CVE-2011-5244

Publication date 19 November 2012

Last updated 24 July 2024

Ubuntu priority

Multiple off-by-one errors in the (1) token and (2) linetoken functions in backend/dvi/mdvi-lib/afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME evince, and possibly other products, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a DVI file containing a crafted Adobe Font Metrics (AFM) file, different vulnerabilities than CVE-2010-2642 and CVE-2011-0433.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
evince	12.10 quantal	Not affected
	12.04 LTS precise	Not affected
	11.10 oneiric	Not affected
	10.04 LTS lucid	Fixed 2.30.3-0ubuntu1.2
	8.04 LTS hardy	Ignored end of life

How can I get the fixes?
What do statuses mean?

Notes

jdstrand

this was fixed in the patchset for USN-1035-1, but the afmparse.c portion is only just now getting a CVE

References

MITRE
NVD
Launchpad
Debian

Other references

https://bugzilla.gnome.org/show_bug.cgi?id=643882
http://www.openwall.com/lists/oss-security/2011/03/04/21
http://git.gnome.org/browse/evince/commit/?id=d4139205b010
http://git.gnome.org/browse/evince/commit/?id=439c5070022e
https://www.cve.org/CVERecord?id=CVE-2011-5244