CVE-2018-17407: Buffer Overflow
Published Sep 21, 2018
·Updated
An issue was discovered in t1checkunusualcharstring functions in writet1.c files in TeX Live before 2018-09-21. A buffer overflow in the handling of Type 1 fonts allows arbitrary code execution when a malicious font is loaded by one of the vulnerable tools: pdflatex, pdftex, dvips, or luatex.
Affected Software
8 affected componentsFixes available
Tug Tex Live<2018-09-21
Canonical Ubuntu Linux=14.04
Canonical Ubuntu Linux=16.04
Canonical Ubuntu Linux=18.04
Canonical Ubuntu Linux=18.10
Debian Debian Linux=8.0
Debian Debian Linux=9.0
debian/texlive-bin
2020.20200327.54578-7+deb11u12020.20200327.54578-7+deb11u22022.20220321.62855-5.1+deb12u22024.20240313.70630+ds-62025.20250727.75242+ds-5
Remediation
Event History
Sep 21, 2018
Data Sourced
02:51 PM
SeverityAffected Software
Sep 23, 2018
CVE Published
via MITRE·09:00 PM
Data Sourced
via MITRE·09:00 PM
Description
Data Sourced
via NVD·09:29 PM
RemedyDescriptionSeverityWeaknessAffected Software
Jan 11, 2024
Data Sourced
via Launchpad·10:54 PM
Description
Feb 18, 2026
Data Sourced
via Ubuntu·11:09 PM
RemedyDescriptionSeverityAffected Software
Data Sourced
via Debian·11:09 PM
DescriptionAffected Software
Frequently Asked Questions
1
What is CVE-2018-17407?
CVE-2018-17407 is a vulnerability in TeX Live that allows arbitrary code execution when a malicious font is loaded by vulnerable tools.
2
Which software is affected by CVE-2018-17407?
PDFlatex, PDFTeX, DVIPS, and LuaTeX are affected by CVE-2018-17407.
3
What is the severity of CVE-2018-17407?
The severity of CVE-2018-17407 is high with a CVSS score of 7.8.
4
How can I fix CVE-2018-17407 in TeX Live?
To fix CVE-2018-17407 in TeX Live, update to versions 2018.20181218.49446-1 or later.
5
Are there any references for CVE-2018-17407?
Yes, you can find more information about CVE-2018-17407 at the following references: [1], [2], [3].