ID CVE-2010-2643
Summary Integer overflow in the TFM font parser in the dvi-backend component in Evince 2.32 and earlier allows remote attackers to execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer.
References
Vulnerable Configurations
  • cpe:2.3:a:redhat:evince:2.31.92
  • cpe:2.3:a:redhat:evince:2.32
  • cpe:2.3:a:redhat:evince:2.31.4.1
  • cpe:2.3:a:redhat:evince:2.31.6
  • cpe:2.3:a:redhat:evince:2.31.6.1
  • cpe:2.3:a:redhat:evince:2.31.90
  • cpe:2.3:a:redhat:evince:2.31.4
  • cpe:2.3:a:redhat:evince:2.30.3
  • cpe:2.3:a:redhat:evince:2.30.2
  • cpe:2.3:a:redhat:evince:2.31.2
  • cpe:2.3:a:redhat:evince:2.31.1
  • cpe:2.3:a:redhat:evince:2.29.92
  • cpe:2.3:a:redhat:evince:2.31
  • cpe:2.3:a:redhat:evince:2.30
  • cpe:2.3:a:redhat:evince:2.29
  • cpe:2.3:a:redhat:evince:2.28
  • cpe:2.3:a:redhat:evince:2.27
  • cpe:2.3:a:redhat:evince:2.26
  • cpe:2.3:a:redhat:evince:2.25
  • cpe:2.3:a:redhat:evince:2.24
  • cpe:2.3:a:redhat:evince:2.23
  • cpe:2.3:a:redhat:evince:2.21
  • cpe:2.3:a:redhat:evince:2.22
  • cpe:2.3:a:redhat:evince:2.19
  • cpe:2.3:a:redhat:evince:2.20
  • cpe:2.3:a:redhat:evince:0.8
  • cpe:2.3:a:redhat:evince:0.9
  • cpe:2.3:a:redhat:evince:0.6
  • cpe:2.3:a:redhat:evince:0.7
  • cpe:2.3:a:redhat:evince:0.4
  • cpe:2.3:a:redhat:evince:0.5
  • cpe:2.3:a:redhat:evince:0.2
  • cpe:2.3:a:redhat:evince:0.3
  • cpe:2.3:a:redhat:evince:0.1
CVSS
Base: 7.6 (as of 10-01-2011 - 08:54)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
  • Vector: NETWORK
  • Complexity: HIGH
  • Authentication: NONE
Impact
  • Confidentiality: COMPLETE
  • Integrity: COMPLETE
  • Availability: COMPLETE
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2011-005.NASL
    description Multiple vulnerabilities have been found and corrected in evince : Array index error in the PK and VF font parser in the dvi-backend component in Evince 2.32 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer (CVE-2010-2640, CVE-2010-2641). Heap-based buffer overflow in the AFM font parser in the dvi-backend component in Evince 2.32 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer (CVE-2010-2642). Integer overflow in the TFM font parser in the dvi-backend component in Evince 2.32 and earlier allows remote attackers to execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer (CVE-2010-2643). The updated packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 51797
    published 2011-01-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51797
    title Mandriva Linux Security Advisory : evince (MDVSA-2011:005)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_EVINCE-110105.NASL
    description Multiple font parser vulnerabilities in the DVI backend of evince have been fixed. CVE-2010-2640 - CVE-2010-2643 have been assigned to these issues.
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 51599
    published 2011-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51599
    title SuSE 11.1 Security Update : evince (SAT Patch Number 3769)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2357.NASL
    description Jon Larimer from IBM X-Force Advanced Research discovered multiple vulnerabilities in the DVI backend of the Evince document viewer :
      - CVE-2010-2640 Insufficient array bounds checks in the PK fonts parser could lead to function pointer overwrite, causing arbitrary code execution.
      - CVE-2010-2641 Insufficient array bounds checks in the VF fonts parser could lead to function pointer overwrite, causing arbitrary code execution.
