I'm asking about the author of the email reproduced (without
permission) below.  The simple errors described there have been
fixed, with corrected code for the two ctan programs available at
     http://www.forkosh.com/mimetex.zip
     http://www.forkosh.com/mathtex.zip
But it's not yet submitted to ctan as they're trivial errors very
hard to trip over and hardly worth the administrative overhead (for
me or for ctan).  However, they are errors worth my time to fix,
and somebody (see cc's on email) must have taken a hard look
at the programs to find them.  For that I'm grateful.

What does bother me, however, is what seems to me like the
pompous, supercilious attitude of self-proclaimed net police
who write email to total strangers containing stuff like
   IMPORTANT: Please let us know if you have any questions/concerns,
   we would ask you not to disclose any of this information publicly
   until we have confirmed an embargo date for these issues. (please
   let me know if you are not familiar with this practice).
Well, I'm not familiar with this practice!
Embargo date?  Who does this guy think he is???
--
John Forkosh  ( mailto:  j...@f.com  where j=john and f=forkosh )

Here's the entire email...

From lc...@ocert.org Mon May 25 14:26:48 2009
Date: Mon, 25 May 2009 19:26:46 +0100
From: Andrea Barisani <lc...@ocert.org>
To: j...@forkosh.com
Cc: incide...@ocert.org,
    Chris Evans <cev...@google.com>,
    Damien Miller <d...@google.com>
Subject: [oCERT] mimetex and mathtex security vulnerabilities

Hi John,

oCERT received two vulnerability reports about mathex and mimetex. We can put
you in contact with reporters and provide you with more detail if needed.

We would like to know if you are willing to provide patches and coordinate
with us an advisory release as well as pre-notification to vendors and
possibly US-CERT considering the large amount of website which uses your
cgis.

IMPORTANT: Please let us know if you have any questions/concerns, we would
ask you not to disclose any of this information publicly until we have
confirmed an embargo date for these issues. (please let me know if you are
not familiar with this practice).

I'm ccing the reporters for further discussion.

Thanks a lot!

Report 1:

There appears to rampant strcpy() use, many usages of which seem vulnerable.
A simple example TeX expression that triggers one and therefore crashes, is:

\picture(12,34){(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$10,10){testing}}

The code flaw seems to be in rastpicture():

char pream[64];
...
      strcpy(pream,putexpr); }    /* copy leading preamble from put */

No bounds checking. Perhaps a wholesale conversion of strcpy() -> strncpy()
(remembering it does not null terminate) is in order?

Poking around on Google image search, some significant web sites would seem
to embed a copy of mimetex.cgi and therefore are at risk:
http://images.google.com/images?hl=en&q=inurl%3Abin%2Fmimetex&btnG=Se...
...
http://physics.harvard.edu/cgi-bin/mimetex.cgi?f(x)=
\int_{-\infty}^xe^{-t^2}dt
https://richarddawkins.net/cgi-bin/mimetex.cgi?\int_{10}^{13} x dx
http://www.sciforums.com/cgi-bin/mimetex.cgi?\int \limits_a^b 4x^2~dx
http://bioeng.washington.edu/cgi-bin/mimetex.cgi?  \huge  r2_o = r_{io} +
h_o

Report 2:

In MathTeX picking one of the several arguments that is supplied to
subprocesses:

   920  if ( getdirective(expression,"\\density",1,1,density) /*look for
\density*/
   921  ==   NULL )                             /* no \density directive */
   922    getdirective(expression,"\\dpi",1,1,density); /* so try \dpi
instead */
...
  1081  char  convertargs[1024] =               /* args/switches for convert
*/
  1082          " -density %%dpi%% -gamma %%gamma%%"
  1083          /*" -border 0% -fuzz 2%"*/
  1084          " -trim -transparent \"#FFFFFF\" ";
...
  1266    /* --- replace %%dpi%% in convert arg template with actual density
--- */
  1267    strreplace(convertargs,"%%dpi%%",density,1,0);
...
  1277    strcat(command,convertargs);          /* add convert switches */
...
  1284    sys_stat = system(command);           /* execute system(convert)
command */

The getdirective() function extracts a directive from the HTTP query string,
taking untrusted input with no filtering.

There are also stack-based overflows caused by operations on convertargs,
command and pretty much every other string.

Finally, and I haven't bothered to confirm this given the above, it looks
like its temp file handling is insecure too: it uses deterministic paths and
does not open with O_CREAT|O_EXCL (in fact, it just uses fopen).

--
Andrea Barisani |                Founder & Project Coordinator
          oCERT | Open Source Computer Emergency Response Team

<lc...@ocert.org>                         http://www.ocert.org
 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
        "Pluralitas non est ponenda sine necessitate"