Your message dated Sat, 17 May 2025 16:16:33 +0200
with message-id <c8095326-7234-4b92-8d24-b95925796...@web.de>
and subject line Re: Bug#1105117: Processed: retitle 1103801 to mimetex: CVE-2024-40445 CVE-2024-40446
has caused the Debian Bug report #1105117,
regarding CVE-2024-40445: Directory Traversal
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1105117: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105117
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mimetex
Version: 1.76-1
Severity: important

Dear Maintainer,

A code injection vulnerability has been identified in MimeTeX, affecting 
version 1.76-1 and above. This issue has been assigned CVE-2024-40446.

When operating in command-line or CGI mode, specially crafted input can trigger 
unintended command execution due to unsafe parsing. The issue arises from the 
incorrect handling of user-supplied input during expression parsing.

* What led up to the situation?  
  While evaluating the security posture of web applications relying on dynamic 
LaTeX rendering, this vulnerability was discovered in the underlying MimeTeX 
binary.

* What exactly did you do (or not do) that was effective (or ineffective)?  
  Testing was performed with benign but malformed LaTeX input, which led to 
unexpected execution behavior. Further analysis confirmed the input was being 
evaluated in a way that allowed for arbitrary code execution.

* What was the outcome of this action?  
  A proof of concept confirmed the ability to execute commands supplied via 
crafted LaTeX input in environments where MimeTeX is exposed to untrusted input 
(such as via CGI).

* What outcome did you expect instead?  
  Input should be treated as data and not lead to code execution under any 
circumstances.

As MimeTeX appears to be unmaintained upstream, and the impact of this 
vulnerability includes remote code execution, it is recommended to consider 
removing the package from Debian, or at minimum, disabling CGI support or 
sandboxing the binary in its current form.

CVE details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40446

-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy-updates
  APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports')
Architecture: arm64 (aarch64)

Kernel: Linux 6.11.3-200.fc40.aarch64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages mimetex depends on:
ii  libc6  2.35-0ubuntu3.9

mimetex recommends no packages.

mimetex suggests no packages.

--- End Message ---
--- Begin Message ---
On 17.05.25 07:18, Salvatore Bonaccorso wrote:

Hello Salvatore,

Yes, I was hoping you have more specific technical details giving a
base for that. But I guess we have taken this as given, so I have
updated the tracker.

Thanks a lot for your work,


The only thing I "technically" have are the two YouTube videos, which are linked e.g. on the GitHub advisory [1]. Unfortunately they are private, you have to ask the author (= the submitter of this bug) to share them.

Anyway: I close that bug now. The bug for CVE-2024-40446 remains open.

Hilmar

[1] https://github.com/advisories/GHSA-4qhj-jmx7-8mr8
--
Testmail



--- End Message ---