      - CVE-2010-2642 Insufficient bounds checks in the AFM fonts parser when writing data to a memory buffer allocated on heap could lead to arbitrary memory overwrite and arbitrary code execution.
      - CVE-2010-2643 Insufficient check on an integer used as a size for memory allocation can lead to arbitrary write outside the allocated range and cause arbitrary code execution.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 56999
    published 2011-12-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56999
    title Debian DSA-2357-1 : evince - several vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-0009.NASL
    description Updated evince packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Evince is a document viewer. An array index error was found in the DeVice Independent (DVI) renderer's PK and VF font file parsers. A DVI file that references a specially crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince. (CVE-2010-2640, CVE-2010-2641) A heap-based buffer overflow flaw was found in the DVI renderer's AFM font file parser. A DVI file that references a specially crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince. (CVE-2010-2642) An integer overflow flaw was found in the DVI renderer's TFM font file parser. A DVI file that references a specially crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince. (CVE-2010-2643) Note: The above issues are not exploitable unless an attacker can trick the user into installing a malicious font file. Red Hat would like to thank the Evince development team for reporting these issues. Upstream acknowledges Jon Larimer of IBM X-Force as the original reporter of these issues. Users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 51432
    published 2011-01-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51432
    title RHEL 6 : evince (RHSA-2011:0009)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2011-0208.NASL
    description
      - Thu Jan 6 2011 Marek Kasik - 2.32.0-3
        - Fixes CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643
        - Resolves: #667573
      - Mon Nov 22 2010 Marek Kasik - 2.32.0-2
        - Fix crash in clear_job_selection()
        - Remove unused patch
        - Resolves: #647689
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 51445
    published 2011-01-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51445
    title Fedora 14 : evince-2.32.0-3.fc14 (2011-0208)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_EVINCE-110105.NASL
    description Multiple font parser vulnerabilities in the DVI backend of evince have been fixed. CVE-2010-2640 - CVE-2010-2643 have been assigned to these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75478
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75478
    title openSUSE Security Update : evince (openSUSE-SU-2011:0045-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_2_EVINCE-110105.NASL
    description Multiple font parser vulnerabilities in the DVI backend of evince have been fixed. CVE-2010-2640 - CVE-2010-2643 have been assigned to these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 53713
    published 2011-05-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53713
    title openSUSE Security Update : evince (openSUSE-SU-2011:0045-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201111-10.NASL
    description The remote host is affected by the vulnerability described in GLSA-201111-10 (Evince: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Evince. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to load a DVI file with a specially crafted font, resulting in the execution of arbitrary code with the privileges of the user running the application or a Denial of Service. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 56906
    published 2011-11-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56906
    title GLSA-201111-10 : Evince: Multiple vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1035-1.NASL
    description Jon Larimer discovered that Evince's font parsers incorrectly handled certain buffer lengths when rendering a DVI file. By tricking a user into opening or previewing a DVI file that uses a specially crafted font file, an attacker could crash evince or execute arbitrary code with the user's privileges. In the default installation of Ubuntu 9.10 and later, attackers would be isolated by the Evince AppArmor profile. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 51421
    published 2011-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51421
    title Ubuntu 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : evince vulnerabilities (USN-1035-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2011-0224.NASL
    description
      - Thu Jan 6 2011 Marek Kasik - 2.30.3-2
        - Fixes CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643
        - Resolves: #667573
      - Fri Jun 25 2010 Marek Kasik - 2.30.3-1
        - Update to 2.30.3
      - Tue Jun 22 2010 Marek Kasik - 2.30.2-1
        - Update to 2.30.2 (resolves #587495)
        - Remove unused patches
      - Tue Jun 22 2010 Marek Kasik - 2.30.1-3
        - Check whether metadata is NULL before using it
        - Resolves: #597777
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 51465
    published 2011-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51465
    title Fedora 13 : evince-2.30.3-2.fc13 (2011-0224)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_EVINCE-7309.NASL
    description Multiple font parser vulnerabilities in the DVI backend of evince have been fixed. CVE-2010-2640 / CVE-2010-2641 / CVE-2010-2642 / CVE-2010-2643 have been assigned to these issues.
