Advisories, December 7, 2005

Dec 08, 2005, 04:45

Debian GNU/Linux


Debian Security Advisory DSA 916-1
Contact: security@debian.org
Author: Martin Schulze
Date: December 7th, 2005
http://www.debian.org/security/
http://www.debian.org/security/faq


Package : inkscape
Vulnerability : buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2005-3737 CVE-2005-3885
BugTraq ID : 14522
Debian Bug : 321501 330894

Several vulnerabilities have been discovered in Inkscape, a vector-based drawing program. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2005-3737

Joxean Koret discovered a buffer overflow in the SVG parsing routines that can lead to the execution of arbitrary code.

CVE-2005-3885

Javier Fernández-Sanguino Peña noticed that the ps2epsi extension shell script uses a hardcoded temporary file making it vulnerable to symlink attacks.
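The temporary-file pattern behind CVE-2005-3885, as an added illustration that is not Inkscape's actual ps2epsi script: the hardcoded name the advisory describes next to the mktemp-based fix, plus the property check an auditor would apply. The function names and the file name ps2epsi.tmp are assumptions of this example.

```shell
#!/bin/sh
# Added illustration, not Inkscape's ps2epsi script: the pattern the advisory
# describes (a hardcoded temporary file name) next to the fix.
# Function names and the file name ps2epsi.tmp are assumptions of this example.

# Unsafe: a fixed, predictable path in the world-writable /tmp. A local user
# who plants a symlink at that path beforehand gets the script, running with
# the victim's privileges, to write through the link to whatever it targets.
unsafe_tmpfile() {
    tmp="/tmp/ps2epsi.tmp"
    echo "$1" > "$tmp"       # '>' follows an existing symlink
    echo "$tmp"
}

# Safe: mktemp creates a fresh file with an unpredictable name and mode 0600,
# with O_EXCL semantics, so a pre-planted symlink is never followed.
# The caller owns the file and removes it when done (e.g. via trap ... EXIT).
safe_tmpfile() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/ps2epsi.XXXXXX") || return 1
    echo "$1" > "$tmp"
    echo "$tmp"
}

# is_private_tmpfile PATH: the property to check in a review: a regular file,
# not a symlink, with no group/other permission bits (ls -l columns 5-10).
is_private_tmpfile() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
```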

The old stable distribution (woody) does not contain inkscape packages.

For the stable distribution (sarge) this problem has been fixed in version 0.41-4.99.sarge2.

For the unstable distribution (sid) this problem has been fixed in version 0.42.2+0.43pre1-1.

We recommend that you upgrade your inkscape package.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
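The manual wget-then-dpkg path above with the size and MD5 checksum Debian publishes for each file verified before anything is installed, as an added example that is not part of the advisory. Function names are assumptions of this example, and md5sum from coreutils is assumed to be available.

```shell
#!/bin/sh
# Added example, not part of the DSA text: the advisory's wget + dpkg -i
# sequence, refusing to install a package whose size or MD5 does not match
# the values published with the advisory. Function names are assumptions.

# check_md5 FILE EXPECTED_MD5: succeeds only if FILE's MD5 matches
# (md5sum from coreutils is assumed to be available).
check_md5() {
    file=$1; expected=$2
    actual=$(md5sum "$file" | cut -d' ' -f1) || return 1
    [ "$actual" = "$expected" ]
}

# check_size FILE EXPECTED_BYTES: the Size column, cheap to compare first.
check_size() {
    file=$1; expected=$2
    actual=$(wc -c < "$file" | tr -d ' ')
    [ "$actual" = "$expected" ]
}

# install_verified_deb URL SIZE MD5: fetch, verify, then dpkg -i, which is
# the advisory's sequence with a verification step before installation.
install_verified_deb() {
    url=$1; size=$2; md5=$3
    deb=$(basename "$url")
    wget -q -O "$deb" "$url" || { echo "download failed: $url" >&2; return 1; }
    if ! check_size "$deb" "$size" || ! check_md5 "$deb" "$md5"; then
        echo "size/checksum mismatch for $deb, not installing" >&2
        rm -f "$deb"
        return 1
    fi
    dpkg -i "$deb"
}

# Usage, with SIZE and MD5 taken from the advisory's Size/MD5 line for the
# package matching your architecture:
#   install_verified_deb "$URL" "$SIZE" "$MD5"
```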

Debian GNU/Linux 3.1 alias sarge


These files will probably be moved into the stable distribution on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Fedora Core


Fedora Update Notification
FEDORA-2005-1125
2005-12-07

Product : Fedora Core 3
Name : gpdf
Version : 2.8.2
Release : 5.2
Summary : viewer for Portable Document Format (PDF) files for GNOME

Description :
This is GPdf, a viewer for Portable Document Format (PDF) files for GNOME. GPdf is based on the Xpdf program and uses additional GNOME libraries for better desktop integration.

GPdf includes the gpdf application, a Bonobo control for PDF display which can be embedded in Nautilus, and a Nautilus property page for PDF files.


Update Information:

Several flaws were discovered in Xpdf, which is used internally by gpdf. An attacker could construct a carefully crafted PDF file that could cause gpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-3193 to these issues.

Users of gpdf should upgrade to this updated package, which contains a patch to resolve these issues.


  • Tue Dec 6 2005 Ray Strode <rstrode@redhat.com> 2.8.2-5.2
    • apply patch for CVE-2005-3193 (bug 175100)

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.



Fedora Update Notification
FEDORA-2005-1126
2005-12-07

Product : Fedora Core 4
Name : tetex
Version : 3.0
Release : 7.FC4
Summary : The TeX text formatting system.

Description :
TeTeX is an implementation of TeX for Linux or UNIX systems. TeX takes a text file and a set of formatting commands as input and creates a typesetter-independent .dvi (DeVice Independent) file as output. Usually, TeX is used in conjunction with a higher level formatting package like LaTeX or PlainTeX, since TeX by itself is not very user-friendly.

Install tetex if you want to use the TeX text formatting system. If you are installing tetex, you will also need to install tetex-afm (a PostScript(TM) font converter for TeX), tetex-dvips (for converting .dvi files to PostScript format for printing on PostScript printers), tetex-latex (a higher level formatting package which provides an easier-to-use interface for TeX), and tetex-xdvi (for previewing .dvi files in X). Unless you are an expert at using TeX, you should also install the tetex-doc package, which includes the documentation for TeX.

The Red Hat tetex package also contains software related to Japanese support for teTeX, such as ptex, which is not part of the teTeX project.


Update Information:

Several flaws were discovered in Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The teTeX package contains a copy of the Xpdf code used for parsing PDF files and is therefore affected by this bug. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-3193 to these issues.

Users of teTeX should upgrade to this updated package, which contains a patch to resolve these issues.


  • Wed Dec 7 2005 Jindrich Novy <jnovy@redhat.com> 3.0-7.FC4
    • apply patch from Derek Noonburg to fix CVE-2005-3193 xpdf overflows (#175110)

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/


This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.



Fedora Update Notification
FEDORA-2005-1127
2005-12-07

Product : Fedora Core 3
Name : tetex
Version : 2.0.2
Release : 21.5
Summary : The TeX text formatting system.

Description :
TeTeX is an implementation of TeX for Linux or UNIX systems. TeX takes a text file and a set of formatting commands as input and creates a typesetter-independent .dvi (DeVice Independent) file as output. Usually, TeX is used in conjunction with a higher level formatting package like LaTeX or PlainTeX, since TeX by itself is not very user-friendly.

Install tetex if you want to use the TeX text formatting system. If you are installing tetex, you will also need to install tetex-afm (a PostScript(TM) font converter for TeX), tetex-dvips (for converting .dvi files to PostScript format for printing on PostScript printers), tetex-latex (a higher level formatting package which provides an easier-to-use interface for TeX), and tetex-xdvi (for previewing .dvi files in X). Unless you are an expert at using TeX, you should also install the tetex-doc package, which includes the documentation for TeX.


Update Information:

Several flaws were discovered in Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The teTeX package contains a copy of the Xpdf code used for parsing PDF files and is therefore affected by this bug. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-3193 to these issues.

Users of teTeX should upgrade to this updated package, which contains a patch to resolve these issues.


  • Tue Dec 6 2005 Jindrich Novy <jnovy@redhat.com> 2.0.2-21.5
    • apply patch from Derek Noonburg to fix CVE-2005-3193, xpdf buffer overflows (#175110)
  • Thu Aug 18 2005 Jindrich Novy <jnovy@redhat.com>
    • support both .Z and .gz files in psfig.sty (#165203)
  • Thu Aug 18 2005 Jindrich Novy <jnovy@redhat.com> 2.0.2-21.4
    • enable languages in babel (#11570)

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.