First published: Fri Sep 21 2018(Updated: )
An issue was discovered in t1_check_unusual_charstring functions in writet1.c files in TeX Live before 2018-09-21. A buffer overflow in the handling of Type 1 fonts allows arbitrary code execution when a malicious font is loaded by one of the vulnerable tools: pdflatex, pdftex, dvips, or luatex.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Tug Tex Live | <2018-09-21 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =18.10 | |
Debian Debian Linux | =8.0 | |
Debian Debian Linux | =9.0 | |
ubuntu/texlive-bin | <2017.20170613.44572-8ubuntu0.1 | 2017.20170613.44572-8ubuntu0.1 |
ubuntu/texlive-bin | <2018.20180824.48463-1ubuntu0.1 | 2018.20180824.48463-1ubuntu0.1 |
ubuntu/texlive-bin | <2013.20130729.30972-2ubuntu0.1 | 2013.20130729.30972-2ubuntu0.1 |
ubuntu/texlive-bin | <2018.20180907.48586-2 | 2018.20180907.48586-2 |
ubuntu/texlive-bin | <2015.20160222.37495-1ubuntu0.1 | 2015.20160222.37495-1ubuntu0.1 |
debian/texlive-bin | 2020.20200327.54578-7+deb11u1 2022.20220321.62855-5.1+deb12u1 2024.20240313.70630+ds-4 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2018-17407 is a vulnerability in TeX Live that allows arbitrary code execution when a malicious font is loaded by vulnerable tools.
PDFlatex, PDFTeX, DVIPS, and LuaTeX are affected by CVE-2018-17407.
The severity of CVE-2018-17407 is high with a CVSS score of 7.8.
To fix CVE-2018-17407 in TeX Live, update to versions 2018.20181218.49446-1 or later.
Yes, you can find more information about CVE-2018-17407 at the following references: [1], [2], [3].