Bug 23655 - texlive new security issue CVE-2018-17407
Summary: texlive new security issue CVE-2018-17407
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-10-09 00:28 CEST by David Walser
Modified: 2018-10-14 02:59 CEST (History)
5 users (show)

See Also:
Source RPM: texlive-20180414-3.mga7.src.rpm
CVE:
Status comment:


Attachments
Emacs cheat sheet (19.78 KB, text/x-matlab)
2018-10-10 12:39 CEST, Len Lawrence
Details

Description David Walser 2018-10-09 00:28:17 CEST
A security issue fixed upstream in texlive has been announced:
https://www.openwall.com/lists/oss-security/2018/10/08/3

Mageia 6 is also affected.
David Walser 2018-10-09 00:28:25 CEST

Whiteboard: (none) => MGA6TOO

Marja Van Waes 2018-10-09 09:40:14 CEST

Assignee: bugsquad => mageia
CC: (none) => marja11

Comment 1 Marc Krämer 2018-10-09 16:03:08 CEST
better use this source
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-17407

They have a link to the patch, I could not find on debian tracker....


https://github.com/TeX-Live/texlive-source/commit/6ed0077520e2b0da1fd060c7f88db7b2e6068e4c
Comment 2 Marc Krämer 2018-10-09 23:47:10 CEST
Suggested advisory:
========================

Updated texlive packages fix security vulnerabilities:
A buffer overflow in the handling of Type 1 fonts allowed arbitrary code execution when a malicious font is loaded by one of the vulnerable tools: pdflatex, pdftex, dvips, or luatex.


References:
========================
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17407
https://www.openwall.com/lists/oss-security/2018/10/08/3

Updated packages in core/updates_testing:
========================
texlive-20160523-7.1.mga6
libkpathsea6-20160523-7.1.mga6
libkpathsea-devel-20160523-7.1.mga6
libkpathsea-static-devel-20160523-7.1.mga6
libtexlua5-20160523-7.1.mga6
libtexlua-devel-20160523-7.1.mga6
libtexlua-static-devel-20160523-7.1.mga6
libsynctex1-20160523-7.1.mga6
libsynctex-devel-20160523-7.1.mga6
libsynctex-static-devel-20160523-7.1.mga6
libptexenc1-20160523-7.1.mga6
libptexenc-devel-20160523-7.1.mga6
libptexenc-static-devel-20160523-7.1.mga6
texlive-debuginfo-20160523-7.1.mga6

Source RPMs:
texlive-20160523-7.1.mga6.src.rpm

Assignee: mageia => qa-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 3 David Walser 2018-10-09 23:53:20 CEST
Debian has issued an advisory for this on September 21:
https://www.debian.org/security/2018/dsa-4299

CC: (none) => mageia

Comment 4 Len Lawrence 2018-10-10 11:22:45 CEST
Before updating installed all the packages, except the debug-info.
It seemed worth trying to familiarize myself with the utilities before updating, so...

$ luatex refcard.tex refcard.pdf
Failed because luatex.fmt was missing.  Found command to generate it:

$ luatex -ini luatex.ini
Failed because luatex.ini was missing.
$ cp /usr/share/texmf-dist/tex/generic/tex-ini-files/luatex.ini

$ luatex -ini luatex.ini
Failed because load-unicode-data.tex is missing.
Downloaded that from mirrors.ibiblio.org/CTAN/macros/generic/unicode-data/load-unicode-data.tex.

$ luatex -ini luatex.ini
This is LuaTeX, Version 0.95.0 (TeX Live 2016/Mageia)  (INITEX)
 restricted system commands enabled.
(./luatex.ini (/usr/share/texmf-dist/tex/generic/tex-ini-files/luatexconfig.tex
(/usr/share/texmf-dist/tex/generic/config/pdftexconfig.tex))
(/usr/share/texmf-dist/tex/generic/config/luatexiniconfig.tex)
(./load-unicode-data.tex 
load-unicode-data.tex v1.7 (2018-06-09)
Reading Unicode data
# UnicodeData-11.0.0.txt
# Downloaded 2018-06-09 06:00:00 GMT [JAW]
) (/usr/share/texmf-dist/tex/plain/etex/etex.src
(/usr/share/texmf-dist/tex/plain/base/plain.tex
Preloading the plain format: codes, registers, parameters, fonts, more fonts,
! Font \preloaded=manfnt not loadable: metric data not found or bad.
<to be read again> 
\par 
l.468 
    
? 
Ctrl-D

Don't know where to go with this but shall try out the other commands.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2018-10-10 11:35:16 CEST
Before update:

$ pdftex refcard.tex
$ pdftex refcard.tex
This is pdfTeX, Version 3.14159265-2.6-1.40.17 (TeX Live 2016/Mageia) (preloaded format=pdftex)
 restricted \write18 enabled.

