Bug 1222127 (CVE-2023-46051) - VUL-0: CVE-2023-46051: texlive: NULL pointer dereference in texk/web2c/pdftexdir/tounicode.c
Summary: VUL-0: CVE-2023-46051: texlive: NULL pointer dereference in texk/web2c/pdftex...
Status: NEW
Alias: CVE-2023-46051
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/399124/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-46051:3.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-28 12:18 UTC by SMASH SMASH
Modified: 2024-07-19 08:58 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
source-CVE-2023-46051.patch (877 bytes, text/plain)
2024-04-02 13:07 UTC, Dr. Werner Fink 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-03-28 12:18:22 UTC 
TeX Live 944e257 allows a NULL pointer dereference in texk/web2c/pdftexdir/tounicode.c. NOTE: this is disputed because it should be categorized as a usability problem.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46051
https://www.cve.org/CVERecord?id=CVE-2023-46051
http://seclists.org/fulldisclosure/2024/Jan/68
https://tug.org/pipermail/tex-live/2023-August/049406.html
Comment 2 Dr. Werner Fink 2024-03-28 14:04:55 UTC 
TeXLive 2024 is save
Comment 3 Dr. Werner Fink 2024-04-02 13:07:06 UTC 
Created attachment 874000 [details]
source-CVE-2023-46051.patch

The only tounicode.c showing the vulnerability belongs to pdftex
Comment 4 Dr. Werner Fink 2024-04-03 13:49:06 UTC 
Patch does not apply to TeXLive 2013 of SLE-12 as there is no such code
Comment 7 Maintenance Automation 2024-04-16 12:30:05 UTC 
SUSE-SU-2024:1310-1: An update that solves two vulnerabilities can now be installed.

Category: security (low)
Bug References: 1222126, 1222127
CVE References: CVE-2023-46048, CVE-2023-46051
Maintenance Incident: [SUSE:Maintenance:33218](https://smelt.suse.de/incident/33218/)
Sources used:
openSUSE Leap 15.4 (src):
 texlive-2021.20210325-150400.31.6.4
openSUSE Leap 15.5 (src):
 texlive-2021.20210325-150400.31.6.4
Basesystem Module 15-SP5 (src):
 texlive-2021.20210325-150400.31.6.4
Desktop Applications Module 15-SP5 (src):
 texlive-2021.20210325-150400.31.6.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.