Package: mimetex
Version: 1.76-1
Severity: important

Dear Maintainer,

A code injection vulnerability has been identified in MimeTeX, affecting 
version 1.76-1 and above. This issue has been assigned CVE-2024-40446.

When operating in command-line or CGI mode, specially crafted input can trigger 
unintended command execution due to unsafe parsing. The issue arises from the 
incorrect handling of user-supplied input during expression parsing.

* What led up to the situation?  
  While evaluating the security posture of web applications relying on dynamic 
LaTeX rendering, this vulnerability was discovered in the underlying MimeTeX 
binary.

* What exactly did you do (or not do) that was effective (or ineffective)?  
  Testing was performed with benign but malformed LaTeX input, which led to 
unexpected execution behavior. Further analysis confirmed the input was being 
evaluated in a way that allowed for arbitrary code execution.

* What was the outcome of this action?  
  A proof of concept confirmed the ability to execute commands supplied via 
crafted LaTeX input in environments where MimeTeX is exposed to untrusted input 
(such as via CGI).

* What outcome did you expect instead?  
  Input should be treated as data and not lead to code execution under any 
circumstances.

As MimeTeX appears to be unmaintained upstream, and the impact of this 
vulnerability includes remote code execution, it is recommended to consider 
removing the package from Debian, or at minimum, disabling CGI support or 
sandboxing the binary in its current form.

CVE details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40446

-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy-updates
  APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), 
(100, 'jammy-backports')
Architecture: arm64 (aarch64)

Kernel: Linux 6.11.3-200.fc40.aarch64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages mimetex depends on:
ii  libc6  2.35-0ubuntu3.9

mimetex recommends no packages.

mimetex suggests no packages.