kpathsea: Running mktexfmt pdftex.fmt
mktexfmt: mktexfmt is using the following fmtutil.cnf files (in precedence order):
mktexfmt:   /usr/share/texmf-dist/web2c/fmtutil.cnf
mktexfmt: mktexfmt is using the following fmtutil.cnf file for writing changes:
mktexfmt:   /home/lcl/.texlive2013/texmf-config/web2c/fmtutil.cnf
mktexfmt [INFO]: writing formats under /home/lcl/.texlive2013/texmf-var/web2c
mktexfmt [INFO]: --- remaking pdftex with pdftex
mktexfmt: running `pdftex -ini   -jobname=pdftex -progname=pdftex -translate-file=cp227.tcx *pdfetex.ini' ...
[...]
kpathsea: Running mktexmf manfnt
! I can't find file `manfnt'.
<*> ...:=ljfour; mag:=1; nonstopmode; input manfnt
                                                  
Please type another input file name
! Emergency stop.
<*> ...:=ljfour; mag:=1; nonstopmode; input manfnt
[...]                                                  
? 
! Emergency stop.
<to be read again> 
                   \par 
l.468 
      
!  ==> Fatal error occurred, no output PDF file produced!
[...]
I can't find the format file `pdftex.fmt'!

Looks like there is something very wrong here - no idea what.
Comment 6 Marc Krämer 2018-10-10 12:27:16 CEST
where does this file refcard.tex come from?
Looks like it searches a font. Maybe you have to run mktexlsr (as root), which will update this structure. This is enhanced in cauldron, but I don't want to push all these fixes and changes to mga6. In mga6, I just want to fix this security issue ;)
Comment 7 Len Lawrence 2018-10-10 12:37:15 CEST
In reply to Marc in comment #6:

refcard.tex is a specimen that I have had hanging around for ages.  I do not know its provenance but would guess that it was originally generated from refcard.pdf and that would have been downloaded from the net at some time.  

See attachment.  It means very little to me - over 30 years since I used LaTeX in production.
Comment 8 Len Lawrence 2018-10-10 12:39:11 CEST
Created attachment 10396 [details]
Emacs cheat sheet
Comment 9 Len Lawrence 2018-10-10 12:52:42 CEST
I also checked a tex file picked at random from the system files:
/usr/share/texmf-dist/tex/plain/base/fontchart.tex

No result with that either.

# mktexlsr
mktexlsr: Updating /etc/texmf/ls-R... 
mktexlsr: Updating /usr/share/texmf-dist/ls-R... 
mktexlsr: Updating /usr/share/texmf-local/ls-R... 
mktexlsr: Updating /var/lib/texmf/ls-R... 
mktexlsr: Done.

That did not help.
I shall update the packages when they hit the mirrors.
Comment 10 Marc Krämer 2018-10-10 13:04:59 CEST
I still use tex for presentations, and my latest presentation still "compiles".
The documentation from emacs, your file or /usr/share/emacs/24.5/etc/refcards does not. 

(./pdflayout.sty (/usr/share/texmf-dist/tex/generic/oberdiek/ifpdf.sty

LaTeX Warning: You have requested package `',
               but the package provides `ifpdf'.
)) (./emacsver.tex) [3 columns per page]
! Undefined control sequence.
l.156     \nopagenumbers


=> it looks like one of them has some incompatible changes.

e.g.
pdflatex /usr/share/texmf-dist/tex/latex/beamer/emulation/examples/beamerexample-foils.tex

or
pdflatex /usr/share/texmf-dist/./tex/latex/base/testpage.tex

should work.
Comment 11 Len Lawrence 2018-10-10 13:36:35 CEST
Before updating I had to rectify something.  All the libraries installed were 32-bit - failed to notice earlier.  Been alive too long!  Installed the 64-bit libraries and ran the update.

pdftex fails but 
$ luatex refcard.tex refcard.pdf
succeeded in generating a readable PDF file.
$ pdftex fontchart.tex 
Failed  with the message "I can't find the format file `pdftex.fmt'!"

Ran mktexlsr again as well but it did not help.

$ pdflatex /usr/share/texmf-dist/./tex/latex/base/testpage.tex
That did work.  Can read testpage.pdf.  Thanks Marc.

The other example worked as well.  The beamerexample-foils.pdf contains a four-page slideshow.

luatex has problems with the beamer file and stops on a whole series of undefined control sequences, starting with:
! Undefined control sequence.
l.22 \documentclass
                 {beamer}

So I guess you really need to know what you are doing with this stuff.  On the whole it looks like it works.

I shall give this the OK if you would confirm that this is enough testing Marc.
Comment 12 Marc Krämer 2018-10-10 13:40:52 CEST
yep, that looks quite good to me, afaik luatex is broken in mga6. At least we are in the same shape as before the update :)
Len Lawrence 2018-10-11 01:08:47 CEST

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA6-64-OK

Thomas Backlund 2018-10-14 01:57:01 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 13 Mageia Robot 2018-10-14 02:59:45 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0397.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.