936-1.NASL description Dan Rosenberg discovered that dvipng incorrectly handled certain malformed dvi files. If a user or automated system were tricked into processing a specially crafted dvi file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 46253 published 2010-05-07 reporter Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/46253 title Ubuntu 9.04 / 9.10 / 10.04 LTS : dvipng vulnerability (USN-936-1) NASL family Fedora Local Security Checks NASL id FEDORA_2010-8252.NASL description Upgrades dvipng to version 1.13 which fixes CVE-2010-0829. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 47480 published 2010-07-01 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/47480 title Fedora 12 : dvipng-1.13-1.fc12 (2010-8252) NASL family SuSE Local Security Checks NASL id SUSE_11_2_TEXLIVE-100504.NASL description Specially crafted dvi files could cause buffer overflows in dvips and dvipng (CVE-2010-0827, CVE-2010-0829, CVE-2010-0739, CVE-2010-1440). last seen 2020-06-01 modified 2020-06-02 plugin id 46344 published 2010-05-15 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/46344 title openSUSE Security Update : texlive (openSUSE-SU-2010:0251-1) NASL family SuSE Local Security Checks NASL id SUSE_11_TEXLIVE-100504.NASL description Specially crafted dvi files could cause buffer overflows in dvips and dvipng (CVE-2010-0827 / CVE-2010-0829 / CVE-2010-0739 / CVE-2010-1440). This has been fixed. last seen 2020-06-01 modified 2020-06-02 plugin id 50963 published 2010-12-02 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50963 title SuSE 11 Security Update : TeX (SAT Patch Number 2393) NASL family SuSE Local Security Checks NASL id SUSE_11_0_TEXLIVE-100503.NASL description Specially crafted dvi files could cause buffer overflows in dvips and dvipng (CVE-2010-0827, CVE-2010-0829, CVE-2010-0739, CVE-2010-1440). last seen 2020-06-01 modified 2020-06-02 plugin id 46340 published 2010-05-15 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/46340 title openSUSE Security Update : texlive (openSUSE-SU-2010:0251-1) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2010-0400.NASL description Updated tetex packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. teTeX is an implementation of TeX. TeX takes a text file and a set of formatting commands as input, and creates a typesetter-independent DeVice Independent (DVI) file as output. Multiple integer overflow flaws were found in the way teTeX processed special commands when converting DVI files into PostScript. An attacker could create a malicious DVI file that would cause the dvips executable to crash or, potentially, execute arbitrary code. (CVE-2010-0739, CVE-2010-1440) Multiple array index errors were found in the way teTeX converted DVI files into the Portable Network Graphics (PNG) format. An attacker could create a malicious DVI file that would cause the dvipng executable to crash. (CVE-2010-0829) teTeX embeds a copy of Xpdf, an open source Portable Document Format (PDF) file viewer, to allow adding images in PDF format to the generated PDF documents. The following issues affect Xpdf code : Multiple integer overflow flaws were found in Xpdf last seen 2020-06-01 modified 2020-06-02 plugin id 46760 published 2010-06-01 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/46760 title CentOS 5 : tetex (CESA-2010:0400) NASL family Fedora Local Security Checks NASL id FEDORA_2010-8335.NASL description Upgrades dvipng to version 1.13 which fixes CVE-2010-0829. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 47486 published 2010-07-01 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/47486 title Fedora 13 : dvipng-1.13-1.fc13 (2010-8335) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201412-08.NASL description The remote host is affected by the vulnerability described in GLSA-201412-08 (Multiple packages, Multiple vulnerabilities fixed in 2010) Vulnerabilities have been discovered in the packages listed below. Please review the CVE identifiers in the Reference section for details. Insight Perl Tk Module Source-Navigator Tk Partimage Mlmmj acl Xinit gzip ncompress liblzw splashutils GNU M4 KDE Display Manager GTK+ KGet dvipng Beanstalk Policy Mount pam_krb5 GNU gv LFTP Uzbl Slim Bitdefender Console iputils DVBStreamer Impact : A context-dependent attacker may be able to gain escalated privileges, execute arbitrary code, cause Denial of Service, obtain sensitive information, or otherwise bypass security restrictions. Workaround : There are no known workarounds at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 79961 published 2014-12-15 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79961 title GLSA-201412-08 : Multiple packages, Multiple vulnerabilities fixed in 2010 NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2010-0400.NASL description From Red Hat Security Advisory 2010:0400 : Updated tetex packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. teTeX is an implementation of TeX. TeX takes a text file and a set of formatting commands as input, and creates a typesetter-independent DeVice Independent (DVI) file as output. Multiple integer overflow flaws were found in the way teTeX processed special commands when converting DVI files into PostScript. An attacker could create a