{"id":"CVE-2018-17407","details":"An issue was discovered in t1_check_unusual_charstring functions in writet1.c files in TeX Live before 2018-09-21. A buffer overflow in the handling of Type 1 fonts allows arbitrary code execution when a malicious font is loaded by one of the vulnerable tools: pdflatex, pdftex, dvips, or luatex.","modified":"2026-04-16T06:22:05.203003403Z","published":"2018-09-23T21:29:00.280Z","related":["SUSE-SU-2018:3033-1","SUSE-SU-2018:3033-2","SUSE-SU-2018:3033-3","SUSE-SU-2018:3122-1","openSUSE-SU-2024:11431-1"],"references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-security-announce/2018/msg00230.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3788-1/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3788-2/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4299"},{"type":"FIX","url":"https://github.com/TeX-Live/texlive-source/commit/6ed0077520e2b0da1fd060c7f88db7b2e6068e4c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tex-live/texlive-source","events":[{"introduced":"0"},{"fixed":"6ed0077520e2b0da1fd060c7f88db7b2e6068e4c"}]},{"type":"GIT","repo":"https://github.com/tex-live/texlive-source","events":[{"introduced":"0"},{"fixed":"6ed0077520e2b0da1fd060c7f88db7b2e6068e4c"}]}],"versions":["texlive-2018.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-17407.json","vanir_signatures_modified":"2026-04-11T17:54:09Z","vanir_signatures":[{"source":"https://github.com/tex-live/texlive-source/commit/6ed0077520e2b0da1fd060c7f88db7b2e6068e4c","signature_version":"v1","digest":{"line_hashes":["9791268591048681484189466533196366941","224486063487720674053331003536961317759","53123805931207764341912960437070621194","46727596619073334453305375206035578971","68478864391820934181172959969828339608"],"threshold":0.9},"target":{"file":"texk/dvipsk/writet1.c"},"id":"CVE-2018-17407-1430cd7b","deprecated":false,"signature_type":"Line"},{"source":"https://github.com/tex-live/texlive-source/commit/6ed0077520e2b0da1fd060c7f88db7b2e6068e4c","signature_version":"v1","digest":{"line_hashes":["22924009159388201154967308494624661853","224070519679053124323349878276311203529","123390893019550676027322074092248546979","46727596619073334453305375206035578971","68478864391820934181172959969828339608"],"threshold":0.9},"target":{"file":"texk/web2c/luatexdir/font/writet1.c"},"id":"CVE-2018-17407-34d611c9","signature_type":"Line","deprecated":false},{"source":"https://github.com/tex-live/texlive-source/commit/6ed0077520e2b0da1fd060c7f88db7b2e6068e4c","signature_version":"v1","digest":{"length":419,"function_hash":"212266903493370556945839331844847800932"},"target":{"function":"t1_check_unusual_charstring","file":"texk/web2c/pdftexdir/writet1.c"},"id":"CVE-2018-17407-71885961","signature_type":"Function","deprecated":false},{"source":"https://github.com/tex-live/texlive-source/commit/6ed0077520e2b0da1fd060c7f88db7b2e6068e4c","signature_version":"v1","target":{"function":"t1_check_unusual_charstring","file":"texk/web2c/luatexdir/font/writet1.c"},"digest":{"length":375,"function_hash":"154964959366713946884875089814441253435"},"id":"CVE-2018-17407-9dde0a3a","signature_type":"Function","deprecated":false},{"source":"https://github.com/tex-live/texlive-source/commit/6ed0077520e2b0da1fd060c7f88db7b2e6068e4c","signature_version":"v1","target":{"function":"t1_check_unusual_charstring","file":"texk/dvipsk/writet1.c"},"digest":{"length":419,"function_hash":"212266903493370556945839331844847800932"},"id":"CVE-2018-17407-c3e04853","signature_type":"Function","deprecated":false},{"source":"https://github.com/tex-live/texlive-source/commit/6ed0077520e2b0da1fd060c7f88db7b2e6068e4c","signature_version":"v1","digest":{"line_hashes":["9791268591048681484189466533196366941","224486063487720674053331003536961317759","53123805931207764341912960437070621194","46727596619073334453305375206035578971","68478864391820934181172959969828339608"],"threshold":0.9},"target":{"file":"texk/web2c/pdftexdir/writet1.c"},"id":"CVE-2018-17407-cfd68eb4","signature_type":"Line","deprecated":false}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"2018-09-21"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.10"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"fixed":"2018-09-21"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}