PT-2002-3170 · Tetex · Tetex-Fonts+8

Published: 1970-01-01 · Updated: 2016-10-18 · CVE-2002-0836

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

tetex-dev versions (affected versions not specified)
tetex-dvips versions 1.0.6 through 1.0.7
tetex-afm versions 1.0.6 through 1.0.7
tetex-fonts versions 1.0.6 through 1.0.7
tetex-xdvi versions 1.0.6 through 1.0.7
tetex-latex versions 1.0.6 through 1.0.7
tetex-dvilj versions 1.0.6 through 1.0.7
tetex-lib versions (affected versions not specified)
tetex versions 1.0.6 through 1.0.7

Description

The issue involves multiple vulnerabilities in the tetex package, which can lead to a breach of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. The dvips converter for PostScript files in the tetex package calls the system() function insecurely, allowing remote attackers to execute arbitrary commands via certain print jobs, possibly involving fonts.

Recommendations

For tetex-dev, at the moment, there is no information about a newer version that contains a fix for this vulnerability.
For tetex-dvips versions 1.0.6 through 1.0.7, consider disabling the dvips converter as a temporary workaround until a patch is available.
For tetex-afm versions 1.0.6 through 1.0.7, restrict access to the afm module to minimize the risk of exploitation.
For tetex-fonts versions 1.0.6 through 1.0.7, avoid using the fonts parameter in the affected API endpoint until the issue is resolved.
For tetex-xdvi versions 1.0.6 through 1.0.7, consider disabling the xdvi function as a temporary workaround until a patch is available.
For tetex-latex versions 1.0.6 through 1.0.7, restrict access to the latex module to minimize the risk of exploitation.
For tetex-dvilj versions 1.0.6 through 1.0.7, consider disabling the dvilj function as a temporary workaround until a patch is available.
For tetex-lib, at the moment, there is no information about a newer version that contains a fix for this vulnerability.
For tetex versions 1.0.6 through 1.0.7, consider disabling the vulnerable functions as a temporary workaround until a patch is available.

Related Identifiers

BDU:2015-04028
BDU:2015-04029
BDU:2015-08226
BDU:2015-08227
BDU:2015-08228
BDU:2015-08229
BDU:2015-08232
BDU:2015-08233
BDU:2015-08234
BDU:2015-08235
BDU:2015-08236
BDU:2015-08237
BDU:2015-08238
BDU:2015-08239
BDU:2015-08240
BDU:2015-08241
CVE-2002-0836
DSA-207

Affected Products

Tetex
Tetex-Afm
Tetex-Dev
Tetex-Dvilj
Tetex-Dvips
Tetex-Fonts
Tetex-Latex
Tetex-Lib
Tetex-Xdvi