
Bug#164820: marked as done (tetex-bin: Command execution vulnerability in dvips)



Your message dated Fri, 29 Nov 2002 03:17:47 -0500
with message-id <E18HgLL-0000nK-00@auric.debian.org>
and subject line Bug#164820: fixed in tetex-bin 1.0.7+20021025-4
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 15 Oct 2002 11:07:51 +0000
>From erno@fabulous.u--3.com Tue Oct 15 06:07:51 2002
Return-path: <erno@fabulous.u--3.com>
Received: from fabulous.u--3.com [212.50.142.250] (postfix)
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 181PYE-0008EN-00; Tue, 15 Oct 2002 06:07:50 -0500
Received: by fabulous.u--3.com (Postfix, from userid 1000)
	id A8568580001; Tue, 15 Oct 2002 14:07:47 +0300 (EEST)
From: Erno Kuusela <erno-debbugs@erno.iki.fi>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tetex-bin: Command execution vulnerability in dvips
X-Mailer: reportbug 1.50
Date: Tue, 15 Oct 2002 14:07:47 +0300
Message-Id: <20021015110747.A8568580001@fabulous.u--3.com>
Delivered-To: submit@bugs.debian.org

Package: tetex-bin
Version: 1.0.7+20011202-6
Severity: grave
Tags: security
Justification: user security hole

this was posted on bugtraq:

---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Command execution vulnerability in dvips
Advisory ID:       RHSA-2002:194-18

[...] A vulnerability has been found in dvips which uses the system()
function insecurely when managing fonts.

Since dvips is used in a print filter, this allows local or remote
attackers who have print access to carefully craft a print job that
would allow them to execute arbitrary code as the user 'lp'.

[...]

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux fabulous 2.4.19-rc2 #2 Sun Jul 21 23:57:23 EEST 2002 i686
Locale: LANG=C, LC_CTYPE=fi_FI

Versions of packages tetex-bin depends on:
ii  debianutils             1.16             Miscellaneous utilities specific t
ii  dpkg                    1.9.21           Package maintenance system for Deb
ii  ed                      0.2-19           The classic unix line editor
ii  libc6                   2.2.5-15         GNU C Library: Shared libraries an
ii  libkpathsea3            1.0.7+20011202-7 shared libkpathsea for teTeX
ii  libpng2                 1.0.12-3.woody.2 PNG library - runtime
ii  libstdc++2.10-glibc2.2  1:2.95.4-7       The GNU stdc++ library
ii  libtiff3g               3.5.5-6          Tag Image File Format library
ii  libxaw7                 4.1.0-16         X Athena widget set library
pn  tetex-base (>= 1.0.2+20                  Not found.
ii  xlibs                   4.1.0-16         X Window System client libraries
ii  zlib1g                  1:1.1.4-1        compression library - runtime


---------------------------------------
Received: (at 164820-close) by bugs.debian.org; 29 Nov 2002 08:23:50 +0000
>From katie@auric.debian.org Fri Nov 29 02:23:48 2002
Return-path: <katie@auric.debian.org>
Received: from auric.debian.org [206.246.226.45] (mail)
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 18HgRA-0002fc-00; Fri, 29 Nov 2002 02:23:48 -0600
Received: from katie by auric.debian.org with local (Exim 3.35 1 (Debian))
	id 18HgLL-0000nK-00; Fri, 29 Nov 2002 03:17:47 -0500
From: Atsuhito KOHDA <kohda@debian.org>
To: 164820-close@bugs.debian.org
X-Katie: $Revision: 1.28 $
Subject: Bug#164820: fixed in tetex-bin 1.0.7+20021025-4
Message-Id: <E18HgLL-0000nK-00@auric.debian.org>
Sender: Archive Administrator <katie@auric.debian.org>
Date: Fri, 29 Nov 2002 03:17:47 -0500
Delivered-To: 164820-close@bugs.debian.org

We believe that the bug you reported is fixed in the latest version of
tetex-bin, which is due to be installed in the Debian FTP archive:

libkpathsea-dev_1.0.7+20021025-4_i386.deb
  to pool/main/t/tetex-bin/libkpathsea-dev_1.0.7+20021025-4_i386.deb
libkpathsea3_1.0.7+20021025-4_i386.deb
  to pool/main/t/tetex-bin/libkpathsea3_1.0.7+20021025-4_i386.deb
tetex-bin_1.0.7+20021025-4.diff.gz
  to pool/main/t/tetex-bin/tetex-bin_1.0.7+20021025-4.diff.gz
tetex-bin_1.0.7+20021025-4.dsc
  to pool/main/t/tetex-bin/tetex-bin_1.0.7+20021025-4.dsc
tetex-bin_1.0.7+20021025-4_i386.deb
  to pool/main/t/tetex-bin/tetex-bin_1.0.7+20021025-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 164820@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Atsuhito KOHDA <kohda@debian.org> (supplier of updated tetex-bin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 29 Nov 2002 10:15:02 +0900
Source: tetex-bin
Binary: libkpathsea3 tetex-bin libkpathsea-dev
Architecture: source i386
Version: 1.0.7+20021025-4
Distribution: unstable
Urgency: low
Maintainer: teTeX maintainers <debian-tetex-maint@lists.debian.org>
Changed-By: Atsuhito KOHDA <kohda@debian.org>
Description: 
 libkpathsea-dev - kpathsea.a and include files for teTeX
 libkpathsea3 - shared libkpathsea for teTeX
 tetex-bin  - teTeX binary files
Closes: 164820 169913
Changes: 
 tetex-bin (1.0.7+20021025-4) unstable; urgency=low
 .
   * Applied security patch for dvips.  [kohda]  (Closes: #164820)
   * Modified templates a bit.  Thanks to Branden Robinson <branden@debian.org>
     [kohda]  (Closes: #169913)
Files: 
 b6590434d382d400c332e90821d4c71d 959 tex optional tetex-bin_1.0.7+20021025-4.dsc
 28527bce600cac72d4bb768ca8ce0153 43244 tex optional tetex-bin_1.0.7+20021025-4.diff.gz
 fb8193831116a082807d9c81a1246f29 2782114 tex optional tetex-bin_1.0.7+20021025-4_i386.deb
 ee77ba719f4ec9d64272a90d3c1ca634 42876 libs optional libkpathsea3_1.0.7+20021025-4_i386.deb
 c0bc9c06bb81a58b9da45160ef104264 62726 devel optional libkpathsea-dev_1.0.7+20021025-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE95x831IXdL1v6kOwRAtu7AJ4/YvL833AI8LXKCRz8YPUkCTj8UQCeMDY9
y+wPJ4zQVMDI6n9YfK3L878=
=kBzq
-----END PGP SIGNATURE-----


