Debian Security Advisory

DSA-1917-1 mimetex -- several vulnerabilities

Date Reported:
24 Oct 2009
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 537254.
In Mitre's CVE dictionary: CVE-2009-1382, CVE-2009-2459.
More information:

Several vulnerabilities have been discovered in mimetex, a lightweight alternative to MathML. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2009-1382

    Chris Evans and Damien Miller, discovered multiple stack-based buffer overflow. An attacker could execute arbitrary code via a TeX file with long picture, circle, input tags.

  • CVE-2009-2459

    Chris Evans discovered that mimeTeX contained certain directives that may be unsuitable for handling untrusted user input. A remote attacker can obtain sensitive information.

For the oldstable distribution (etch), these problems have been fixed in version 1.50-1+etch1.

Due to a bug in the archive system, the fix for the stable distribution (lenny) will be released as version 1.50-1+lenny1 once it is available.

For the testing distribution (squeeze), and the unstable distribution (sid), these problems have been fixed in version 1.50-1.1.

We recommend that you upgrade your mimetex packages.

Fixed in:

Debian GNU/Linux 4.0 (etch)

HP Precision:
Intel IA-32:
Intel IA-64:
Big-endian MIPS:
Little-endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.