Jon Larimer

**Name of the Vulnerable Software and Affected Versions** texlive-debuginfo-2007 versions 2007 texlive-dviutils-2007 versions 2007 texlive-context-2007 versions 2007 texlive-utils-2007 versions 2007 texlive-2007 versions 2007 t1lib versions 5.1.2 and earlier texlive-dvips-2007 versions 2007 texlive-xetex-2007 versions 2007 mendexk-2.6e versions 2.6e texlive-afm-2007 versions 2007 kpathsea-2007 versions 2007 kpathsea-devel-2007 versions 2007 texlive-east-asian-2007 versions 2007 texlive-latex-2007 versions 2007 **Description** The issue is related to multiple vulnerabilities in various packages of the texlive and t1lib software, which can lead to a disruption of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. A heap-based buffer overflow in the AFM font parser in the dvi-backend component allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted font in conjunction with a DVI file. **Recommendations** For texlive-debuginfo-2007 version 2007, update to a newer version. For texlive-dviutils-2007 version 2007, update to a newer version. For texlive-context-2007 version 2007, update to a newer version. For texlive-utils-2007 version 2007, update to a newer version. For texlive-2007 version 2007, update to a newer version. For t1lib version 5.1.2 and earlier, update to a newer version. For texlive-dvips-2007 version 2007, update to a newer version. For texlive-xetex-2007 version 2007, update to a newer version. For mendexk-2.6e version 2.6e, update to a newer version. For texlive-afm-2007 version 2007, update to a newer version. For kpathsea-2007 version 2007, update to a newer version. For kpathsea-devel-2007 version 2007, update to a newer version. For texlive-east-asian-2007 version 2007, update to a newer version. For texlive-latex-2007 version 2007, update to a newer version. As a temporary workaround, consider disabling the AFM font parser in the dvi-backend component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Evince versions 2.32 and earlier **Description** The issue is related to an array index error in the PK font parser of the dvi-backend component. This error can be exploited by remote attackers to cause a denial of service, resulting in an application crash, or possibly execute arbitrary code. The exploitation involves a crafted font used in conjunction with a DVI file that is processed by the thumbnailer. **Recommendations** For Evince versions 2.32 and earlier, consider disabling the thumbnailer feature until a patch is available to prevent potential exploitation. Additionally, restrict access to the dvi-backend component to minimize the risk of arbitrary code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Evince versions 2.32 and earlier **Description** The issue is related to an array index error in the VF font parser within the dvi-backend component. This error can be triggered by remote attackers using a crafted font in conjunction with a DVI file that is processed by the thumbnailer, potentially leading to a denial of service (application crash) or possibly the execution of arbitrary code. **Recommendations** For Evince versions 2.32 and earlier, consider updating to a version that addresses this issue, as no specific workaround is provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Evince versions 2.32 and earlier **Description** The issue is related to an integer overflow in the TFM font parser. This allows remote attackers to execute arbitrary code through a crafted font in conjunction with a DVI file that is processed by the thumbnailer. **Recommendations** For Evince versions 2.32 and earlier, consider disabling the thumbnailer or restricting the processing of DVI files until a patch is available. As a temporary workaround, avoid using the dvi-backend component with untrusted font sources. At the moment, there is no information about a newer version that contains a fix for this vulnerability.