Debian GNU/Linux
Debian Security Advisory DSA 916-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
December 7th, 2005                      http://www.debian.org/security/faq
Package : inkscape
Vulnerability : buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2005-3737 CVE-2005-3885
BugTraq ID : 14522
Debian Bug : 321501 330894
Several vulnerabilities have been discovered in Inkscape, a
vector-based drawing program. The Common Vulnerabilities and
Exposures project identifies the following problems:
CVE-2005-3737
Joxean Koret discovered a buffer overflow in the SVG parsing
routines that can lead to the execution of arbitrary code.
CVE-2005-3885
Javier Fernández-Sanguino Peña
noticed that the ps2epsi extension shell script uses a hardcoded
temporary file making it vulnerable to symlink attacks.
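The following is an added illustration of the class of bug CVE-2005-3885 describes, not Inkscape's ps2epsi script and not code from the advisory. It places a predictable, hardcoded temporary-file name beside the mktemp-based pattern that closes the hole, and runs both against a pre-planted symlink in a private scratch directory. The script names, file names and payload string are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Inkscape's ps2epsi, not from the advisory): a hardcoded
# temporary file versus mktemp, exercised against a pre-planted symlink.
# File names and payload below are constructed for illustration.

# Vulnerable pattern: the script always writes to the same predictable path.
# Anyone who can write to the shared directory first can drop a symlink
# there; the victim's write then follows the link and clobbers the target
# with the victim's privileges.
unsafe_write() {
    tmpdir=$1
    tmp="$tmpdir/ps2epsi.tmp"          # hardcoded, guessable name
    printf 'EPS payload\n' > "$tmp"    # > follows an existing symlink
    printf '%s\n' "$tmp"
}

# Hardened pattern: mktemp creates a fresh file with an unguessable name and
# O_EXCL semantics, so a symlink planted in advance is never written through;
# if the file cannot be created the function fails closed.
safe_write() {
    tmpdir=$1
    tmp=$(mktemp "$tmpdir/ps2epsi.XXXXXX") || return 1
    printf 'EPS payload\n' > "$tmp"
    printf '%s\n' "$tmp"
}

# Attack against the fixed name: prints "clobbered" when the victim file
# was overwritten through the planted link.
demo_unsafe() {
    scratch=$(mktemp -d) || return 1       # stands in for a shared /tmp
    victim="$scratch/victim-file"
    printf 'original\n' > "$victim"
    ln -s "$victim" "$scratch/ps2epsi.tmp"  # attacker plants the link first
    unsafe_write "$scratch" >/dev/null      # victim runs the script
    if [ "$(cat "$victim")" = 'EPS payload' ]; then
        echo clobbered
    else
        echo intact
    fi
    rm -rf "$scratch"
}

# Same planted link against the mktemp version: prints "intact" when the
# victim file is untouched and the script used a different, fresh path.
demo_safe() {
    scratch=$(mktemp -d) || return 1
    victim="$scratch/victim-file"
    printf 'original\n' > "$victim"
    ln -s "$victim" "$scratch/ps2epsi.tmp"
    used=$(safe_write "$scratch") || { rm -rf "$scratch"; return 1; }
    if [ "$(cat "$victim")" = 'original' ] && [ "$used" != "$scratch/ps2epsi.tmp" ]; then
        echo intact
    else
        echo clobbered
    fi
    rm -rf "$scratch"
}

printf 'hardcoded name: %s\nmktemp:         %s\n' "$(demo_unsafe)" "$(demo_safe)"
```

The fix is the same for any shell helper that writes to a world-writable directory: never derive the path from a constant or from the PID alone, create the file with mktemp (or `mktemp -d` for a private working directory), and treat a creation failure as fatal rather than falling back to a fixed name.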
The old stable distribution (woody) does not contain inkscape
packages.
For the stable distribution (sarge) these problems have been fixed
in version 0.41-4.99.sarge2.
For the unstable distribution (sid) these problems have been fixed
in version 0.42.2+0.43pre1-1.
We recommend that you upgrade your inkscape package.
Upgrade Instructions

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
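When fetching a package by hand with wget and installing it with dpkg -i (or rpm -i for the Fedora packages further down), the only integrity check available is the Size/MD5 checksum line published beside each URL. The script below is an added example, not part of the Debian or Fedora advisories: it checks a downloaded file's size and MD5 against a manifest whose lines carry the advisory's three fields (size, digest, path) flattened onto one line, and refuses to report success if any entry fails. The sample files and manifest entries are constructed; the digest used is that of the six-byte string "hello\n".

```shell
#!/bin/sh
# Added example (not from the Debian or Fedora advisories): verify downloaded
# packages against the advisory's "Size/MD5 checksum" values before dpkg -i.
# Manifest format assumed here: "SIZE MD5 PATH" per line. Sample files are
# constructed; b1946ac9... is the well-known MD5 of "hello\n".

# MD5 of a file, portable across GNU coreutils (md5sum) and BSD/macOS (md5).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_pkg FILE EXPECTED_SIZE EXPECTED_MD5
# Prints "ok" and returns 0 only when both values match. Size is checked
# first: a mismatch there almost always means a truncated download.
verify_pkg() {
    file=$1; want_size=$2; want_md5=$3
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    got_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$got_size" != "$want_size" ]; then
        echo "size mismatch: $file ($got_size != $want_size)"; return 1
    fi
    got_md5=$(md5_of "$file")
    if [ "$got_md5" != "$want_md5" ]; then
        echo "md5 mismatch: $file"; return 1
    fi
    echo ok
}

# verify_manifest MANIFEST DIR
# Each manifest line is "SIZE MD5 PATH"; the file is looked up in DIR by its
# basename. Returns 1 if any entry fails, so a caller can chain
# `verify_manifest m . && dpkg -i ...` and never install an unverified file.
verify_manifest() {
    manifest=$1; dir=$2; rc=0
    while read -r size md5 path; do
        [ -n "$path" ] || continue            # skip blank lines
        result=$(verify_pkg "$dir/$(basename "$path")" "$size" "$md5") || rc=1
        echo "$path: $result"
    done < "$manifest"
    return $rc
}

# Constructed demonstration: one good file, one truncated, one corrupted.
demo() {
    scratch=$(mktemp -d) || return 1
    printf 'hello\n' > "$scratch/good.deb"    # 6 bytes, md5 b1946ac9...
    printf 'hell'    > "$scratch/short.deb"   # truncated transfer
    printf 'hellx\n' > "$scratch/bad.deb"     # right size, wrong bytes
    printf '%s\n' \
        '6 b1946ac92492d2347c6235b4d2611184 pool/updates/main/good.deb' \
        '6 b1946ac92492d2347c6235b4d2611184 pool/updates/main/short.deb' \
        '6 b1946ac92492d2347c6235b4d2611184 pool/updates/main/bad.deb' \
        > "$scratch/manifest"
    if verify_manifest "$scratch/manifest" "$scratch"; then
        echo 'all verified'
    else
        echo 'verification failed; do not install'
    fi
    rm -rf "$scratch"
}

demo
```

Two caveats for anyone using this in practice: the check has to happen before dpkg -i or rpm -i, not after, since a partially written archive can still unpack; and MD5 is no longer collision resistant, so a matching digest rules out corruption or truncation in transit but is not by itself proof that the file is the one the distribution built.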
Debian GNU/Linux 3.1 alias sarge
Source archives:
http://security.debian.org/pool/updates/main/i/inkscape/inkscape_0.41-4.99.sarge2.dsc
Size/MD5 checksum: 889 8e20fa91e0d4cc48dad356842e279d43
http://security.debian.org/pool/updates/main/i/inkscape/inkscape_0.41-4.99.sarge2.diff.gz
Size/MD5 checksum: 19542 16dc49a90ef6362eafb0f1185d1d3341
http://security.debian.org/pool/updates/main/i/inkscape/inkscape_0.41.orig.tar.gz
Size/MD5 checksum: 6090081 989a09d06e4db1ddfd00b8019a5dcd73
Alpha architecture:
http://security.debian.org/pool/updates/main/i/inkscape/inkscape_0.41-4.99.sarge2_alpha.deb
Size/MD5 checksum: 5976090 cd204ed15f1c5ab0603225d6b98c5b39
AMD64 architecture:
http://security.debian.org/pool/updates/main/i/inkscape/inkscape_0.41-4.99.sarge2_amd64.deb
Size/MD5 checksum: 5424440 2cab0898d7275fedb719e98ff1de05ea
ARM architecture:
http://security.debian.org/pool/updates/main/i/inkscape/inkscape_0.41-4.99.sarge2_arm.deb
Size/MD5 checksum: 5413996 5b4fd5a1d97408108cc26e0990468d63
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/i/inkscape/inkscape_0.41-4.99.sarge2_i386.deb
Size/MD5 checksum: 5445836 435ce53091c87aeb6979d3b7c75a625e
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/i/inkscape/inkscape_0.41-4.99.sarge2_ia64.deb
Size/MD5 checksum: 6580176 f855d6c9aca23aa045e4d0e391cd3e65
HP Precision architecture:
http://security.debian.org/pool/updates/main/i/inkscape/inkscape_0.41-4.99.sarge2_hppa.deb
Size/MD5 checksum: 5894380 f233719364af393e84eb3577c5bd3d90
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/i/inkscape/inkscape_0.41-4.99.sarge2_m68k.deb
Size/MD5 checksum: 5326010 d5a122f8852512d0eef1202fad73d970
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/i/inkscape/inkscape_0.41-4.99.sarge2_mips.deb
Size/MD5 checksum: 5768826 56ea6b35e2340861c4440aa650f2bd62
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/i/inkscape/inkscape_0.41-4.99.sarge2_mipsel.deb
Size/MD5 checksum: 5760476 3f2dc329f2cc5d1597c931a234900931
PowerPC architecture:
http://security.debian.org/pool/updates/main/i/inkscape/inkscape_0.41-4.99.sarge2_powerpc.deb
Size/MD5 checksum: 5573546 4310413071b8b30686aefb533c36c09a
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/i/inkscape/inkscape_0.41-4.99.sarge2_s390.deb
Size/MD5 checksum: 5280106 f892057ad430c49c47ad408ed8455c8a
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/i/inkscape/inkscape_0.41-4.99.sarge2_sparc.deb
Size/MD5 checksum: 5350968 1654ffcb98846190a686440f43e691bd
These files will probably be moved into the stable distribution
on its next update.
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
Fedora Core
Fedora Update Notification
FEDORA-2005-1125
2005-12-07
Product : Fedora Core 3
Name : gpdf
Version : 2.8.2
Release : 5.2
Summary : viewer for Portable Document Format (PDF) files for GNOME
Description :
This is GPdf, a viewer for Portable Document Format (PDF) files for
GNOME. GPdf is based on the Xpdf program and uses additional GNOME
libraries for better desktop integration.
GPdf includes the gpdf application, a Bonobo control for PDF
display which can be embedded in Nautilus, and a Nautilus property
page for PDF files.
Update Information:
Several flaws were discovered in Xpdf, which is used internally
by gpdf. An attacker could
construct a carefully crafted PDF file that could cause gpdf to
crash or possibly execute arbitrary code when opened. The Common
Vulnerabilities and Exposures project assigned the name
CAN-2005-3193 to these issues.
Users of gpdf should upgrade to this updated package, which
contains a patch to resolve these issues.
- Tue Dec 6 2005 Ray Strode <rstrode@redhat.com> 2.8.2-5.2
- apply patch for CVE-2005-3193 (bug 175100)
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
b9cd74d341bfd9a9c257407c81f9a4c3 SRPMS/gpdf-2.8.2-5.2.src.rpm
04082676195410af9988bbec54d077a1 x86_64/gpdf-2.8.2-5.2.x86_64.rpm
cd07f08c971ab7424449bec211bbf846 x86_64/debug/gpdf-debuginfo-2.8.2-5.2.x86_64.rpm
1ba354c5318dd2556f02b49f4566c56d i386/gpdf-2.8.2-5.2.i386.rpm
6d27c4d5db419da05b21602d594841bb i386/debug/gpdf-debuginfo-2.8.2-5.2.i386.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
Fedora Update Notification
FEDORA-2005-1126
2005-12-07
Product : Fedora Core 4
Name : tetex
Version : 3.0
Release : 7.FC4
Summary : The TeX text formatting system.
Description :
TeTeX is an implementation of TeX for Linux or UNIX systems. TeX
takes a text file and a set of formatting commands as input and
creates a typesetter-independent .dvi (DeVice Independent) file as
output. Usually, TeX is used in conjunction with a higher level
formatting package like LaTeX or PlainTeX, since TeX by itself is
not very user-friendly.
Install tetex if you want to use the TeX text formatting system.
If you are installing tetex, you will also need to install
tetex-afm (a PostScript(TM) font converter for TeX), tetex-dvips
(for converting .dvi files to PostScript format for printing on
PostScript printers), tetex-latex (a higher level formatting
package which provides an easier-to-use interface for TeX), and
tetex-xdvi (for previewing .dvi files in X). Unless you are an
expert at using TeX, you should also install the tetex-doc package,
which includes the documentation for TeX.
The Red Hat tetex package also contains software related to
Japanese support for teTeX, such as ptex, which is not part of the
teTeX project.
Update Information:
Several flaws were discovered in Xpdf. An attacker could
construct a carefully crafted PDF file that could cause Xpdf to
crash or possibly execute arbitrary code when opened. The teTeX
package contains a copy of the Xpdf code used for parsing PDF files
and is therefore affected by this bug. The Common Vulnerabilities
and Exposures project assigned the name CAN-2005-3193 to these
issues.
Users of teTeX should upgrade to this updated package, which
contains a patch to resolve these issues.
- Wed Dec 7 2005 Jindrich Novy <jnovy@redhat.com> 3.0-7.FC4
- apply patch from Derek Noonburg to fix CVE-2005-3193 xpdf
  overflows (#175110)
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/
c9c2edbfb432eab99adeb8d12eb0e428 SRPMS/tetex-3.0-7.FC4.src.rpm
89c83c91630e195891736ae8410308ef ppc/tetex-3.0-7.FC4.ppc.rpm
9f12ecf3e09412eb968d686c89500367 ppc/tetex-latex-3.0-7.FC4.ppc.rpm
aac1f6547f024e7ccc35a1d917ea0956 ppc/tetex-xdvi-3.0-7.FC4.ppc.rpm
4ce4d696e627851dd50046f55ac4bde0 ppc/tetex-dvips-3.0-7.FC4.ppc.rpm
c82cdf20e3decb6691d91a12b15f589b ppc/tetex-afm-3.0-7.FC4.ppc.rpm
cf4c487e1edec55ba2c16af7ac5e1630 ppc/tetex-fonts-3.0-7.FC4.ppc.rpm
90a82c0d8708f7a7bb84a74c709a30c6 ppc/tetex-doc-3.0-7.FC4.ppc.rpm
88fecde9225ee34fe960940a654dd0f5 ppc/debug/tetex-debuginfo-3.0-7.FC4.ppc.rpm
4038c55cb0e62b16fca09333914b16ea x86_64/tetex-3.0-7.FC4.x86_64.rpm
4197a02a32c6b0be00a1c8b1115a8eb3 x86_64/tetex-latex-3.0-7.FC4.x86_64.rpm
04bdd2b1b9cc705a5ababff06cc7dbfa x86_64/tetex-xdvi-3.0-7.FC4.x86_64.rpm
29aa8350a9a8f7e09846b710f5cb4634 x86_64/tetex-dvips-3.0-7.FC4.x86_64.rpm
f865247d37aa5679a06e7becae57de8d x86_64/tetex-afm-3.0-7.FC4.x86_64.rpm
1872fb9c98352a3d0147221d2a7c3c39 x86_64/tetex-fonts-3.0-7.FC4.x86_64.rpm
0f77f10463678ad413ca7aaa0c8760aa x86_64/tetex-doc-3.0-7.FC4.x86_64.rpm
cf6a68c0041f1c0b482905a816f0c64c x86_64/debug/tetex-debuginfo-3.0-7.FC4.x86_64.rpm
49ac41b0799982af0c467191bf49b51a i386/tetex-3.0-7.FC4.i386.rpm
a0dada19f3c39db557d0cecc194d3f4f i386/tetex-latex-3.0-7.FC4.i386.rpm
ebd5dbed238fb43233f9cfaf9111a51b i386/tetex-xdvi-3.0-7.FC4.i386.rpm
53d0709df7a1105c6643d65e88a7b0b1 i386/tetex-dvips-3.0-7.FC4.i386.rpm
5bab1dd4df5f3b57915a777c6fdeb053 i386/tetex-afm-3.0-7.FC4.i386.rpm
c85b4d01615ebd460e7f26345b560765 i386/tetex-fonts-3.0-7.FC4.i386.rpm
10e26b6f01f39716986b6581504ccfda i386/tetex-doc-3.0-7.FC4.i386.rpm
38772851a0226358d85ab8a5db3ab78d i386/debug/tetex-debuginfo-3.0-7.FC4.i386.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
Fedora Update Notification
FEDORA-2005-1127
2005-12-07
Product : Fedora Core 3
Name : tetex
Version : 2.0.2
Release : 21.5
Summary : The TeX text formatting system.
Description :
TeTeX is an implementation of TeX for Linux or UNIX systems. TeX
takes a text file and a set of formatting commands as input and
creates a typesetter-independent .dvi (DeVice Independent) file as
output. Usually, TeX is used in conjunction with a higher level
formatting package like LaTeX or PlainTeX, since TeX by itself is
not very user-friendly.
Install tetex if you want to use the TeX text formatting system.
If you are installing tetex, you will also need to install
tetex-afm (a PostScript(TM) font converter for TeX), tetex-dvips
(for converting .dvi files to PostScript format for printing on
PostScript printers), tetex-latex (a higher level formatting
package which provides an easier-to-use interface for TeX), and
tetex-xdvi (for previewing .dvi files in X). Unless you are an
expert at using TeX, you should also install the tetex-doc package,
which includes the documentation for TeX.
Update Information:
Several flaws were discovered in Xpdf. An attacker could
construct a carefully crafted PDF file that could cause Xpdf to
crash or possibly execute arbitrary code when opened. The teTeX
package contains a copy of the Xpdf code used for parsing PDF files
and is therefore affected by this bug. The Common Vulnerabilities
and Exposures project assigned the name CAN-2005-3193 to these
issues.
Users of teTeX should upgrade to this updated package, which
contains a patch to resolve these issues.
- Tue Dec 6 2005 Jindrich Novy <jnovy@redhat.com> 2.0.2-21.5
- apply patch from Derek Noonburg to fix CVE-2005-3193, xpdf
  buffer overflows (#175110)
- Thu Aug 18 2005 Jindrich Novy <jnovy@redhat.com>
- support both .Z and .gz files in psfig.sty (#165203)
- Thu Aug 18 2005 Jindrich Novy <jnovy@redhat.com> 2.0.2-21.4
- enable languages in babel (#11570)
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
802aff298f6378498cdeb9c066907f58 SRPMS/tetex-2.0.2-21.5.src.rpm
3de558321f6874d7f8792c4e2c9c356b x86_64/tetex-2.0.2-21.5.x86_64.rpm
4a5f38be89e62e1e53fc49412e57b49f x86_64/tetex-latex-2.0.2-21.5.x86_64.rpm
6c09295f8a7a7ee13c8fda4fb1666977 x86_64/tetex-xdvi-2.0.2-21.5.x86_64.rpm
92fba9c5adc5833de08718b5b06a8652 x86_64/tetex-dvips-2.0.2-21.5.x86_64.rpm
e6164f5961ec833b73d4ed092b746521 x86_64/tetex-afm-2.0.2-21.5.x86_64.rpm
c09ca851c6e2eb96da58c7f2c5c14332 x86_64/tetex-fonts-2.0.2-21.5.x86_64.rpm
38d16809b3f7349a39b59909cbeeb8e3 x86_64/tetex-doc-2.0.2-21.5.x86_64.rpm
3f00c57a1f36f1ebed167c330459dbd2 x86_64/debug/tetex-debuginfo-2.0.2-21.5.x86_64.rpm
058258ccc8f766fd3f9421bf7edf6e25 i386/tetex-2.0.2-21.5.i386.rpm
c88b931b479a31fc21602dd0313e71fa i386/tetex-latex-2.0.2-21.5.i386.rpm
dd3014f1661eec70e9f539f1ca3879ef i386/tetex-xdvi-2.0.2-21.5.i386.rpm
a14ea2aa8c1d2a98b6bba78ef6d8e695 i386/tetex-dvips-2.0.2-21.5.i386.rpm
691d45e866472cd14c8a20f736545ad3 i386/tetex-afm-2.0.2-21.5.i386.rpm
4a2db4403fc6c342e8ea0b31ec6f0c4c i386/tetex-fonts-2.0.2-21.5.i386.rpm
ea1d7c378365eec467b8a4c73c4fe00e i386/tetex-doc-2.0.2-21.5.i386.rpm
adf1bd365b26efec58a4eb02fd9d9d83 i386/debug/tetex-debuginfo-2.0.2-21.5.i386.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.