#1103801 mimetex: CVE-2024-40445 CVE-2024-40446

Package:
mimetex
Source:
mimetex
Description:
LaTeX math expressions to anti-aliased GIF images converter
Submitter:
TaiYou
Date:
2026-05-29 23:11:01 UTC
Severity:
normal
Tags:
#1103801#5
Date:
2025-04-21 16:57:15 UTC
From:
To:
Dear Maintainer,

A code injection vulnerability has been identified in MimeTeX, affecting version 1.76-1 and above. This issue has been assigned CVE-2024-40446.

When operating in command-line or CGI mode, specially crafted input can trigger unintended command execution due to unsafe parsing. The issue arises from the incorrect handling of user-supplied input during expression parsing.

* What led up to the situation?
  While evaluating the security posture of web applications relying on dynamic LaTeX rendering, this vulnerability was discovered in the underlying MimeTeX binary.

* What exactly did you do (or not do) that was effective (or ineffective)?
  Testing was performed with benign but malformed LaTeX input, which led to unexpected execution behavior. Further analysis confirmed the input was being evaluated in a way that allowed for arbitrary code execution.

* What was the outcome of this action?
  A proof of concept confirmed the ability to execute commands supplied via crafted LaTeX input in environments where MimeTeX is exposed to untrusted input (such as via CGI).

* What outcome did you expect instead?
  Input should be treated as data and not lead to code execution under any circumstances.

As MimeTeX appears to be unmaintained upstream, and the impact of this vulnerability includes remote code execution, it is recommended to consider removing the package from Debian, or at minimum, disabling CGI support or sandboxing the binary in its current form.

CVE details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40446

#1103801#10
Date:
2025-04-21 17:06:28 UTC
From:
To:
Although I’ve already requested publication from MITRE, the process may take some time.

In the meantime, here is the public reference I shared with them, which includes additional context for both vulnerabilities:
🔗 https://github.com/TaiYou-TW/CVE-2024-40445_CVE-2024-40446

Please feel free to reach out if you need any further information.

Best regards,

TaiYou

#1103801#25
Date:
2025-04-27 21:44:37 UTC
From:
To:
On 21.04.25 Shang-Hung, Wan (a24230928@gmail.com) wrote:

Hello,

I still don't know how to find the fix for the issue. The upstream
homepage is gone and I'm not convinced that [1] contains the version
1.77.

Hilmar

[1] https://tracker.moodle.org/browse/MDL-70769

#1103801#30
Date:
2025-04-28 09:38:29 UTC
From:
To:
Hello,

I think they only patched the mitigation in Moodle, not MimeTex itself. [1]

And about the 1.77 source code, I can’t find a source other than this Moodle issue ticket so far.

[1] https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-85152&type=commits

Best regards,
TaiYou

#1103801#35
Date:
2025-04-30 22:56:40 UTC
From:
To:
On 28.04.25 Shang-Hung, Wan (a24230928@gmail.com) wrote:

Hello,
Yes, correct.
Maybe I'll open a ticket at Moodle myself to figure out where this
very version 1.77 is located. Not sure if this is possible for me.

Many thanks for now. I tag that bug as "help", just in case anybody
else has an idea how to address the issue.

#1103801#42
Date:
2025-05-08 21:51:43 UTC
From:
To:
On 21.04.25 18:57, TaiYou wrote:

Hello,
Are you sure that 1.76 and above is affected? I would rather think 1.76
and below is affected.

Until now I did not find anywhere a piece of code which clearly states to
be the source code of mimetex 1.77. The source code in [1] states to be
version 1.75, the binaries (at least that one for ARM64) state to be
version 1.77, so the attached source code does not match the binaries.

To check the binaries built from the source code in [1] I built a test
bed on my web server [2]. On [3] I found more details about the exploit
and how to use it. The source code in my test page is

   <p><img src="/cgi-bin/mimetex.cgi?\input{/etc/passwd}"></p>
   <p><img src="/cgi-bin/mimetex1.cgi?\input{/etc/passwd}"></p>
   <p><img src="/cgi-bin/mimetex2.cgi?\input{/etc/passwd}"></p>

As you can see, my /etc/passwd is not displayed.

- mimetex.cgi is the official Debian package
- mimetex1.cgi is the binary I built from the code on [1]
- mimetex2.cgi is the binary for ARM64 I downloaded from [1]

Into the web page I copied the code from [4], so anybody can enter LaTeX
code to be rendered by mimetex, but for obvious reasons, the code is
commented.

Could you go more into detail about what the exploit looks like?

Thanks,
   Hilmar

[1] https://tracker.moodle.org/browse/MDL-70769
[2] http://rasppi3.hilmar-preusse.de/~hille/mimetex.html
[3] https://www.cve.news/cve-2024-40446/
[4] https://ctan.math.washington.edu/tex-archive/support/mimetex/mimetex.html

#1103801#47
Date:
2025-05-09 09:52:26 UTC
From:
To:
Hello Hilmar,

Yes, version 1.74 is not affected because I think the vulnerable feature was added in 1.76. (or 1.75, I can’t find the source code of 1.75 so I can’t make sure of it)

There is a comment [1] that stated that he contacted the author John, and he said version 1.75 in the source code is just a mistake, it’s indeed version 1.77.


About the article you mentioned from cve[.]news, I checked it and found it’s total nonsense, since:

1. The vulnerable code it mentioned doesn’t even exist in MimeTeX
2. It’s not a valid PoC
3. It can’t even distinguish the vulnerability type

Therefore, I highly suspect that it’s just an AI-generated article and can’t be a useful reference.


Since I don’t want to expose too much information about the exploit to the public, I will send you another email in private with information about the exploit.


Best regards,
TaiYou

[1] https://tracker.moodle.org/browse/MDL-70769?focusedId=844397&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-844397

#1103801#52
Date:
2025-05-09 20:26:54 UTC
From:
To:
On 09.05.25 11:52, Shang-Hung, Wan wrote:

Hello Shang-Hung,

as you've noticed I've taken my web page offline: running a web server
carrying a vulnerable cgi script is probably not the best idea. ;-)
Yes, I've seen that. However I'm wondering why they did not publish the
"fixed" source code.

Yes, correct. However I thought it could be some kind of sample code,
which does not literally have to appear in the source code...although not
even the function names appear. I'm not good at coding.
Yes, I was wondering about this too: why they mixed the two CVEs.
I've seen three links to YouTube published in the CVE reports. YouTube
forced me to log in, however the videos are still not accessible. Maybe
this explains my dumb questions.


Hilmar

#1103801#57
Date:
2025-05-11 15:18:50 UTC
From:
To:
Control: clone 1103801 -1
Control: retitle -1 CVE-2024-40445: Directory Traversal
Control: retitle 1103801 CVE-2024-40446: code injection vulnerability
I'm splitting off CVE-2024-40445 to a new bug.

Hilmar

#1103801#66
Date:
2026-05-25 10:17:45 UTC
From:
To:
On 4/21/25 18:57, TaiYou wrote:

Hello TaiYou,

Yes, that issue is still open. I now have a patch, which solves/removes
the vulnerability by completely disabling \mathtex.

Would this be an acceptable solution?

Hilmar

#1103801#71
Date:
2026-05-25 17:58:47 UTC
From:
To:
Am 25.05.2026 um 12:17 schrieb Hilmar Preuße:

Hello,
to call the gcc correctly.

Hilmar

#1103801#76
Date:
2026-05-26 09:04:21 UTC
From:
To:
Am 26.05.2026 um 03:26 schrieb 萬尚宏:

Hello,

the patch is here:
https://salsa.debian.org/hilmar/mimetex/-/blob/master/debian/patches/CVE-2024-40445.diff?ref_type=heads

Basically it tries to figure out if shell commands are executed using
\mathtex and prevents the call. By default \mathtex is disabled altogether,
but I've enabled it again in the Debian package.

Hilmar
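
Added example, not part of the thread and not the Debian patch: a web-log check for requests to a mimetex CGI that carry the two directives discussed in this bug, `\input` (message #42) and `\mathtex` (messages #66 and #76). The CGI file-name pattern and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Directives named in this bug: \input (test in message #42) and
# \mathtex (disabled by the patch described in message #66).
DIRECTIVES = re.compile(r"\\(input|mathtex)\b", re.IGNORECASE)
# Request line of a Common/Combined Log Format entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: the CGI is installed as mimetex*.cgi, as on the test page.
CGI_PATH = re.compile(r"/mimetex[^/?]*\.cgi$", re.IGNORECASE)

# Constructed sample lines (documentation addresses, placeholder argument).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/May/2025:10:00:01 +0000] "GET /cgi-bin/mimetex.cgi?x%5E2%2By%5E2 HTTP/1.1" 200 412',
    '192.0.2.11 - - [09/May/2025:10:00:05 +0000] "GET /cgi-bin/mimetex.cgi?%5Cinput%7B/etc/passwd%7D HTTP/1.1" 200 980',
    '192.0.2.12 - - [09/May/2025:10:00:09 +0000] "GET /cgi-bin/mimetex2.cgi?%255Cmathtex%2520PLACEHOLDER HTTP/1.1" 200 120',
    '192.0.2.13 - - [09/May/2025:10:00:12 +0000] "GET /index.html?q=%5Cinput HTTP/1.1" 200 55',
]

def decode(query, rounds=3):
    """URL-decode repeatedly so double-encoded backslashes are still seen."""
    for _ in range(rounds):
        nxt = unquote(query)
        if nxt == query:
            break
        query = nxt
    return query

def suspicious_requests(lines):
    """Return (line_no, directive, decoded_expression) for each flagged hit."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue  # not a parseable request line
        path, _, query = m.group(1).partition("?")
        if not CGI_PATH.search(path):
            continue  # only the mimetex CGI is of interest
        expr = decode(query)
        for d in DIRECTIVES.finditer(expr):
            hits.append((no, d.group(1).lower(), expr))
    return hits

if __name__ == "__main__":
    for no, directive, expr in suspicious_requests(SAMPLE_LOG):
        print(f"line {no}: \\{directive} in {expr!r}")
```

A hit only shows that a directive was submitted; whether it had any effect depends on the installed mimetex build.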

#1103801#81
Date:
2026-05-29 23:09:34 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
mimetex, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1103801@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilmar Preuße <hille42@debian.org> (supplier of updated mimetex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 30 May 2026 00:23:44 +0200
Source: mimetex
Architecture: source
Version: 1.76-6
Distribution: unstable
Urgency: medium
Maintainer: Hilmar Preuße <hille42@debian.org>
Changed-By: Hilmar Preuße <hille42@debian.org>
Closes: 1103801
Changes:
 mimetex (1.76-6) unstable; urgency=medium
 .
   * Add patch for CVE-2024-40446 (Closes: #1103801).