USN-554-1: teTeX and TeX Live vulnerabilities

6 December 2007

tetex-bin, texlive-bin vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 7.10
  • Ubuntu 7.04
  • Ubuntu 6.10
  • Ubuntu 6.06 LTS

Software Description

  • texlive-bin
  • tetex-bin

Details

Bastien Roucaries discovered that dvips as included in tetex-bin and texlive-bin did not properly perform bounds checking. If a user or automated system were tricked into processing a specially crafted dvi file, dvips could be made to crash and execute code as the user invoking the program. (CVE-2007-5935)

Joachim Schrod discovered that the dviljk utilities created temporary files in an insecure way. Local users could exploit a race condition to create or overwrite files with the privileges of the user invoking the program. (CVE-2007-5936)

Joachim Schrod discovered that the dviljk utilities did not perform bounds checking in many instances. If a user or automated system were tricked into processing a specially crafted dvi file, the dviljk utilities could be made to crash and execute code as the user invoking the program. (CVE-2007-5937)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 7.10
texlive-extra-utils - 2007-12ubuntu3.1
Ubuntu 7.04
tetex-bin - 3.0-27ubuntu1.2
Ubuntu 6.10
tetex-bin - 3.0-17ubuntu2.1
Ubuntu 6.06 LTS
tetex-bin - 3.0-13ubuntu6.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the necessary changes.

References