USN-554-1: teTeX and TeX Live vulnerabilities

Releases

• Ubuntu 7.10
• Ubuntu 7.04
• Ubuntu 6.10
• Ubuntu 6.06

Packages

• tetex-bin -
• texlive-bin -

Details

Bastien Roucaries discovered that dvips as included in tetex-bin
and texlive-bin did not properly perform bounds checking. If a
user or automated system were tricked into processing a specially
crafted dvi file, dvips could be made to crash and execute code as
the user invoking the program. (CVE-2007-5935)

Joachim Schrod discovered that the dviljk utilities created
temporary files in an insecure way. Local users could exploit a
race condition to create or overwrite files with the privileges of
the user invoking the program. (CVE-2007-5936)

Joachim Schrod discovered that the dviljk utilities did not
perform bounds checking in many instances. If a user or automated
system were tricked into processing a specially crafted dvi file,
the dviljk utilities could be made to crash and execute code as
the user invoking the program. (CVE-2007-5937)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 7.10

• texlive-extra-utils - 2007-12ubuntu3.1

Ubuntu 7.04

• tetex-bin - 3.0-27ubuntu1.2

Ubuntu 6.10

• tetex-bin - 3.0-17ubuntu2.1

Ubuntu 6.06

• tetex-bin - 3.0-13ubuntu6.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

References

• CVE-2007-5937
• CVE-2007-5935
• CVE-2007-5936