malicious DVI file that would cause the dvips executable to crash or, potentially, execute arbitrary code. (CVE-2010-0739, CVE-2010-1440) Multiple array index errors were found in the way teTeX converted DVI files into the Portable Network Graphics (PNG) format. An attacker could create a malicious DVI file that would cause the dvipng executable to crash. (CVE-2010-0829) teTeX embeds a copy of Xpdf, an open source Portable Document Format (PDF) file viewer, to allow adding images in PDF format to the generated PDF documents. The following issues affect Xpdf code : Multiple integer overflow flaws were found in Xpdf last seen 2020-06-01 modified 2020-06-02 plugin id 68039 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68039 title Oracle Linux 5 : tetex (ELSA-2010-0400) NASL family SuSE Local Security Checks NASL id SUSE_TE_AMS-7020.NASL description Specially crafted dvi files could cause buffer overflows in dvips and dvipng (CVE-2010-0827 / CVE-2010-0829 / CVE-2010-0739 / CVE-2010-1440). This has been fixed. last seen 2020-06-01 modified 2020-06-02 plugin id 51761 published 2011-01-27 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/51761 title SuSE 10 Security Update : TeX (ZYPP Patch Number 7020) NASL family SuSE Local Security Checks NASL id SUSE_11_1_TEXLIVE-100503.NASL description Specially crafted dvi files could cause buffer overflows in dvips and dvipng (CVE-2010-0827, CVE-2010-0829, CVE-2010-0739, CVE-2010-1440). last seen 2020-06-01 modified 2020-06-02 plugin id 46342 published 2010-05-15 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/46342 title openSUSE Security Update : texlive (openSUSE-SU-2010:0251-1) NASL family Fedora Local Security Checks NASL id FEDORA_2010-8279.NASL description Upgrades dvipng to version 1.13 which fixes CVE-2010-0829. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 47483 published 2010-07-01 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/47483 title Fedora 11 : dvipng-1.13-1.fc11 (2010-8279) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0400.NASL description Updated tetex packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. teTeX is an implementation of TeX. TeX takes a text file and a set of formatting commands as input, and creates a typesetter-independent DeVice Independent (DVI) file as output. Multiple integer overflow flaws were found in the way teTeX processed special commands when converting DVI files into PostScript. An attacker could create a malicious DVI file that would cause the dvips executable to crash or, potentially, execute arbitrary code. (CVE-2010-0739, CVE-2010-1440) Multiple array index errors were found in the way teTeX converted DVI files into the Portable Network Graphics (PNG) format. An attacker could create a malicious DVI file that would cause the dvipng executable to crash. (CVE-2010-0829) teTeX embeds a copy of Xpdf, an open source Portable Document Format (PDF) file viewer, to allow adding images in PDF format to the generated PDF documents. The following issues affect Xpdf code : Multiple integer overflow flaws were found in Xpdf last seen 2020-06-01 modified 2020-06-02 plugin id 46309 published 2010-05-11 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/46309 title RHEL 5 : tetex (RHSA-2010:0400)
Oval
accepted | 2013-04-29T04:21:34.641-04:00 | ||||||||||||
class | vulnerability | ||||||||||||
contributors |
| ||||||||||||
definition_extensions |
| ||||||||||||
description | Multiple array index errors in set.c in dvipng 1.11 and 1.12, and teTeX, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed DVI file. | ||||||||||||
family | unix | ||||||||||||
id | oval:org.mitre.oval:def:9718 | ||||||||||||
status | accepted | ||||||||||||
submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||
title | Multiple array index errors in set.c in dvipng 1.11 and 1.12, and teTeX, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed DVI file. | ||||||||||||
version | 18 |
Redhat
rpms |
|
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 39969 CVE(CAN) ID: CVE-2010-0829 dvipng是TeX Live所使用的从DVI文件生成PNG或GIF图形的工具。 dvipng工具中存在多个数组索引错误。在texlive-bin-2007.dfsg.2/build/source/texk/dvipng /draw.c文件中,SetChar()函数使用了受dvi文件的创建者控制的索引并将其索引到了数组中。如果越过了数组的边界,攻击者就可以设置指向任意值的指针,导致执行任意代码。 texlive-bin-2007.dfsg.2/build/source/texk/dvipng/vf.c文件中的SetVF()函数和set.c 文件中的SetGlyph()函数也存在类似的问题。 Jan-Ake Larsson dvipng 1.12 Jan-Ake Larsson dvipng 1.11 厂商补丁: RedHat ------ RedHat已经为此发布了一个安全公告(RHSA-2010:0400-01)以及相应补丁: RHSA-2010:0400-01:Moderate: tetex security update 链接:https://www.redhat.com/support/errata/RHSA-2010-0400.html Ubuntu ------ Ubuntu已经为此发布了一个安全公告(USN-936-1)以及相应补丁: USN-936-1:dvipng vulnerability 链接:http://www.ubuntu.com/usn/USN-936-1 |
id | SSV:19596 |
last seen | 2017-11-19 |
modified | 2010-05-12 |
published | 2010-05-12 |
reporter | Root |
title | Tex Live dvipng工具数组索引漏洞 |
References
- http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041587.html
- http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
- http://secunia.com/advisories/39914
- http://www.debian.org/security/2010/dsa-2048
- http://www.ubuntu.com/usn/USN-936-1
- http://www.vupen.com/english/advisories/2010/1219
- https://bugzilla.redhat.com/show_bug.cgi?id=573999
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9718