Bug 17164

Summary: latex2rtf new security issue CVE-2015-8106
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/665241/
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK advisory
Source RPM: latex2rtf-2.3.8-3.mga5.src.rpm CVE:
Status comment:
Attachments: PoC test file for latex2rtf
Corrected test file
RTF output file from latex2rtf

Description David Walser 2015-11-17 17:29:40 CET 
A security issue in latex2rtf was announced on November 16:
http://openwall.com/lists/oss-security/2015/11/16/3

The message above includes a PoC (see Step 4).

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated latex2rtf package fixes security vulnerability:

A format string vulnerability was found in CmdKeywords function when processing
\keywords command in tex file. When the user runs latex2rtf with malicious
crafted tex file, an attacker can execute arbitrary code. The variable
`keywords' in the function CmdKeywords may hold a malicious input string, which
can be used as a format argument of vsnprintf (CVE-2015-8106).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8106
http://openwall.com/lists/oss-security/2015/11/16/3
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8106
========================

Updated packages in core/updates_testing:
========================
latex2rtf-2.3.8-3.1.mga5

from latex2rtf-2.3.8-3.1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2015-11-17 17:29:49 CET

Whiteboard: (none) => has_procedure

Comment 1 Len Lawrence 2015-11-17 20:49:02 CET 
Created attachment 7205 [details]
PoC test file for latex2rtf

CC: (none) => tarazed25

Comment 2 Len Lawrence 2015-11-17 20:50:15 CET 
mga5  x86_64  Mate/tcsh

$ cat exploit.tex
\documentclass{article}
\begin{document}
\title{Exploitable}
\author{Jong-Gwon Kim}
\keywords{%x\%n\%n\%n}
\end{document}

That was cut and pasted from the Openwall page linked above.

$ sudo urpmi latex
Package texlive-20130530-21.mga5.x86_64 is already installed
$ sudo urpmi latex2rtf
Package latex2rtf-2.3.8-3.mga5.x86_64 is already installed

After the "latex2rtf exploit.tex" command reported that it could not find the config directory and specifically direct.cfg, I had to create /usr/local/etc/directcfg and copy the contents of /etc/directcfg to it.  Fiddling with environment variable had done no good.
$ latex2rtf exploit.tex
exploit.tex:4   Could not find closing '}' in 5000 chars

???

Installed latex2rtf-2.3.8-3.1.mga5.x86_64
$ latex2rtf exploit.tex
exploit.tex:4   Could not find closing '}' in 5000 chars
$ latex2rtf -v
latex2rtf 2.3.8 r1240 (released June 16 2014)

What have I missed?
Comment 3 Len Lawrence 2015-11-17 20:53:15 CET 
Finger trouble |-(

That should be /etc/latex2rtf (not /etc/directcfg)
Comment 4 Len Lawrence 2015-11-17 21:11:26 CET 
Found a syntax error in the original file.  Correction uploaded above with the rtf output.
$ latex2rtf exploit.tex


$
Need to check pre-update PoC in an i586 vbox.
Comment 5 Len Lawrence 2015-11-17 21:13:17 CET 
Created attachment 7206 [details]
Corrected test file
Comment 6 Len Lawrence 2015-11-17 21:15:23 CET 
Created attachment 7207 [details]
RTF output file from latex2rtf

After update.
Len Lawrence 2015-11-17 21:16:53 CET

Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 7 Len Lawrence 2015-11-17 22:17:46 CET 
Repeated the pre-update  procedure for i586 and registered a segmentation fault on
$ latex2rtf exploit.tex

The testing update does not seem to have reached the 32bit mirrors at least not via MIRRORLIST so I downloaded it from http://distrib-coffee.ipsl.jussieu.fr and installed it from the local RPM.

Ran the command again, as above and generated the exploit.rtf file.
$ ls -l exploit.rtf
-rw-r--r-- 1 lcl lcl 4498 Nov 17 21:11 exploit.rtf

So good for i586.
The only quibble I have is that on x86_64 I could not get the program to read the environment variable I had set for the config directory and nor would it work through a command line parameter.  /usr/local is not the Mageia way, is it?
Len Lawrence 2015-11-17 22:18:25 CET

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK

Comment 8 Len Lawrence 2015-11-17 22:20:30 CET 
Leaving out the validation until someone confirms that it is OK to run with /usr/local.
It would need a bug report if there is some objection.
Comment 9 Len Lawrence 2015-11-17 22:33:06 CET 
OK - takes foot out of mouth...

$ latex2rtf -P /etc/latex2rtf exploit.tex

That worked fine.
I had misinterpreted the instruction and added /direct.cfg to the path.
Len Lawrence 2015-11-17 22:33:44 CET

Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure MGA5-64-OK MGA5-32-OK validated_update

Comment 10 David Walser 2015-11-17 22:45:38 CET 
Thanks Len, nice work!

Note that validated_update goes in the Keywords line, not the whiteboard.

Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK validated_update => has_procedure MGA5-64-OK MGA5-32-OK

Len Lawrence 2015-11-18 19:00:11 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2015-11-19 17:12:16 CET

CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure MGA5-64-OK MGA5-32-OK advisory

Comment 11 Mageia Robot 2015-11-19 23:09:24 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0453.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-11-20 18:11:56 CET

URL: (none) => http://lwn.net/Vulnerabilities/665241/

Comment 12 David Walser 2015-11-20 18:45:20 CET 
Duplicate LWN entry, we'll see which they keep:
http://lwn.net/Vulnerabilities/665240/