Ubuntu Security Notice USN-554-1
6th December, 2007
tetex-bin, texlive-bin vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 7.10
- Ubuntu 7.04
- Ubuntu 6.10
- Ubuntu 6.06 LTS
Software description
- tetex-bin
- texlive-bin
Details
Bastien Roucaries discovered that dvips as included in tetex-bin
and texlive-bin did not properly perform bounds checking. If a
user or automated system were tricked into processing a specially
crafted dvi file, dvips could be made to crash and execute code as
the user invoking the program. (CVE-2007-5935)
Joachim Schrod discovered that the dviljk utilities created
temporary files in an insecure way. Local users could exploit a
race condition to create or overwrite files with the privileges of
the user invoking the program. (CVE-2007-5936)
Joachim Schrod discovered that the dviljk utilities did not
perform bounds checking in many instances. If a user or automated
system were tricked into processing a specially crafted dvi file,
the dviljk utilities could be made to crash and execute code as
the user invoking the program. (CVE-2007-5937)
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 7.10:
- texlive-extra-utils 2007-12ubuntu3.1
- Ubuntu 7.04:
- tetex-bin 3.0-27ubuntu1.2
- Ubuntu 6.10:
- tetex-bin 3.0-17ubuntu2.1
- Ubuntu 6.06 LTS:
- tetex-bin 3.0-13ubuntu6.1
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system upgrade is sufficient to effect the
necessary changes.