Gentoo Archives: gentoo-announce

From: Pierre-Yves Rofes <py@g.o>
To: gentoo-announce@l.g.o
Cc: full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200711-34 ] CSTeX: Multiple vulnerabilities
Date: Sun, 25 Nov 2007 23:05:24
Message-Id: 4749FBE9.1060803@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200711-34
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: CSTeX: Multiple vulnerabilities
      Date: November 25, 2007
      Bugs: #196673
        ID: 200711-34

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were discovered in CSTeX, possibly allowing
the execution of arbitrary code or the overwriting of arbitrary files.

Background
==========

CSTeX is a TeX distribution with Czech and Slovak support. It is used
for creating and manipulating LaTeX documents.

Affected packages
=================

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /           Unaffected
    -------------------------------------------------------------------
  1  app-text/cstetex                < 2.0.2-r2             Vulnerable!
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.
    -------------------------------------------------------------------
     NOTE: Packages marked with asterisks require manual intervention!

Description
===========

Multiple issues were found in the teTeX 2 codebase that CSTeX builds
upon (GLSA 200709-17, GLSA 200711-26). CSTeX also includes vulnerable
code from the GD library (GLSA 200708-05), from Xpdf (GLSA 200709-12,
GLSA 200711-22) and from T1Lib (GLSA 200710-12).

Impact
======

Remote attackers could possibly execute arbitrary code and local
attackers could possibly overwrite arbitrary files with the privileges
of the user running CSTeX via multiple vectors.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

CSTeX is not maintained upstream, so the package was masked in Portage.
We recommend that users unmerge CSTeX:

    # emerge --unmerge app-text/cstetex

As an alternative, users should upgrade their systems to use teTeX or
TeX Live with its Babel packages.

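As an added check that is not part of the advisory, the version comparison an administrator makes to decide whether an installed cstetex falls inside the "< 2.0.2-r2" range above, written in Python since Portage itself is Python. It assumes a simplified Gentoo version grammar (pre-release suffixes, _p, -r revisions) and a constructed list of installed atoms; the `INSTALLED` data and the helper names are this example's own.

```python
import re

# Simplified Gentoo version grammar, an assumption of this example (it ignores
# the PMS leading-zero rule for minor components and live "9999" versions):
#   NUM(.NUM)* [letter] (_alpha|_beta|_pre|_rc|_p [NUM])* [-rNUM]
_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$"
)
# Pre-release suffixes sort below a plain release; _p sorts above it.
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
# "category/name-version" as under /var/db/pkg: version starts at the first "-" + digit.
_ATOM_RE = re.compile(r"^(?P<cp>.+?)-(?P<ver>\d.*)$")

def version_key(version):
    """Sort key reproducing Gentoo ordering for the grammar above."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable Gentoo version: {version!r}")
    nums = tuple(int(n) for n in m.group("nums").split("."))
    suffixes = [(_SUFFIX_RANK[name], int(num or 0)) for name, num in
                re.findall(r"_(alpha|beta|pre|rc|p)(\d*)", m.group("suffixes"))]
    suffixes.append((_SUFFIX_RANK[""], 0))  # sentinel: the plain-release point
    return nums, m.group("letter") or "", tuple(suffixes), int(m.group("rev") or 0)

def is_vulnerable(installed, unaffected="2.0.2-r2"):
    """True when `installed` falls inside the advisory's '< 2.0.2-r2' range."""
    return version_key(installed) < version_key(unaffected)

def affected_installs(installed, package="app-text/cstetex", unaffected="2.0.2-r2"):
    """Return the installed atoms of `package` that the advisory covers."""
    hits = []
    for atom in installed:
        m = _ATOM_RE.match(atom)
        if m and m.group("cp") == package and is_vulnerable(m.group("ver"), unaffected):
            hits.append(atom)
    return hits

# Constructed sample of installed packages, not data from a real system.
INSTALLED = ["app-text/cstetex-2.0.2-r1", "app-text/tetex-3.0_p1-r6", "dev-libs/gd-2.0.35"]

if __name__ == "__main__":
    for atom in affected_installs(INSTALLED):
        print(f"{atom}: in vulnerable range, unmerge or migrate (GLSA 200711-34)")
```

On a real system the installed list would come from the directory names under /var/db/pkg, and Portage's own vercmp should be preferred over this simplified comparator.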
References
==========

  [ 1 ] GLSA 200708-05
        http://www.gentoo.org/security/en/glsa/glsa-200708-05.xml
  [ 2 ] GLSA 200709-12
        http://www.gentoo.org/security/en/glsa/glsa-200709-12.xml
  [ 3 ] GLSA 200709-17
        http://www.gentoo.org/security/en/glsa/glsa-200709-17.xml
  [ 4 ] GLSA 200710-12
        http://www.gentoo.org/security/en/glsa/glsa-200710-12.xml
  [ 5 ] GLSA 200711-22
        http://www.gentoo.org/security/en/glsa/glsa-200711-22.xml
  [ 6 ] GLSA 200711-26
        http://www.gentoo.org/security/en/glsa/glsa-200711-26.xml

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-34.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or, alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5