On 21.04.25 18:57, TaiYou wrote:

> Hello,
>
> A code injection vulnerability has been identified in MimeTeX,
> affecting version 1.76-1 and above. This issue has been assigned
> CVE-2024-40446.

Are you sure that 1.76 and above is affected? I would rather think 1.76 and below is affected.

Until now I did not find anywhere a piece of code which clearly states that it is the source code of mimetex 1.77. The source code in [1] states that it is version 1.75, while the binaries (at least the one for ARM64) state that they are version 1.77, so the attached source code does not match the binaries.

To check the binaries built from the source code in [1], I built a test bed on my web server [2]. On [3] I found more details about the exploit and how to use it. The source code of my test page is

  <p><img src="/cgi-bin/mimetex.cgi?\input{/etc/passwd}"></p>
  <p><img src="/cgi-bin/mimetex1.cgi?\input{/etc/passwd}"></p>
  <p><img src="/cgi-bin/mimetex2.cgi?\input{/etc/passwd}"></p>

As you can see, my /etc/passwd is not displayed.

- mimetex.cgi is the official Debian package
- mimetex1.cgi is the binary I built from the code on [1]
- mimetex2.cgi is the binary for ARM64 I downloaded from [1]

Into the web page I copied the code from [4], so anybody can enter LaTeX code to be rendered by mimetex, but for obvious reasons that code is commented out.

Could you go into more detail about what the exploit looks like?

Thanks,
  Hilmar

[1] https://tracker.moodle.org/browse/MDL-70769
[2] http://rasppi3.hilmar-preusse.de/~hille/mimetex.html
[3] https://www.cve.news/cve-2024-40446/
[4] https://ctan.math.washington.edu/tex-archive/support/mimetex/mimetex.html
--
Testmail
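As an added example (not part of Hilmar's or TaiYou's mail, and not MimeTeX project code), the following Python scanner shows how a defender could check a web server's access log for requests to a mimetex CGI whose query string carries a `\input{...}` directive, which is the pattern the test page above exercises. The log lines are constructed for the example and percent-decoded before matching, since the directive may arrive either literally or URL-encoded.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = r'''
203.0.113.5 - - [21/Apr/2025:18:57:01 +0200] "GET /cgi-bin/mimetex.cgi?x%5E2%2By%5E2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Apr/2025:18:57:02 +0200] "GET /cgi-bin/mimetex.cgi?%5Cinput%7B/etc/passwd%7D HTTP/1.1" 200 812 "-" "curl/8.5.0"
203.0.113.9 - - [21/Apr/2025:18:57:03 +0200] "GET /cgi-bin/mimetex1.cgi?\input{/etc/passwd} HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.11 - - [21/Apr/2025:18:57:04 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.13 - - [21/Apr/2025:18:57:05 +0200] "GET /cgi-bin/mimetex2.cgi?%5cINPUT%7b/etc/passwd%7d HTTP/1.1" 200 40 "-" "python-requests/2.31"
'''

# Fields of a combined-format log line that matter for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# Any CGI named mimetex*.cgi, matching the three binaries on the test page.
MIMETEX_PATH_RE = re.compile(r'/mimetex\w*\.cgi$')


def decode_fully(text: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded input is also seen."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def parse_line(line: str):
    """Return the interesting fields of one log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def is_suspicious(target: str) -> bool:
    """True if the request goes to a mimetex CGI and its query contains \\input."""
    parts = urlsplit(target)
    if not MIMETEX_PATH_RE.search(parts.path):
        return False
    query = decode_fully(parts.query).lower()
    return '\\input' in query


def scan(log_text: str) -> list:
    """Return the parsed fields of every request that is_suspicious() flags."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        if fields and is_suspicious(fields['target']):
            hits.append(fields)
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit['ts'], hit['ip'], hit['target'])
```

Because the check runs on the decoded, lower-cased query, the literal, percent-encoded and mixed-case variants in the sample are all flagged, while an ordinary formula such as `x^2+y^2` is not. A response status of 200 alone says nothing about whether the file contents were rendered, which is exactly why Hilmar's test bed looks at the produced image rather than at the HTTP result.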
