Array index error in the VF font parser in the dvi-backend component in Evince 2.32 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer.

Multiple font parser vulnerabilities in the DVI backend of evince have been fixed. CVE-2010-2640 - CVE-2010-2643 have been assigned to these issues.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2011-0009 advisory.

    - Fixes CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An array index error was found in the DeVice Independent (DVI) renderer's PK and VF font file parsers. A DVI file that references a specially crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince. (CVE-2010-2640, CVE-2010-2641)

A heap-based buffer overflow flaw was found in the DVI renderer's AFM font file parser. A DVI file that references a specially crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince.
(CVE-2010-2642)

An integer overflow flaw was found in the DVI renderer's TFM font file parser. A DVI file that references a specially crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince.
(CVE-2010-2643)

Note: The above issues are not exploitable unless an attacker can trick the user into installing a malicious font file.

Jon Larimer from IBM X-Force Advanced Research discovered multiple vulnerabilities in the DVI backend of the Evince document viewer :

  - CVE-2010-2640     Insufficient array bounds checks in the PK fonts parser     could lead to function pointer overwrite, causing     arbitrary code execution.

  - CVE-2010-2641     Insufficient array bounds checks in the VF fonts parser     could lead to function pointer overwrite, causing     arbitrary code execution.

  - CVE-2010-2642     Insufficient bounds checks in the AFM fonts parser when     writing data to a memory buffer allocated on heap could     lead to arbitrary memory overwrite and arbitrary code     execution.

  - CVE-2010-2643     Insufficient check on an integer used as a size for     memory allocation can lead to arbitrary write outside     the allocated range and cause arbitrary code execution.

The remote host is affected by the vulnerability described in GLSA-201111-10 (Evince: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Evince. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user to load a DVI file with a       specially crafted font, resulting in the execution of arbitrary code with       the privileges of the user running the application or a Denial of       Service.
  Workaround :

    There is no known workaround at this time.

Multiple vulnerabilities has been found and corrected in evince :

Array index error in the PK and VF font parser in the dvi-backend component in Evince 2.32 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer (CVE-2010-2640, CVE-2010-2641).

Heap-based buffer overflow in the AFM font parser in the dvi-backend component in Evince 2.32 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer (CVE-2010-2642).

Integer overflow in the TFM font parser in the dvi-backend component in Evince 2.32 and earlier allows remote attackers to execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer (CVE-2010-2643).

The updated packages have been patched to correct these issues.

Multiple font parser vulnerabilities in the DVI backend of evince have been fixed. CVE-2010-2640 / CVE-2010-2641 / CVE-2010-2642 / CVE-2010-2643 have been assigned to these issues.

- Thu Jan 6 2011 Marek Kasik <mkasik at redhat.com> -     2.30.3-2

    - Fixes CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and       CVE-2010-2643

    - Resolves: #667573

    - Fri Jun 25 2010 Marek Kasik <mkasik at redhat.com> -       2.30.3-1

    - Update to 2.30.3

    - Tue Jun 22 2010 Marek Kasik <mkasik at redhat.com> -       2.30.2-1

    - Update to 2.30.2 (resolves #587495)

    - Remove unused patches

    - Tue Jun 22 2010 Marek Kasik <mkasik at redhat.com> -       2.30.1-3

    - Check whether metadata is NULL before using it

    - Resolves: #597777

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Thu Jan 6 2011 Marek Kasik <mkasik at redhat.com> -     2.32.0-3

    - Fixes CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and       CVE-2010-2643

    - Resolves: #667573

    - Mon Nov 22 2010 Marek Kasik <mkasik at redhat.com> -       2.32.0-2

    - Fix crash in clear_job_selection()

    - Remove unused patch

    - Resolves: #647689

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated evince packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Evince is a document viewer.

An array index error was found in the DeVice Independent (DVI) renderer's PK and VF font file parsers. A DVI file that references a specially crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince. (CVE-2010-2640, CVE-2010-2641)

A heap-based buffer overflow flaw was found in the DVI renderer's AFM font file parser. A DVI file that references a specially crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince.
(CVE-2010-2642)

An integer overflow flaw was found in the DVI renderer's TFM font file parser. A DVI file that references a specially crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince.
(CVE-2010-2643)

Note: The above issues are not exploitable unless an attacker can trick the user into installing a malicious font file.

Red Hat would like to thank the Evince development team for reporting these issues. Upstream acknowledges Jon Larimer of IBM X-Force as the original reporter of these issues.

Users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues.

Jon Larimer discovered that Evince's font parsers incorrectly handled certain buffer lengths when rendering a DVI file. By tricking a user into opening or previewing a DVI file that uses a specially crafted font file, an attacker could crash evince or execute arbitrary code with the user's privileges.

In the default installation of Ubuntu 9.10 and later, attackers would be isolated by the Evince AppArmor profile.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
75478	openSUSE Security Update : evince (openSUSE-SU-2011:0045-1)	Nessus	SuSE Local Security Checks	high
68178	Oracle Linux 6 : evince (ELSA-2011-0009)	Nessus	Oracle Linux Local Security Checks	high
60930	Scientific Linux Security Update : evince on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
56999	Debian DSA-2357-1 : evince - several vulnerabilities	Nessus	Debian Local Security Checks	high
56906	GLSA-201111-10 : Evince: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
53713	openSUSE Security Update : evince (openSUSE-SU-2011:0045-1)	Nessus	SuSE Local Security Checks	high
51797	Mandriva Linux Security Advisory : evince (MDVSA-2011:005)	Nessus	Mandriva Local Security Checks	high
51640	SuSE 10 Security Update : evince (ZYPP Patch Number 7309)	Nessus	SuSE Local Security Checks	high
51599	SuSE 11.1 Security Update : evince (SAT Patch Number 3769)	Nessus	SuSE Local Security Checks	high
51465	Fedora 13 : evince-2.30.3-2.fc13 (2011-0224)	Nessus	Fedora Local Security Checks	high
51445	Fedora 14 : evince-2.32.0-3.fc14 (2011-0208)	Nessus	Fedora Local Security Checks	high
51432	RHEL 6 : evince (RHSA-2011:0009)	Nessus	Red Hat Local Security Checks	high
51421	Ubuntu 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : evince vulnerabilities (USN-1035-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2010-2641

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high