A security issue in latex2rtf was announced on November 16:
http://openwall.com/lists/oss-security/2015/11/16/3

The message above includes a PoC (see Step 4).

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated latex2rtf package fixes security vulnerability:

A format string vulnerability was found in the CmdKeywords function when processing the \keywords command in a tex file. When the user runs latex2rtf with a maliciously crafted tex file, an attacker can execute arbitrary code. The variable `keywords' in the function CmdKeywords may hold a malicious input string, which can be used as a format argument of vsnprintf (CVE-2015-8106).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8106
http://openwall.com/lists/oss-security/2015/11/16/3
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8106
========================

Updated packages in core/updates_testing:
========================
latex2rtf-2.3.8-3.1.mga5

from latex2rtf-2.3.8-3.1.mga5.src.rpm

Reproducible:

Steps to Reproduce:
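As an added illustration (not latex2rtf's own code), a hypothetical `diag` helper modelled on the sink the advisory describes: the vulnerable variant hands the \keywords text to vsnprintf as its format, the fixed variant passes the same text as a "%s" argument, and a constructed input using only "%%" makes the difference observable without undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical logging helper shaped like the sink the advisory describes:
 * whatever arrives as `fmt` goes straight to vsnprintf as the format. */
static int diag(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable shape: the text of \keywords{...} becomes the format string. */
int cmd_keywords_vulnerable(const char *keywords, char *out, size_t outlen)
{
    return diag(out, outlen, keywords);
}

/* Hardened shape: the untrusted text is only ever a "%s" argument. */
int cmd_keywords_fixed(const char *keywords, char *out, size_t outlen)
{
    return diag(out, outlen, "%s", keywords);
}

typedef int (*keywords_fn)(const char *, char *, size_t);

/* Runs one variant on `keywords`; 1 if its output equals `expected`. */
int output_equals(keywords_fn variant, const char *keywords, const char *expected)
{
    char buf[128];
    variant(keywords, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* 1 if the variant altered the input, i.e. it parsed '%' as a directive. */
int input_was_interpreted(keywords_fn variant, const char *keywords)
{
    return !output_equals(variant, keywords, keywords);
}

/* Constructed input: "%%" consumes no argument, so the vulnerable path is
 * observable without undefined behaviour. 1 when the two variants disagree. */
int demo_variants_diverge(void)
{
    const char *kw = "100%% done";
    return input_was_interpreted(cmd_keywords_vulnerable, kw)
        && !input_was_interpreted(cmd_keywords_fixed, kw);
}
```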
Whiteboard: (none) => has_procedure
Created attachment 7205 [details] PoC test file for latex2rtf
CC: (none) => tarazed25
mga5 x86_64 Mate/tcsh

$ cat exploit.tex
\documentclass{article}
\begin{document}
\title{Exploitable}
\author{Jong-Gwon Kim}
\keywords{%x\%n\%n\%n}
\end{document}

That was cut and pasted from the Openwall page linked above.

$ sudo urpmi latex
Package texlive-20130530-21.mga5.x86_64 is already installed
$ sudo urpmi latex2rtf
Package latex2rtf-2.3.8-3.mga5.x86_64 is already installed

After the "latex2rtf exploit.tex" command reported that it could not find the config directory and specifically direct.cfg, I had to create /usr/local/etc/directcfg and copy the contents of /etc/directcfg to it. Fiddling with the environment variable had done no good.

$ latex2rtf exploit.tex
exploit.tex:4 Could not find closing '}' in 5000 chars

???

Installed latex2rtf-2.3.8-3.1.mga5.x86_64

$ latex2rtf exploit.tex
exploit.tex:4 Could not find closing '}' in 5000 chars

$ latex2rtf -v
latex2rtf 2.3.8 r1240 (released June 16 2014)

What have I missed?
Finger trouble |-( That should be /etc/latex2rtf (not /etc/directcfg)
Found a syntax error in the original file. Correction uploaded above with the rtf output.

$ latex2rtf exploit.tex
$

Need to check pre-update PoC in an i586 vbox.
Created attachment 7206 [details] Corrected test file
Created attachment 7207 [details] RTF output file from latex2rtf

After update.
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Repeated the pre-update procedure for i586 and registered a segmentation fault on

$ latex2rtf exploit.tex

The testing update does not seem to have reached the 32bit mirrors, at least not via MIRRORLIST, so I downloaded it from http://distrib-coffee.ipsl.jussieu.fr and installed it from the local RPM. Ran the command again, as above, and generated the exploit.rtf file.

$ ls -l exploit.rtf
-rw-r--r-- 1 lcl lcl 4498 Nov 17 21:11 exploit.rtf

So good for i586. The only quibble I have is that on x86_64 I could not get the program to read the environment variable I had set for the config directory, and nor would it work through a command line parameter. /usr/local is not the Mageia way, is it?
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK
Leaving out the validation until someone confirms that it is OK to run with /usr/local. It would need a bug report if there is some objection.
OK - takes foot out of mouth...

$ latex2rtf -P /etc/latex2rtf exploit.tex

That worked fine. I had misinterpreted the instruction and added /direct.cfg to the path.
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure MGA5-64-OK MGA5-32-OK validated_update
Thanks Len, nice work! Note that validated_update goes in the Keywords line, not the whiteboard.
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK validated_update => has_procedure MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0453.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/665241/
Duplicate LWN entry, we'll see which they keep: http://lwn.net/Vulnerabilities/665240/