[tex-k] [rhn-admin@rhn.redhat.com: RHN Errata Alert: Command execution vulnerability in dvips]

Martin Schroeder martin@oneiros.de
Tue, 15 Oct 2002 11:06:43 +0200

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

this just arrived via a collegue. In which version of dvips has
this been fixed?

Best regards

Content-Type: message/rfc822
Content-Disposition: inline

Return-Path: <artcom7!artcom0!pf>
Received: from artcom7 by artcom8.artcom-gmbh.de  with uucp
	(Smail3.2 #1) id m181KYq-000WDLC; Tue, 15 Oct 2002 07:48:08 +0200 (CEST)
Received: from artcom0 by artcom7.artcom-gmbh.de  with uucp
	(Smail3.2 #1) id m181KY2-000pAqC; Tue, 15 Oct 2002 07:47:18 +0200 (MEST)
Received: by artcom0.artcom-gmbh.de (Smail3.2 #1)
	id m181KWv-00BMy2C; Tue, 15 Oct 2002 07:46:09 +0200 (CEST)
Sender: pf@artcom0.artcom-gmbh.de (Peter Funk)
Received: from artcom7 by artcom0.artcom-gmbh.de  with uucp
	(Smail3.2 #1) id m181GxO-00BNV2C; Tue, 15 Oct 2002 03:57:14 +0200 (CEST)
Received: by artcom7.artcom-gmbh.de (Smail3.2 #1)
	id m181GwM-000pAqC; Tue, 15 Oct 2002 03:56:10 +0200 (MEST)
Received: (from uartcom@localhost)
	by artcomm.artcom-gmbh.de (8.11.6+Sun/8.9.3) with UUCP id g9F1t7B15331
	for pf@artcom0.artcom-gmbh.de; Tue, 15 Oct 2002 03:55:07 +0200 (MEST)
Received: from mx-2.kkf.net (mx-2.kkf.net [])
	by artinet.artcom-gmbh.de (8.9.3+Sun/8.9.3) with SMTP id DAA22850
	for <pf@artcom-gmbh.de>; Tue, 15 Oct 2002 03:53:39 +0200 (MEST)
Received: (qmail 6508 invoked by uid 54); 15 Oct 2002 01:53:39 -0000
Received: from rhn-bounce+1333960-1893562@rhn.redhat.com by mx-2
  by uid 51 with qmail-scanner-1.10 (. Clear:0. Processed in 0.127422 secs); 15 Oct 2002 01:53:39 -0000
X-Qmail-Scanner-Mail-From: rhn-bounce+1333960-1893562@rhn.redhat.com via mx-2
X-Qmail-Scanner: 1.10 (Clear:0. Processed in 0.127422 secs)
Received: from mail.rhn.redhat.com (HELO rhn-mail.rdu-colo.redhat.com) (
  by 0 with SMTP; 15 Oct 2002 01:53:38 -0000
Received: from scripts.rdu-colo.redhat.com (nat-pix.rdu.redhat.com [] (may be forged))
	by rhn-mail.rdu-colo.redhat.com (8.11.6/8.11.6) with ESMTP id g9F1rb119366
	for <pf@artcom-gmbh.de>; Mon, 14 Oct 2002 21:53:37 -0400
Received: (from root@localhost)
	by scripts.rdu-colo.redhat.com (8.11.6/8.11.6) id g9F1nBt31110;
	Mon, 14 Oct 2002 21:49:11 -0400
Date: Mon, 14 Oct 2002 21:49:11 -0400
Message-Id: <200210150149.g9F1nBt31110@scripts.rdu-colo.redhat.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: rhn-bounce+1333960-1893562@rhn.redhat.com
From: Red Hat Network Alert <rhn-admin@rhn.redhat.com>
Precedence: first-class
Subject: RHN Errata Alert: Command execution vulnerability in dvips
To: pefunk <pf@artcom-gmbh.de>
X-RHN-Email: <pf@artcom-gmbh.de>
X-RHN-Info: Autogenerated mail for pefunk
X-RHN-Login: pefunk
X-Qmail-Scanner-1.10: added fake MIME-Version header
MIME-Version: 1.0
Sender: pf@artcom0.artcom-gmbh.de

Red Hat Network has determined that the following advisory is applicable to
one or more of the systems you have registered:

Complete information about this errata can be found at the following location:

Security Advisory - RHSA-2002:194-18
Command execution vulnerability in dvips

dvips contains a vulnerability allowing print users to execute arbitrary

The dvips utility converts DVI format into PostScript(TM), and is used in
Red Hat Linux as a print filter for printing DVI files.  A vulnerability
has been found in dvips which uses the system() function insecurely when
managing fonts.

Since dvips is used in a print filter, this allows local or remote
attackers who have print access to carefully craft a print job that
would allow them to execute arbitrary code as the user 'lp'. 

A work around for this vulnerability is to remove the print filter for DVI
files.  The following commands, run as root, will accomplish this:

rm -f /usr/share/printconf/mf_rules/mf40-tetex_filters
rm -f /usr/lib/rhs/rhs-printfilters/dvi-to-ps.fpi

However, to fix the problem in the dvips utility as well as removing the
print filter we recommend that all users upgrade these errata packages
which contain a patch for this issue.

This vulnerability was discovered by Olaf Kirch of SuSE.

Additionally, the file /var/lib/texmf/ls-R had world-writable permissions.
 This is also fixed in the packages referenced in this advisory.

Taking Action
You may address the issues outlined in this advisory in two ways:

     - select your server name by clicking on its name from the list
       available at the following location, and then schedule an
       errata update for it:

     - run the Update Agent on each affected server.

Changing Notification Preferences
To enable/disable your Errata Alert preferences globally please log in to RHN
and navigate from "Your RHN" / "Your Account" to the "Preferences" tab.

        URL: https://rhn.redhat.com/network/my_account/my_prefs.pxt

You can also enable/disable notification on a per system basis by selecting an
individual system from the "Systems List". From the individual system view
click the "Details" tab.

Affected Systems
According to our records, this errata may apply to one or more of the 
systems that you've profiled with Red Hat Network.  To see precisely which 
systems are affected, please go to:

The Red Hat Network Team

This message is being sent by Red Hat Network Alert to:
    RHN user login:        pefunk
    Email address on file: <pf@artcom-gmbh.de>

If you lost your RHN password, you can use the information above to
retrieve it by email from the following address:

To cancel these notices, go to: