Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 16 Nov 2015 19:18:10 +0900
From: 김종권 <>
Subject: CVE-2015-8106 - latex2rtf v2.3.8 format string vulnerability

Dear List,

I am writing this to report a format string vulnerability in ubuntu 
package latex2rtf. (2.3.8, which is the latest version).
Also I already have been assigned a CVE identifier from MITRE 
"CVE-2015-8106", so I want to make public this vulnerability.

- Target Platform
    Windows, Linux, OS X
- Target Version
    2.3.8 (Latest Version)

- Vulnerability description
When the user runs latex2rtf with malicious crafted tex file, an 
attacker can execute arbitrary code.
The function CmdKeywords processes the \keywords command in tex file.
The variable `keywords' in the function CmdKeywords may hold a malicious 
input string, which can be used as a format argument of vsnprintf.

-- Step 1. (funct1.c 1789 line)

1789        char *keywords = getBraceParam();

For instance, the variable keywords will point to the string “MALICIOUS” 
when a text line "\keywords{MALICIOUS}” exists in an input tex file.

-- Step 2. (funct1.c 1798 line)

1798    fprintRTF(keywords);

fprintfRTF() is called in line 1798, and the parameter is used as a 
format string, which can be malicious, as we described in step 1.

-- Step 3. (main.c 873 line)
858    void fprintRTF(char *format, ...){
873    vsnprintf(buffer, 1024, format, apf);

The value of format, which may be malicious, is used as an argument of 
vsnprintf in line 873, therefore arbitrary code can be executed.

-- Step 4. Our malicious input
\author{Jong-Gwon Kim}
~ $ latex2rtf -v
latex2rtf 2.3.8 r1240 (released June 16 2014)

Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO

Written by Prahl, Lehner, Granzer, Dorner, Polzer, Trisko, Schlatterbeck.
~ $ latex2rtf exploit.tex
aborted (core dumped)

-- Step 5. How to fix
(funct1.c 1798 line)

1798    fprintRTF(keywords);  ===>  fprintRTF("%s", keywords);

- How we found the vulnerability

We used a static analyzer, Sparrow[1], to find the format string bug. 
Our analyzer reported an alarm in latex2rtf main.c 873 line, So we 
looked for a latex2rtf source code and found the bug.

Sparrow is a state-of-the-art static analyzer that aims to verify the 
absence of fatal bugs in C source. Sparrow is designed by Abstract 
Interpretation and the analysis is sound in design. Sparrow adopts a 
number of well-founded static analysis techniques[2,3] for scalability, 
precision, and user convenience.

[2]: Selective Context-Sensitivity Guided by Impact Pre-Analysis. Hakjoo 
Oh, Wonchan Lee, Kihong Heo, Hongseok Yang, and Kwangkeun Yi. PLDI'14.
[3]: Design and Implementation of Sparse Global Analyses for C-like 
Languages. Hakjoo Oh, Kihong Heo, Wonchan Lee, Woosuk Lee, and Kwangkeun 
Yi. PLDI'12

Sincerely, Jong-Gwon Kim & Woosuk Lee

Jong-Gwon Kim
Graduate student
ROPAS lab. (
ROSAEC center (
Seoul National University
(tel) +82-2-880-1865
Woosuk Lee
Ph.D. candidate
ROPAS lab. (
ROSAEC center (
Seoul National University
(tel) +82-2-880-1865

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