<<< Date Index >>>     <<< Thread Index >>>

[FLSA-2006:152868] Updated tetex packages fix security issues



---------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated tetex packages fix security issues
Advisory ID:       FLSA:152868
Issue date:        2006-05-12
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2004-0888 CVE-2004-1125 CVE-2005-3191
                   CVE-2005-3192 CVE-2005-3193 CVE-2005-3624
                   CVE-2005-3625 CVE-2005-3626 CVE-2005-3627
                   CVE-2005-3628
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated tetex packages that fix several security issues are now
available.

TeTeX is an implementation of TeX. TeX takes a text file and a set of
formatting commands as input and creates a typesetter-independent .dvi
(DeVice Independent) file as output.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A number of integer overflow bugs that affect Xpdf were discovered. The
teTeX package contains a copy of the Xpdf code used for parsing PDF
files and is therefore affected by these bugs. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
names CVE-2004-0888 and CVE-2004-1125 to these issues.

Several flaws were discovered in the teTeX PDF parsing library. An
attacker could construct a carefully crafted PDF file that could cause
teTeX to crash or possibly execute arbitrary code when opened. The
Common Vulnerabilities and Exposures project assigned the names
CVE-2005-3191, CVE-2005-3192, CVE-2005-3193, CVE-2005-3624,
CVE-2005-3625, CVE-2005-3626, CVE-2005-3627 and CVE-2005-3628 to these
issues.

Users of teTeX should upgrade to these updated packages, which contain
backported patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152868

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/tetex-1.0.7-47.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tetex-1.0.7-47.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tetex-afm-1.0.7-47.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tetex-doc-1.0.7-47.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tetex-dvilj-1.0.7-47.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tetex-dvips-1.0.7-47.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tetex-fonts-1.0.7-47.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tetex-latex-1.0.7-47.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tetex-xdvi-1.0.7-47.5.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/tetex-1.0.7-66.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/tetex-1.0.7-66.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/tetex-afm-1.0.7-66.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/tetex-doc-1.0.7-66.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/tetex-dvips-1.0.7-66.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/tetex-fonts-1.0.7-66.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/tetex-latex-1.0.7-66.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/tetex-xdvi-1.0.7-66.3.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/tetex-2.0.2-8.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/tetex-2.0.2-8.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/tetex-afm-2.0.2-8.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/tetex-doc-2.0.2-8.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/tetex-dvips-2.0.2-8.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/tetex-fonts-2.0.2-8.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/tetex-latex-2.0.2-8.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/tetex-xdvi-2.0.2-8.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/tetex-2.0.2-14FC2.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/tetex-2.0.2-14FC2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/tetex-afm-2.0.2-14FC2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/tetex-doc-2.0.2-14FC2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/tetex-dvips-2.0.2-14FC2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/tetex-fonts-2.0.2-14FC2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/tetex-latex-2.0.2-14FC2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/tetex-xdvi-2.0.2-14FC2.3.legacy.i386.rpm


