---------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated tetex packages fix security issues
Advisory ID:       FLSA:152868
Issue date:        2006-05-12
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2004-0888 CVE-2004-1125 CVE-2005-3191
                   CVE-2005-3192 CVE-2005-3193 CVE-2005-3624
                   CVE-2005-3625 CVE-2005-3626 CVE-2005-3627
                   CVE-2005-3628
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated tetex packages that fix several security issues are now
available.

TeTeX is an implementation of TeX. TeX takes a text file and a set of
formatting commands as input and creates a typesetter-independent .dvi
(DeVice Independent) file as output.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A number of integer overflow bugs that affect Xpdf were discovered. The
teTeX package contains a copy of the Xpdf code used for parsing PDF
files and is therefore affected by these bugs. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
names CVE-2004-0888 and CVE-2004-1125 to these issues.

Several flaws were discovered in the teTeX PDF parsing library. An
attacker could construct a carefully crafted PDF file that could cause
teTeX to crash or possibly execute arbitrary code when opened. The
Common Vulnerabilities and Exposures project assigned the names
CVE-2005-3191, CVE-2005-3192, CVE-2005-3193, CVE-2005-3624,
CVE-2005-3625, CVE-2005-3626, CVE-2005-3627 and CVE-2005-3628 to these
issues.

Users of teTeX should upgrade to these updated packages, which contain
backported patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152868

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/tetex-1.0.7-47.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tetex-1.0.7-47.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tetex-afm-1.0.7-47.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tetex-doc-1.0.7-47.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tetex-dvilj-1.0.7-47.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tetex-dvips-1.0.7-47.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tetex-fonts-1.0.7-47.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tetex-latex-1.0.7-47.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tetex-xdvi-1.0.7-47.5.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/tetex-1.0.7-66.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/tetex-1.0.7-66.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/tetex-afm-1.0.7-66.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/tetex-doc-1.0.7-66.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/tetex-dvips-1.0.7-66.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/tetex-fonts-1.0.7-66.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/tetex-latex-1.0.7-66.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/tetex-xdvi-1.0.7-66.3.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/tetex-2.0.2-8.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/tetex-2.0.2-8.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/tetex-afm-2.0.2-8.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/tetex-doc-2.0.2-8.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/tetex-dvips-2.0.2-8.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/tetex-fonts-2.0.2-8.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/tetex-latex-2.0.2-8.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/tetex-xdvi-2.0.2-8.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/tetex-2.0.2-14FC2.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/tetex-2.0.2-14FC2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/tetex-afm-2.0.2-14FC2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/tetex-doc-2.0.2-14FC2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/tetex-dvips-2.0.2-14FC2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/tetex-fonts-2.0.2-14FC2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/tetex-latex-2.0.2-14FC2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/tetex-xdvi-2.0.2-14FC2.3.legacy.i386.rpm

7. Verification:

These packages are GPG signed by Fedora Legacy for security.
Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0888
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3624
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3627
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3628

9. Contact:

The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------
Attachment: signature.asc
Description: OpenPGP digital signature
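
The sha1sum comparison from section 7, run over a whole download directory, as an added example that is not part of the original advisory. `verify_manifest` and `make_sample` are hypothetical names, and the files and checksum list it builds are constructed samples, not Fedora Legacy packages. A matching SHA-1 only shows that a file agrees with the list; `rpm --checksig` is still the check of the GPG signature.

```sh
#!/bin/sh
# Added example: check downloaded files against an advisory checksum list.
# List lines look like "<40-hex sha1> <repo path>"; headings and rulers are
# skipped. Files are looked up by base name only, so a path in the list can
# never point outside the download directory.

# verify_manifest LIST DIR -> one status line per entry, 0 only if all OK
verify_manifest() {
    list=$1 dir=$2 rc=0
    while read -r want path || [ -n "$want" ]; do
        case $want in
            ''|*[!0-9a-f]*) continue ;;   # not a lowercase hex digest
        esac
        [ "${#want}" -eq 40 ] || continue
        name=${path##*/}
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        got=$(sha1sum < "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; rc=1
        fi
    done < "$list"
    return "$rc"
}

# Constructed sample (not real packages): SHA-1("abc") is the well-known
# a9993e36... test vector, so the second file cannot match the listed sum.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'abc' > "$d/good-1.0-1.legacy.i386.rpm"
    printf 'abd' > "$d/tampered-1.0-1.legacy.i386.rpm"
    cat > "$d/advisory.txt" <<'EOF'
SHA1 sum                                 Package Name
---------------------------------------------------------------------
a9993e364706816aba3e25717850c26c9cd0d89d example/i386/good-1.0-1.legacy.i386.rpm
a9993e364706816aba3e25717850c26c9cd0d89d example/i386/tampered-1.0-1.legacy.i386.rpm
da39a3ee5e6b4b0d3255bfef95601890afd80709 example/i386/absent-1.0-1.legacy.i386.rpm
EOF
    echo "$d"
}

d=$(make_sample)
verify_manifest "$d/advisory.txt" "$d" || echo "do not install: list and files disagree"
rm -rf "$d"
```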