dvips uses system() function insecurely thereby allowing arbitrary command execution
Vendor Statement

Debian Security Advisory DSA 207-1                                        Martin Schulze
December 11th, 2002
Package        : tetex-bin
Vulnerability  : arbitrary command execution
Problem-type   : remote
Debian-specific: no
CVE Id         : CAN-2002-0836

The SuSE security team discovered a vulnerability in kpathsea library
(libkpathsea) which is used by xdvi and dvips.  Both programs call the
system() function insecurely, which allows a remote attacker to
execute arbitrary commands via cleverly crafted DVI files.

If dvips is used in a print filter, this allows a local or remote
attacker with print permission to execute arbitrary code as the printer
user (usually lp).

This problem has been fixed in version 1.0.7+20011202-7.1 for the
current stable distribution (woody), in version 1.0.6-7.3 for the old
stable distribution (potato) and in version 1.0.7+20021025-4 for the
unstable distribution (sid).  xdvik-ja and dvipsk-ja are vulnerable as
well, but link to the kpathsea library dynamically and will
automatically be fixed after a new libkpathsea is installed.

We recommend that you upgrade your tetex-lib package immediately.

These files will probably be moved into the stable distribution on
its next revision.
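The advisory above describes a file name taken from an untrusted DVI file ending up in a string handed to system(). As an added example (not kpathsea's, dvips's or Debian's code; the function names and the allowed character set are assumptions), here are the two defences that remove that class of bug: an allow-list check on the name, and running the helper program through execvp() with an argument vector so no shell ever parses the name:

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only names built from characters that no shell interprets.
   The character set is an assumed policy, not kpathsea's own rule. */
int filename_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 255 || name[0] == '-')  /* leading '-' reads as an option */
        return 0;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '/'))
            return 0;
    }
    if (strstr(name, "..") != NULL)  /* keep the name inside the search path */
        return 0;
    return 1;
}

/* Run `prog` with `name` as its single argument and no shell in
   between: the name is passed as one argv element and never parsed,
   so metacharacters in it cannot alter the command.  Returns the
   child's exit status, or -1 if the name fails the policy or the
   child could not be started. */
int run_without_shell(const char *prog, const char *name)
{
    if (!filename_is_safe(name))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)prog, (char *)name, NULL };
        execvp(prog, argv);
        _exit(127);  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The check runs before fork(), so a name the policy rejects is never passed to any program at all, which is the safer order for a print filter running as the printer user.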

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.