From secure@conectiva.com.br Wed Nov 6 17:28:21 2002 From: secure@conectiva.com.br To: conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net, bugtraq@securityfocus.com, security-alerts@linuxsecurity.com Date: Tue, 29 Oct 2002 19:51:03 -0200 Subject: [CLA-2002:537] Conectiva Linux Security Announcement - tetex -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : tetex SUMMARY : dvips command execution vulnerability DATE : 2002-10-29 19:49:00 ID : CLA-2002:537 RELEVANT RELEASES : 6.0, 7.0, 8 - ------------------------------------------------------------------------- DESCRIPTION tetex contains the TeX typesetting system. Among other features, it includes support to generate documents using LaTeX, which is widely used for the production of technical and scientific documentation. It also contains a set of utilities to work with and convert various file formats, such as DVI, PDF, PS and others. Olaf Kirch from SuSE discovered a vulnerability in the dvips utility, which is used to convert .dvi files to PostScript. dvips is calling the system() function in an insecure way when handling font names. An attacker can exploit this by creating a carefully crafted dvi file which, when opened by dvips, will cause the execution of arbitrary commands. Since dvips is used as a default filter by the printing system (LPRng) of Conectiva Linux 6.0 and 7.0, an attacker with permissions to send printer jobs could execute arbitrary commands with the privileges of the 'lp' user (which is the system user responsible for the printing system) by sending a dvi file to be printed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0836 to this issue[1]. Some preventive fixes related to the use of temporary files were added to the tetex packages of Conectiva Linux 6.0 and 7.0. The packages distributed with Conectiva Linux 8 already have such fixes. SOLUTION All tetex users should upgrade. The dvips utility is in the "tetex-dvips" package. REFERENCES: 1.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0836 DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/6.0/RPMS/tetex-1.0.7-8U60_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/tetex-afm-1.0.7-8U60_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/tetex-dvilj-1.0.7-8U60_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/tetex-dvips-1.0.7-8U60_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/tetex-latex-1.0.7-8U60_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/tetex-xdvi-1.0.7-8U60_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/tetex-1.0.7-8U60_1cl.src.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tetex-1.0.7-11U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tetex-afm-1.0.7-11U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tetex-devel-1.0.7-11U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tetex-dvilj-1.0.7-11U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tetex-dvips-1.0.7-11U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tetex-latex-1.0.7-11U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tetex-xdvi-1.0.7-11U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/tetex-1.0.7-11U70_1cl.src.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/tetex-1.0.7-13U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/tetex-afm-1.0.7-13U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/tetex-devel-1.0.7-13U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/tetex-dvilj-1.0.7-13U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/tetex-dvips-1.0.7-13U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/tetex-latex-1.0.7-13U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/tetex-xdvi-1.0.7-13U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/SRPMS/tetex-1.0.7-13U80_1cl.src.rpm ADDITIONAL INSTRUCTIONS Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades of RPM packages: - add the following line to /etc/apt/sources.list if it is not there yet (you may also use linuxconf to do this): rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates (replace 6.0 with the correct version number if you are not running CL6.0) - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en - ------------------------------------------------------------------------- subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9vwLG42jd0JmAcZARAl6kAKDZN/nm+b+frfUt1VMG03m7rbRHRACeL6Br mkDO7FJ2WMBzetVTLwsY5aA= =ZBl5 -----END PGP SIGNATURE-----