Hello Hilmar,

Yes, version 1.74 is not affected because I think the vulnerable feature was added in 1.76 (or 1.75; I can't find the source code of 1.75, so I can't be sure of it).

There is a comment [1] stating that he contacted the author John, and he said that version 1.75 in the source code is just a mistake; it's indeed version 1.77.

About the article you mentioned from cve[.]news, I checked it and found it's total nonsense, since:

1. The vulnerable code it mentions doesn't even exist in MimeTeX
2. It's not a valid PoC
3. It can't even distinguish the vulnerability type

Therefore, I highly suspect that it's just an AI-generated article and can't be a useful reference.

Since I don't want to expose too much information to the public about the exploit, I will send you another email in private with information about the exploit.

Best regards,
TaiYou

[1] https://tracker.moodle.org/browse/MDL-70769?focusedId=844397&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-844397

> On May 8, 2025, at 23:51, Hilmar Preuße <hill...@web.de> wrote:
>
> On 21.04.25 18:57, TaiYou wrote:
>
> Hello,
>
>> A code injection vulnerability has been identified in MimeTeX,
>> affecting version 1.76-1 and above. This issue has been assigned
>> CVE-2024-40446.
>
> Are you sure that 1.76 and above is affected? I would rather think 1.76 and
> below is affected.
>
> Until now I did not find anywhere a piece of code which clearly states to be the
> source code of mimetex 1.77. The source code in [1] states to be version
> 1.75, the binaries (at least the one for ARM64) state to be version 1.77,
> so the attached source code does not match the binaries.
>
> To check the binaries built from the source code in [1] I built a test bed on
> my web server [2]. On [3] I found more details about the exploit and how to
> use it. The source code in my test page is
>
> <p><img src="/cgi-bin/mimetex.cgi?\input{/etc/passwd}"></p>
> <p><img src="/cgi-bin/mimetex1.cgi?\input{/etc/passwd}"></p>
> <p><img src="/cgi-bin/mimetex2.cgi?\input{/etc/passwd}"></p>
>
> As you can see, my /etc/passwd is not displayed.
>
> - mimetex.cgi is the official Debian package
> - mimetex1.cgi is the binary I built from the code on [1]
> - mimetex2.cgi is the binary for ARM64 I downloaded from [1]
>
> Into the web page I copied the code from [4], so anybody can enter LaTeX code
> to be rendered by mimetex, but for obvious reasons, the code is commented out.
>
> Could you go into more detail about what the exploit looks like?
>
> Thanks,
> Hilmar
>
> [1] https://tracker.moodle.org/browse/MDL-70769
> [2] http://rasppi3.hilmar-preusse.de/~hille/mimetex.html
> [3] https://www.cve.news/cve-2024-40446/
> [4] https://ctan.math.washington.edu/tex-archive/support/mimetex/mimetex.html
> --
> Testmail
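For an administrator who exposes mimetex.cgi and wants to know whether requests of the kind Hilmar used in his test bed (a query string carrying `\input{...}`) have already reached the server, the following log-triage helper is an added example; it is not code from either mail, from MimeTeX or from Debian. It assumes an Apache-style combined access log, matches `mimetex.cgi` and numbered variants such as `mimetex1.cgi`, and percent-decodes the request target a few times so that `%5Cinput` and `%255Cinput` are recognised as well as a literal backslash. The log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not taken from the page.
SAMPLE_LOG = r"""
192.0.2.10 - - [08/May/2025:23:51:02 +0200] "GET /cgi-bin/mimetex.cgi?x%5E2%2By%5E2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [08/May/2025:23:52:17 +0200] "GET /cgi-bin/mimetex.cgi?\input{/etc/passwd} HTTP/1.1" 200 640 "-" "curl/8.5.0"
192.0.2.12 - - [08/May/2025:23:53:40 +0200] "GET /cgi-bin/mimetex1.cgi?%5Cinput%7B/etc/passwd%7D HTTP/1.1" 200 640 "-" "curl/8.5.0"
192.0.2.13 - - [08/May/2025:23:54:05 +0200] "GET /cgi-bin/mimetex2.cgi?\frac{a}{b} HTTP/1.1" 200 480 "-" "Mozilla/5.0"
192.0.2.14 - - [08/May/2025:23:55:11 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
""".strip().splitlines()

# Request line inside the combined log format: "METHOD TARGET HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# CGI names of interest: mimetex.cgi and numbered variants such as mimetex1.cgi
MIMETEX_PATH_RE = re.compile(r'/mimetex\d*\.cgi(?:\?|$)')
# The \input control sequence; case-sensitive, as TeX control words are
INPUT_RE = re.compile(r'\\input\b')


def decode_target(target):
    """Percent-decode repeatedly (bounded) so %255Cinput and %5Cinput both become \\input."""
    prev = None
    cur = target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def find_mimetex_input_requests(lines):
    """Return (client, path, decoded_query) for every mimetex request whose query carries \\input."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = decode_target(m.group("target"))
        if not MIMETEX_PATH_RE.search(target):
            continue
        path, _, query = target.partition("?")
        if INPUT_RE.search(query):
            client = line.split(" ", 1)[0]  # first field of the combined format is the client
            hits.append((client, path, query))
    return hits


if __name__ == "__main__":
    for client, path, query in find_mimetex_input_requests(SAMPLE_LOG):
        print(f"{client} requested {path} with \\input in query: {query}")
```

Run against the sample it reports the two requests that name `/etc/passwd` and ignores the ordinary formula requests; on a real server, point it at the access log of the virtual host that serves the CGI. A hit only shows that the request arrived, not that the binary acted on it, so the response size and a check of the served image are still needed to tell a patched build from a vulnerable one.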