PT-2011-1030 · Tex Live+5 · Texlive-Debuginfo+16
Jan Lieskovsky · Published 2011-01-07 · Updated 2022-05-23 · CVE-2011-0433
CVSS v2.0: 7.6 (High)
| Vector | AV:N/AC:H/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
texlive-debuginfo-2007 version 2007
texlive-dviutils-2007 version 2007
texlive-context-2007 version 2007
texlive-utils-2007 version 2007
texlive-2007 version 2007
t1lib (affected versions not specified)
texlive-xetex-2007 version 2007
mendexk-2.6e version 2.6e
texlive-dvips-2007 version 2007
texlive-latex-2007 version 2007
texlive-afm-2007 version 2007
kpathsea-2007 version 2007
kpathsea-devel-2007 version 2007
texlive-east-asian-2007 version 2007
Description
The issue covers multiple vulnerabilities in several packages of the texlive and t1lib software that can compromise the confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. A heap-based buffer overflow in the linetoken function in afmparse.c in t1lib allows remote attackers to cause a denial of service and possibly execute arbitrary code via a DVI file containing a crafted Adobe Font Metrics file.
Recommendations
For texlive-debuginfo-2007 version 2007, update to a newer version.
For texlive-dviutils-2007 version 2007, update to a newer version.
For texlive-context-2007 version 2007, update to a newer version.
For texlive-utils-2007 version 2007, update to a newer version.
For texlive-2007 version 2007, update to a newer version.
For t1lib, update to a newer version.
For texlive-xetex-2007 version 2007, update to a newer version.
For mendexk-2.6e version 2.6e, update to a newer version.
For texlive-dvips-2007 version 2007, update to a newer version.
For texlive-latex-2007 version 2007, update to a newer version.
For texlive-afm-2007 version 2007, update to a newer version.
For kpathsea-2007 version 2007, update to a newer version.
For kpathsea-devel-2007 version 2007, update to a newer version.
For texlive-east-asian-2007 version 2007, update to a newer version.
As a temporary workaround, consider disabling the vulnerable functions until a patch is available. Restrict access to the vulnerable modules to minimize the risk of exploitation. Avoid using the vulnerable parameters in the affected API endpoints until the issue is resolved.
Fix
DoS
Buffer Overflow
Related identifiers
Affected products
Alt Linux
Centos
Red Hat
Suse
Kpathsea
Kpathsea-Devel
T1Lib
Tex Live
Texlive-Afm
Texlive-Context
Texlive-Debuginfo
Texlive-Dvips
Texlive-Dviutils
Texlive-East-Asian
Texlive-Latex
Texlive-Utils
Texlive-Xetex