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 51640
    published 2011-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51640
    title SuSE 10 Security Update : evince (ZYPP Patch Number 7309)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20110106_EVINCE_ON_SL6_X.NASL
    description An array index error was found in the DeVice Independent (DVI) renderer's PK and VF font file parsers. A DVI file that references a specially crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince. (CVE-2010-2640, CVE-2010-2641) A heap-based buffer overflow flaw was found in the DVI renderer's AFM font file parser. A DVI file that references a specially crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince. (CVE-2010-2642) An integer overflow flaw was found in the DVI renderer's TFM font file parser. A DVI file that references a specially crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince. (CVE-2010-2643) Note: The above issues are not exploitable unless an attacker can trick the user into installing a malicious font file.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 60930
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60930
    title Scientific Linux Security Update : evince on SL6.x i386/x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2011-0009.NASL
    description From Red Hat Security Advisory 2011:0009 : Updated evince packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Evince is a document viewer. An array index error was found in the DeVice Independent (DVI) renderer's PK and VF font file parsers. A DVI file that references a specially crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince. (CVE-2010-2640, CVE-2010-2641) A heap-based buffer overflow flaw was found in the DVI renderer's AFM font file parser. A DVI file that references a specially crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince. (CVE-2010-2642) An integer overflow flaw was found in the DVI renderer's TFM font file parser. A DVI file that references a specially crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince. (CVE-2010-2643) Note: The above issues are not exploitable unless an attacker can trick the user into installing a malicious font file. Red Hat would like to thank the Evince development team for reporting these issues. Upstream acknowledges Jon Larimer of IBM X-Force as the original reporter of these issues. Users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68178
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68178
    title Oracle Linux 6 : evince (ELSA-2011-0009)
redhat via4
advisories
bugzilla
id 666321
title CVE-2010-2643 evince: Integer overflow in DVI file TFM font parser
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhba:tst:20111656001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhba:tst:20111656002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhba:tst:20111656003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20111656004
  • OR
    • AND
      • comment evince is earlier than 0:2.28.2-14.el6_0.1
        oval oval:com.redhat.rhsa:tst:20110009005
      • comment evince is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110009006
    • AND
      • comment evince-devel is earlier than 0:2.28.2-14.el6_0.1
        oval oval:com.redhat.rhsa:tst:20110009009
      • comment evince-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110009010
    • AND
      • comment evince-dvi is earlier than 0:2.28.2-14.el6_0.1
        oval oval:com.redhat.rhsa:tst:20110009011
      • comment evince-dvi is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110009012
    • AND
      • comment evince-libs is earlier than 0:2.28.2-14.el6_0.1
        oval oval:com.redhat.rhsa:tst:20110009007
      • comment evince-libs is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110009008
rhsa
id RHSA-2011:0009
released 2011-01-06
severity Moderate
title RHSA-2011:0009: evince security update (Moderate)
rpms
  • evince-0:2.28.2-14.el6_0.1
  • evince-devel-0:2.28.2-14.el6_0.1
  • evince-dvi-0:2.28.2-14.el6_0.1
  • evince-libs-0:2.28.2-14.el6_0.1
refmap via4
bid 45678
confirm
debian DSA-2357
fedora
  • FEDORA-2011-0208
  • FEDORA-2011-0224
mandriva MDVSA-2011:005
sectrack 1024937
secunia
  • 42769
  • 42821
  • 42847
  • 42872
  • 43068
suse SUSE-SR:2011:002
ubuntu USN-1035-1
vupen
  • ADV-2011-0029
  • ADV-2011-0043
  • ADV-2011-0056
  • ADV-2011-0097
  • ADV-2011-0102
  • ADV-2011-0212
Last major update 18-01-2012 - 22:49
Published 07-01-2011 - 14:00