Bug#1061520: marked as done (mathtex: CVE-2023-51885 CVE-2023-51886 CVE-2023-51887 CVE-2023-51888 CVE-2023-51889 CVE-2023-51890)

To: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Subject: Bug#1061520: marked as done (mathtex: CVE-2023-51885 CVE-2023-51886 CVE-2023-51887 CVE-2023-51888 CVE-2023-51889 CVE-2023-51890)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Mon, 11 Nov 2024 17:42:03 +0000
Message-id: <[🔎] handler.1061520.D1061520.17313468122938989.ackdone@bugs.debian.org>
Reply-to: 1061520@bugs.debian.org
References: <[🔎] E1tAYOW-002Iiy-CU@fasolo.debian.org> <170621627644.1730791.16428458221793668870.reportbug@eldamar.lan>

Your message dated Mon, 11 Nov 2024 17:40:08 +0000
with message-id <[🔎] E1tAYOW-002Iiy-CU@fasolo.debian.org>
and subject line Bug#1086301: Removed package(s) from unstable
has caused the Debian Bug report #1061520,
regarding mathtex: CVE-2023-51885 CVE-2023-51886 CVE-2023-51887 CVE-2023-51888 CVE-2023-51889 CVE-2023-51890
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1061520: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061520
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mathtex: CVE-2023-51885 CVE-2023-51886 CVE-2023-51887 CVE-2023-51888 CVE-2023-51889 CVE-2023-51890
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 25 Jan 2024 21:57:56 +0100
Message-id: <170621627644.1730791.16428458221793668870.reportbug@eldamar.lan>

Source: mathtex
Version: 1.03-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for mathtex.

CVE-2023-51885[0]:
| Buffer Overflow vulnerability in Mathtex v.1.05 and before allows a
| remote attacker to execute arbitrary code via the length of the
| LaTeX string component.


CVE-2023-51886[1]:
| Buffer Overflow vulnerability in the main() function in Mathtex 1.05
| and before allows a remote attacker to cause a denial of service
| when using \convertpath.


CVE-2023-51887[2]:
| Command Injection vulnerability in Mathtex v.1.05 and before allows
| a remote attacker to execute arbitrary code via crafted string in
| application URL.


CVE-2023-51888[3]:
| Buffer Overflow vulnerability in the nomath() function in Mathtex
| v.1.05 and before allows a remote attacker to cause a denial of
| service via a crafted string in the application URL.


CVE-2023-51889[4]:
| Stack Overflow vulnerability in the validate() function in Mathtex
| v.1.05 and before allows a remote attacker to execute arbitrary code
| via crafted string in the application URL.


CVE-2023-51890[5]:
| An infinite loop issue discovered in Mathtex 1.05 and before allows
| a remote attackers to consume CPU resources via crafted string in
| the application URL.

[6] contains the "fuzzing mathtex" report.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-51885
    https://www.cve.org/CVERecord?id=CVE-2023-51885
[1] https://security-tracker.debian.org/tracker/CVE-2023-51886
    https://www.cve.org/CVERecord?id=CVE-2023-51886
[2] https://security-tracker.debian.org/tracker/CVE-2023-51887
    https://www.cve.org/CVERecord?id=CVE-2023-51887
[3] https://security-tracker.debian.org/tracker/CVE-2023-51888
    https://www.cve.org/CVERecord?id=CVE-2023-51888
[4] https://security-tracker.debian.org/tracker/CVE-2023-51889
    https://www.cve.org/CVERecord?id=CVE-2023-51889
[5] https://security-tracker.debian.org/tracker/CVE-2023-51890
    https://www.cve.org/CVERecord?id=CVE-2023-51890
[6] https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

To: 568931-done@bugs.debian.org,838712-done@bugs.debian.org,1061520-done@bugs.debian.org,1086390-done@bugs.debian.org,1049921-done@bugs.debian.org,1086506-done@bugs.debian.org,

Cc: mathtex@packages.debian.org

Subject: Bug#1086301: Removed package(s) from unstable

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Date: Mon, 11 Nov 2024 17:40:08 +0000

Message-id: <[🔎] E1tAYOW-002Iiy-CU@fasolo.debian.org>
Version: 1.03-3+rm

Dear submitter,

as the package mathtex has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1086301

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)
--- End Message ---

Reply to:

References:
- Bug#1086301: Removed package(s) from unstable
  - From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Prev by Date: Bug#1085447: Removed package(s) from unstable
Next by Date: Bug#838712: marked as done (mathtex dvipng-related error Debian 8 (Jessie))
Previous by thread: Bug#1086301: Removed package(s) from unstable
Next by thread: Bug#838712: marked as done (mathtex dvipng-related error Debian 8 (Jessie))
Index(es):
- Date
- Thread