7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------

80b05b7896c5db589e960da0d73b1cd4ae120cce
redhat/7.3/updates/i386/tetex-1.0.7-47.5.legacy.i386.rpm
28c6022b4f6a237d4695d1f268276ec6b18dcf4c
redhat/7.3/updates/i386/tetex-afm-1.0.7-47.5.legacy.i386.rpm
017fa321d9834685f04819070d4f5fb799e05d01
redhat/7.3/updates/i386/tetex-doc-1.0.7-47.5.legacy.i386.rpm
3303175840f2fc37c5f3f77e672eeb3fafae718a
redhat/7.3/updates/i386/tetex-dvilj-1.0.7-47.5.legacy.i386.rpm
fa43c7cbdf02cb7d439c9beeb0e358f8c69a5f22
redhat/7.3/updates/i386/tetex-dvips-1.0.7-47.5.legacy.i386.rpm
1e69a574c3d47cec5b58963387956dfc8337d6ec
redhat/7.3/updates/i386/tetex-fonts-1.0.7-47.5.legacy.i386.rpm
bb229acb3b38ae16025d56a77c41cab939a512ac
redhat/7.3/updates/i386/tetex-latex-1.0.7-47.5.legacy.i386.rpm
d21419415faefcb90b688f8d8dc60a57a6374bad
redhat/7.3/updates/i386/tetex-xdvi-1.0.7-47.5.legacy.i386.rpm
f646b3f3c2ebafa6ae264f20a3f056c778bd84db
redhat/7.3/updates/SRPMS/tetex-1.0.7-47.5.legacy.src.rpm
26f54ca0403372b21e6fd441d9bb64073f23e7de
redhat/9/updates/i386/tetex-1.0.7-66.3.legacy.i386.rpm
e74de7855d1d07bcef6a713f4a8735e8008f5249
redhat/9/updates/i386/tetex-afm-1.0.7-66.3.legacy.i386.rpm
c836a796ad112f79c84c528006a14a3ff1f99a20
redhat/9/updates/i386/tetex-doc-1.0.7-66.3.legacy.i386.rpm
5d60fb658c5581eff85e589b2f71e49b4b7132b0
redhat/9/updates/i386/tetex-dvips-1.0.7-66.3.legacy.i386.rpm
7ea6340fe95a63586bebc82f0869f962a178a8b2
redhat/9/updates/i386/tetex-fonts-1.0.7-66.3.legacy.i386.rpm
62790eea2119387ad7c9ff4dc52aa9f24ae188f3
redhat/9/updates/i386/tetex-latex-1.0.7-66.3.legacy.i386.rpm
55f398c9781e6a75c14becd57930afd91632c8fb
redhat/9/updates/i386/tetex-xdvi-1.0.7-66.3.legacy.i386.rpm
a696b9b616557bf0d9b8ae7f884e543061e0e110
redhat/9/updates/SRPMS/tetex-1.0.7-66.3.legacy.src.rpm
5560c992700e00a6f69d9ee7d2835522142fb93b
fedora/1/updates/i386/tetex-2.0.2-8.2.legacy.i386.rpm
416e95e8c3241c6fb239ca534dbb5654f5bb4206
fedora/1/updates/i386/tetex-afm-2.0.2-8.2.legacy.i386.rpm
55adc5facf3a5c44cd5eb8b57559b03728fb7a64
fedora/1/updates/i386/tetex-doc-2.0.2-8.2.legacy.i386.rpm
e893ad3c1c95abd91830b43fa74138be297da25e
fedora/1/updates/i386/tetex-dvips-2.0.2-8.2.legacy.i386.rpm
b5b4de3d22bf7696ed5194f68c271d08d912d571
fedora/1/updates/i386/tetex-fonts-2.0.2-8.2.legacy.i386.rpm
57029989a0bba05d33c566bdb0df6ff921f3addd
fedora/1/updates/i386/tetex-latex-2.0.2-8.2.legacy.i386.rpm
857555c989ce1db61ddec8a7fdaf30a21bd1a207
fedora/1/updates/i386/tetex-xdvi-2.0.2-8.2.legacy.i386.rpm
f4cd83ce6594ce3a2ba6f3371d22b46435be8fbd
fedora/1/updates/SRPMS/tetex-2.0.2-8.2.legacy.src.rpm
b02943e6007fc24a8c187d94c1511110d3d6e6e0
fedora/2/updates/i386/tetex-2.0.2-14FC2.3.legacy.i386.rpm
08f84cc10ee1b4ea4a0a28b0d06cba8209c0c5f3
fedora/2/updates/i386/tetex-afm-2.0.2-14FC2.3.legacy.i386.rpm
ea6b0ea52e2784a8d4de505e8866b6ca24ff94dd
fedora/2/updates/i386/tetex-doc-2.0.2-14FC2.3.legacy.i386.rpm
61298e2841be9ce39260139387502f2caa555653
fedora/2/updates/i386/tetex-dvips-2.0.2-14FC2.3.legacy.i386.rpm
42271d0bf5aab0b7b77c6ccb90723588395e06a2
fedora/2/updates/i386/tetex-fonts-2.0.2-14FC2.3.legacy.i386.rpm
555556960f4e116cc1f92d57d8896284cf125935
fedora/2/updates/i386/tetex-latex-2.0.2-14FC2.3.legacy.i386.rpm
23d0051001771158b6573c846d1e736308cba424
fedora/2/updates/i386/tetex-xdvi-2.0.2-14FC2.3.legacy.i386.rpm
c05978c27472e3a8fbfc12896e26d78ae18e065b
fedora/2/updates/SRPMS/tetex-2.0.2-14FC2.3.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0888
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3624
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3627
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3628

9. Contact:

The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

Attachment: signature.asc
Description: OpenPGP digital signature