Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 16 Nov 2015 19:18:10 +0900
From: 김종권 <>
Subject: CVE-2015-8106 - latex2rtf v2.3.8 format string vulnerability

Dear List,

I am writing this to report a format string vulnerability in ubuntu 
package latex2rtf. (2.3.8, which is the latest version).
Also I already have been assigned a CVE identifier from MITRE 
"CVE-2015-8106", so I want to make public this vulnerability.

- Target Platform
    Windows, Linux, OS X
- Target Version
    2.3.8 (Latest Version)

- Vulnerability description
When the user runs latex2rtf with malicious crafted tex file, an 
attacker can execute arbitrary code.
The function CmdKeywords processes the \keywords command in tex file.
The variable `keywords' in the function CmdKeywords may hold a malicious 
input string, which can be used as a format argument of vsnprintf.

-- Step 1. (funct1.c 1789 line)

1789        char *keywords = getBraceParam();

For instance, the variable keywords will point to the string “MALICIOUS” 
when a text line "\keywords{MALICIOUS}” exists in an input tex file.

-- Step 2. (funct1.c 1798 line)

1798    fprintRTF(keywords);

fprintfRTF() is called in line 1798, and the parameter is used as a 
format string, which can be malicious, as we described in step 1.

-- Step 3. (main.c 873 line)
858    void fprintRTF(char *format, ...){
873    vsnprintf(buffer, 1024, format, apf);

The value of format, which may be malicious, is used as an argument of 
vsnprintf in line 873, therefore arbitrary code can be executed.

-- Step 4. Our malicious input
\author{Jong-Gwon Kim}
~ $ latex2rtf -v
latex2rtf 2.3.8 r1240 (released June 16 2014)

Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO

Written by Prahl, Lehner, Granzer, Dorner, Polzer, Trisko, Schlatterbeck.
~ $ latex2rtf exploit.tex
aborted (core dumped)

-- Step 5. How to fix
(funct1.c 1798 line)

1798    fprintRTF(keywords);  ===>  fprintRTF("%s", keywords);

- How we found the vulnerability

We used a static analyzer, Sparrow[1], to find the format string bug. 
Our analyzer reported an alarm in latex2rtf main.c 873 line, So we 
looked for a latex2rtf source code and found the bug.

Sparrow is a state-of-the-art static analyzer that aims to verify the 
absence of fatal bugs in C source. Sparrow is designed by Abstract 
Interpretation and the analysis is sound in design. Sparrow adopts a 
number of well-founded static analysis techniques[2,3] for scalability, 
precision, and user convenience.

[2]: Selective Context-Sensitivity Guided by Impact Pre-Analysis. Hakjoo 
Oh, Wonchan Lee, Kihong Heo, Hongseok Yang, and Kwangkeun Yi. PLDI'14.
[3]: Design and Implementation of Sparse Global Analyses for C-like 
Languages. Hakjoo Oh, Kihong Heo, Wonchan Lee, Woosuk Lee, and Kwangkeun 
Yi. PLDI'12

Sincerely, Jong-Gwon Kim & Woosuk Lee

Jong-Gwon Kim
Graduate student
ROPAS lab. (
ROSAEC center (
Seoul National University
(tel) +82-2-880-1865
Woosuk Lee
Ph.D. candidate
ROPAS lab. (
ROSAEC center (
Seoul National University
(tel) +82-2-880-1865

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.