Debian Security Advisory

DSA-207-1 tetex-bin -- arbitrary command execution

Date Reported:
11 Dec 2002
Affected Packages:
tetex-bin
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2002-0836.
More information:

The SuSE security team discovered a vulnerability in the kpathsea library (libkpathsea), which is used by xdvi and dvips. Both programs call the system() function insecurely, which allows a remote attacker to execute arbitrary commands via cleverly crafted DVI files.

If dvips is used as a print filter, this allows a local or remote attacker with print permission to execute arbitrary code as the printer user (usually lp).
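The bug class described above, as an added example (not the kpathsea, xdvi or dvips source): a name taken from an untrusted document is pasted into a shell command line, next to a hardened form that validates it and passes it as a single argv element with no shell. The function names, the helper paths and the sample names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* UNSAFE pattern: the untrusted name becomes part of a shell command line.
   If this string were handed to system(), the shell would interpret any
   metacharacters in it. This function only builds the string. */
int build_shell_command(char *out, size_t n, const char *helper, const char *name) {
    return snprintf(out, n, "%s %s", helper, name);
}

/* Allow-list: letters, digits, '.', '_' and '-', and no leading '-' so the
   name cannot be read as an option by the helper. */
int name_is_plain(const char *name) {
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    if (name == NULL || name[0] == '\0' || name[0] == '-') return 0;
    return strspn(name, ok) == strlen(name);
}

/* Hardened form: no shell is involved; the name is exactly one argv element.
   Returns the helper's exit status, 127 if it could not be executed, or -1
   if the name is rejected or the process could not be created. */
int run_helper(const char *helper, const char *name) {
    if (!name_is_plain(name)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, (char *)name, NULL };
        execv(helper, argv);
        _exit(127);               /* only reached when execv() failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample names, as they might be read from a document. */
    const char *samples[] = { "cmr10", "cmr10;other", "$(other)", "-o" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s %s\n", samples[i],
               name_is_plain(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```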

This problem has been fixed in version 1.0.7+20011202-7.1 for the current stable distribution (woody), in version 1.0.6-7.3 for the old stable distribution (potato) and in version 1.0.7+20021025-4 for the unstable distribution (sid). The xdvik-ja and dvipsk-ja packages are vulnerable as well, but they link to the kpathsea library dynamically and will be fixed automatically once a new libkpathsea is installed.

We recommend that you upgrade your tetex-lib package immediately.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.6-7.3.dsc
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.6-7.3.diff.gz
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.6.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.6-7.3_alpha.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-dev_1.0.6-7.3_alpha.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-lib_1.0.6-7.3_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.6-7.3_arm.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-dev_1.0.6-7.3_arm.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-lib_1.0.6-7.3_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.6-7.3_i386.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-dev_1.0.6-7.3_i386.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-lib_1.0.6-7.3_i386.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.6-7.3_m68k.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-dev_1.0.6-7.3_m68k.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-lib_1.0.6-7.3_m68k.deb
PowerPC:
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.6-7.3_powerpc.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-dev_1.0.6-7.3_powerpc.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-lib_1.0.6-7.3_powerpc.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.6-7.3_sparc.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-dev_1.0.6-7.3_sparc.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-lib_1.0.6-7.3_sparc.deb

Debian GNU/Linux 3.0 (woody)

Source:
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.7+20011202-7.1.dsc
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.7+20011202-7.1.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea-dev_1.0.7+20011202-7.1_alpha.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea3_1.0.7+20011202-7.1_alpha.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.7+20011202-7.1_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea-dev_1.0.7+20011202-7.1_arm.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea3_1.0.7+20011202-7.1_arm.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.7+20011202-7.1_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea-dev_1.0.7+20011202-7.1_i386.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea3_1.0.7+20011202-7.1_i386.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.7+20011202-7.1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea-dev_1.0.7+20011202-7.1_ia64.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea3_1.0.7+20011202-7.1_ia64.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.7+20011202-7.1_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea-dev_1.0.7+20011202-7.1_hppa.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea3_1.0.7+20011202-7.1_hppa.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.7+20011202-7.1_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea-dev_1.0.7+20011202-7.1_m68k.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea3_1.0.7+20011202-7.1_m68k.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.7+20011202-7.1_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea-dev_1.0.7+20011202-7.1_mips.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea3_1.0.7+20011202-7.1_mips.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.7+20011202-7.1_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea-dev_1.0.7+20011202-7.1_mipsel.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea3_1.0.7+20011202-7.1_mipsel.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.7+20011202-7.1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea-dev_1.0.7+20011202-7.1_powerpc.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea3_1.0.7+20011202-7.1_powerpc.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.7+20011202-7.1_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea-dev_1.0.7+20011202-7.1_s390.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea3_1.0.7+20011202-7.1_s390.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.7+20011202-7.1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea-dev_1.0.7+20011202-7.1_sparc.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea3_1.0.7+20011202-7.1_sparc.deb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_1.0.7+20011202-7.1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.