The SuSE security team discovered a vulnerability in kpathsea library (libkpathsea) which is used by xdvi and dvips. Both programs call the system() function insecurely, which allows a remote attacker to execute arbitrary commands via cleverly crafted DVI files. If dvips is used in a print filter, this allows a local or remote attacker with print permission execute arbitrary code as the printer user (usually lp). This problem has been fixed in version 1.0.7+20011202-7.1 for the current stable distribution (woody), in version 1.0.6-7.3 for the old stable distribution (potato) and in version 1.0.7+20021025-4 for the unstable distribution (sid). xdvik-ja and dvipsk-ja are vulnerable as well, but link to the kpathsea library dynamically and will automatically be fixed after a new libkpathsea is installed. We recommend that you upgrade your tetex-lib package immediately.
The SuSE security team discovered a vulnerability in kpathsea library (libkpathsea) which is used by xdvi and dvips. Both programs call the system() function insecurely, which allows a remote attacker to execute arbitrary commands via cleverly crafted DVI files.
If dvips is used in a print filter, this allows a local or remote attacker with print permission execute arbitrary code as the printer user (usually lp).
This problem has been fixed in version 1.0.7+20011202-7.1 for the current stable distribution (woody), in version 1.0.6-7.3 for the old stable distribution (potato) and in version 1.0.7+20021025-4 for the unstable distribution (sid). xdvik-ja and dvipsk-ja are vulnerable as well, but link to the kpathsea library dynamically and will automatically be fixed after a new libkpathsea is installed.
We recommend that you upgrade your tetex-lib package immediately.
MD5 checksums of the listed files are available in the original advisory.