Debian Bug report logs - #537254
mimetex: CVE-2009-2459 CVE-2009-1382 multiple security issues

Package: mimetex; Maintainer for mimetex is Hilmar Preuße <hille42@web.de>; Source for mimetex is src:mimetex.

Reported by: Nico Golde <nion@debian.org>

Date: Thu, 16 Jul 2009 13:12:04 UTC

Severity: grave

Tags: security

Found in version mimetex/1.50-1

Fixed in versions mimetex/1.50-1.1, mimetex/1.50-1+etch1, mimetex/1.50-1+lenny1

Done: Giuseppe Iuculano <iuculano@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Isaac Clerencia <isaac@sindominio.net>:
Bug#537254; Package mimetex. (Thu, 16 Jul 2009 13:12:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Isaac Clerencia <isaac@sindominio.net>. (Thu, 16 Jul 2009 13:12:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: mimetex: CVE-2009-2459 multiple stack-based buffer overflows
Date: Thu, 16 Jul 2009 15:06:54 +0200
[Message part 1 (text/plain, inline)]
Source: mimetex
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mimetex.

CVE-2009-2459[0]:
| Multiple unspecified vulnerabilities in mimeTeX, when downloaded
| before 20090713, have unknown impact and attack vectors related to the
| (1) \environ, (2) \input, and (3) \counter TeX directives.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

There is a new upstream release which fixes these issues.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2459
    http://security-tracker.debian.net/tracker/CVE-2009-2459

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Isaac Clerencia <isaac@sindominio.net>:
Bug#537254; Package mimetex. (Thu, 16 Jul 2009 13:39:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Isaac Clerencia <isaac@sindominio.net>. (Thu, 16 Jul 2009 13:39:02 GMT) Full text and rfc822 format available.

Message #10 received at 537254@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 537254@bugs.debian.org
Subject: another CVE id
Date: Thu, 16 Jul 2009 15:30:05 +0200
[Message part 1 (text/plain, inline)]
Hi,
sorry, mixed up the CVE ids when reporting.
Here is the other one:
CVE-2009-1382[0]:
| Multiple stack-based buffer overflows in mimetex.cgi in mimeTeX, when
| downloaded before 20090713, allow remote attackers to execute
| arbitrary code via a TeX file with long (1) picture, (2) circle, or
| (3) input tags.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1382
    http://security-tracker.debian.net/tracker/CVE-2009-1382


Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Changed Bug title to `mimetex: CVE-2009-2459 CVE-2009-1382 multiple security issues' from `mimetex: CVE-2009-2459 multiple stack-based buffer overflows'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 16 Jul 2009 13:39:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Isaac Clerencia <isaac@sindominio.net>:
Bug#537254; Package mimetex. (Thu, 23 Jul 2009 18:24:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kees Cook <kees@debian.org>:
Extra info received and forwarded to list. Copy sent to Isaac Clerencia <isaac@sindominio.net>. (Thu, 23 Jul 2009 18:24:04 GMT) Full text and rfc822 format available.

Message #17 received at 537254@bugs.debian.org (full text, mbox):

From: Kees Cook <kees@debian.org>
To: 537254@bugs.debian.org
Subject: consolation?
Date: Thu, 23 Jul 2009 11:20:46 -0700
If it's any consolation, mimetex isn't installed by default in cgi-bin,
though moodle is a direct user.  It's not clear if moodle's existing
filtering limits this exposure or not.

-- 
Kees Cook                                            @debian.org




Information forwarded to debian-bugs-dist@lists.debian.org, Isaac Clerencia <isaac@sindominio.net>:
Bug#537254; Package mimetex. (Thu, 08 Oct 2009 15:48:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Isaac Clerencia <isaac@sindominio.net>. (Thu, 08 Oct 2009 15:48:04 GMT) Full text and rfc822 format available.

Message #22 received at 537254@bugs.debian.org (full text, mbox):

From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
To: Debian Bug Tracking System <537254@bugs.debian.org>
Subject: mimetex: patch to fix security issues
Date: Thu, 08 Oct 2009 11:40:11 -0400
[Message part 1 (text/plain, inline)]
Package: mimetex
Version: 1.50-1
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu karmic ubuntu-patch



*** /tmp/tmpXGbr7m
In Ubuntu, we've applied the attached patch to achieve the following:

  * SECURITY UPDATE: arbitrary code execution via long picture, circle and
    input tags
    - mimetex.c: replace strcpy with strninit macro that uses strncpy,
      adjust some buffer sizes.
    - CVE-2009-1382
  * SECURITY UPDATE: information disclosure via input and counter tags
    - mimetex.c: disable input and counter tags.
    - CVE-2009-2459

We thought you might be interested in doing the same. 


-- System Information:
Debian Release: squeeze/sid
  APT prefers karmic-updates
  APT policy: (500, 'karmic-updates'), (500, 'karmic-security'), (500, 'karmic')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-11-generic (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[tmpHLGf52 (text/x-diff, attachment)]
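
The changelog above describes replacing strcpy with a bounded macro built on strncpy. The sketch below is an added example, not code from the attached patch or from mimetex.c: the macro name BOUNDED_INIT, the 15-byte limit and the sample argument are assumptions made for illustration. It puts the unbounded copy beside the bounded one and shows why strncpy alone is not enough.

```c
#include <stdio.h>
#include <string.h>

#define ARG_MAX_LEN 15   /* assumed limit for one directive argument */

/* Hypothetical bounded-copy macro; target needs room for n+1 bytes.
 * strncpy does not terminate when the source has n or more bytes,
 * so the terminator is written explicitly. */
#define BOUNDED_INIT(target, source, n)               \
    do {                                              \
        const char *src_ = (source);                  \
        (target)[0] = '\0';                           \
        if (src_ != NULL && (n) > 0) {                \
            strncpy((target), src_, (size_t)(n));     \
            (target)[(n)] = '\0';                     \
        }                                             \
    } while (0)

/* "Before" pattern: writes past buf when arg exceeds ARG_MAX_LEN bytes. */
size_t arg_len_unbounded(const char *arg)
{
    char buf[ARG_MAX_LEN + 1];
    strcpy(buf, arg);                       /* no length check */
    return strlen(buf);
}

/* "After" pattern: returns -1 on oversized input so the caller can
 * reject it instead of rendering a silently shortened argument. */
int copy_arg_bounded(char out[ARG_MAX_LEN + 1], const char *arg)
{
    BOUNDED_INIT(out, arg, ARG_MAX_LEN);
    return (arg != NULL && strlen(arg) > ARG_MAX_LEN) ? -1 : 0;
}

/* Shows the pitfall: strncpy alone, bounded to the full buffer size.
 * Returns 1 if the buffer ended up NUL-terminated, 0 if not. */
int strncpy_alone_terminates(const char *arg)
{
    char buf[ARG_MAX_LEN + 1];
    memset(buf, 'X', sizeof buf);
    strncpy(buf, arg, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

int main(void)
{
    const char *long_arg = "0123456789012345678901234567890123456789"; /* constructed */
    char out[ARG_MAX_LEN + 1];
    int rc = copy_arg_bounded(out, long_arg);
    printf("bounded: rc=%d kept=\"%s\"\n", rc, out);
    printf("strncpy alone terminated: %d\n", strncpy_alone_terminates(long_arg));
    return 0;
}
```

When auditing a fix of this kind, check that every call site passes a length of at most the destination size minus one, since the macro writes the terminator at index n.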

Information forwarded to debian-bugs-dist@lists.debian.org, Isaac Clerencia <isaac@sindominio.net>:
Bug#537254; Package mimetex. (Sat, 10 Oct 2009 11:27:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Isaac Clerencia <isaac@sindominio.net>. (Sat, 10 Oct 2009 11:27:05 GMT) Full text and rfc822 format available.

Message #27 received at 537254@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 537254@bugs.debian.org
Subject: NMU
Date: Sat, 10 Oct 2009 12:44:17 +0200
[Message part 1 (text/plain, inline)]
Hi,

Attached is a debdiff of the changes I made for 1.50-1.1 0-day NMU.

Cheers,
Giuseppe
[mimetex_1.50-1.1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Sat, 10 Oct 2009 11:45:35 GMT) Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Sat, 10 Oct 2009 11:45:35 GMT) Full text and rfc822 format available.

Message #32 received at 537254-close@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 537254-close@bugs.debian.org
Subject: Bug#537254: fixed in mimetex 1.50-1.1
Date: Sat, 10 Oct 2009 11:02:17 +0000
Source: mimetex
Source-Version: 1.50-1.1

We believe that the bug you reported is fixed in the latest version of
mimetex, which is due to be installed in the Debian FTP archive:

mimetex_1.50-1.1.diff.gz
  to pool/main/m/mimetex/mimetex_1.50-1.1.diff.gz
mimetex_1.50-1.1.dsc
  to pool/main/m/mimetex/mimetex_1.50-1.1.dsc
mimetex_1.50-1.1_i386.deb
  to pool/main/m/mimetex/mimetex_1.50-1.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 537254@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated mimetex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 10 Oct 2009 12:26:58 +0200
Source: mimetex
Binary: mimetex
Architecture: source i386
Version: 1.50-1.1
Distribution: unstable
Urgency: high
Maintainer: Isaac Clerencia <isaac@sindominio.net>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 mimetex    - LaTeX math expressions to anti-aliased GIF images converter
Closes: 537254
Changes: 
 mimetex (1.50-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the testing Security Team.
   * mimetex.c: replace strcpy with strninit macro that uses strncpy, adjust
     some buffer sizes. (CVE-2009-1382)
   * mimetex.c: disable input and counter tags. (CVE-2009-2459)
     Thanks to Marc Deslauriers (Closes: 537254)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkrQZDoACgkQNxpp46476aqJqQCgghLh1FQDsDaBTvz3gk3H977a
1jEAnR6HaU9dpx/INca3ioKoswu6G/OS
=uDE9
-----END PGP SIGNATURE-----





Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Sat, 24 Oct 2009 20:15:07 GMT) Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Sat, 24 Oct 2009 20:15:08 GMT) Full text and rfc822 format available.

Message #37 received at 537254-close@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 537254-close@bugs.debian.org
Subject: Bug#537254: fixed in mimetex 1.50-1+etch1
Date: Sat, 24 Oct 2009 19:58:53 +0000
Source: mimetex
Source-Version: 1.50-1+etch1

We believe that the bug you reported is fixed in the latest version of
mimetex, which is due to be installed in the Debian FTP archive:

mimetex_1.50-1+etch1.diff.gz
  to pool/main/m/mimetex/mimetex_1.50-1+etch1.diff.gz
mimetex_1.50-1+etch1.dsc
  to pool/main/m/mimetex/mimetex_1.50-1+etch1.dsc
mimetex_1.50-1+etch1_i386.deb
  to pool/main/m/mimetex/mimetex_1.50-1+etch1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 537254@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated mimetex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 11 Oct 2009 10:34:30 +0200
Source: mimetex
Binary: mimetex
Architecture: source i386
Version: 1.50-1+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Isaac Clerencia <isaac@sindominio.net>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 mimetex    - LaTeX math expressions to anti-aliased GIF images converter
Closes: 537254
Changes: 
 mimetex (1.50-1+etch1) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * mimetex.c: replace strcpy with strninit macro that uses strncpy, adjust
     some buffer sizes. (CVE-2009-1382)
   * mimetex.c: disable input and counter tags. (CVE-2009-2459)
     Thanks to Marc Deslauriers (Closes: 537254)
Files: 
 4c4ac225a147438ea1bb7be1b0f65019 584 utils optional mimetex_1.50-1+etch1.dsc
 cdda954fc3a436daa8345ecbfdb084c3 401817 utils optional mimetex_1.50.orig.tar.gz
 5d3a2a06fecf83d573c8cbb9c778ddf0 5318 utils optional mimetex_1.50-1+etch1.diff.gz
 55db42c430e79ebd525679d72c8556f8 143668 utils optional mimetex_1.50-1+etch1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkrRmqkACgkQNxpp46476arm6QCeL3N/iQdVBlYHWUhMJpMVJVHa
XM8AoIRd+fH6WUArfpY01TFFMbCRgW2Z
=NTna
-----END PGP SIGNATURE-----





Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Thu, 17 Dec 2009 00:18:06 GMT) Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Thu, 17 Dec 2009 00:18:06 GMT) Full text and rfc822 format available.

Message #42 received at 537254-close@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 537254-close@bugs.debian.org
Subject: Bug#537254: fixed in mimetex 1.50-1+lenny1
Date: Thu, 17 Dec 2009 00:17:00 +0000
Source: mimetex
Source-Version: 1.50-1+lenny1

We believe that the bug you reported is fixed in the latest version of
mimetex, which is due to be installed in the Debian FTP archive:

mimetex_1.50-1+lenny1.diff.gz
  to main/m/mimetex/mimetex_1.50-1+lenny1.diff.gz
mimetex_1.50-1+lenny1.dsc
  to main/m/mimetex/mimetex_1.50-1+lenny1.dsc
mimetex_1.50-1+lenny1_i386.deb
  to main/m/mimetex/mimetex_1.50-1+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 537254@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated mimetex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 11 Oct 2009 14:13:29 +0200
Source: mimetex
Binary: mimetex
Architecture: source i386
Version: 1.50-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Isaac Clerencia <isaac@sindominio.net>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 mimetex    - LaTeX math expressions to anti-aliased GIF images converter
Closes: 537254
Changes: 
 mimetex (1.50-1+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * mimetex.c: replace strcpy with strninit macro that uses strncpy, adjust
     some buffer sizes. (CVE-2009-1382)
   * mimetex.c: disable input and counter tags. (CVE-2009-2459)
     Thanks to Marc Deslauriers (Closes: 537254)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkrRzTMACgkQNxpp46476arDWwCfQvLN/416ik/WGVY5kYybN2FQ
vecAn3DDmlrFNiW+YNX1+ucxVKdIdy9y
=z3RB
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jan 2010 07:36:56 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 23:34:37 2014; Machine Name: beach.debian.org
