Yellow Dog Linux Security Announcement
--------------------------------------

Package:        tetex
Issue Date:     December 08, 2001
Priority:       high
Advisory ID:    YDU-20011208-1

1. Topic:

   Updated teTeX packages are available, fixing a temporary file
   handling vulnerability and an insecure invocation of dvips in a
   print filter.

2. Problem:

   A flaw has been discovered in the temporary file handling of some
   of the scripts from the teTeX set of packages. This can, under some
   circumstances, lead to a compromise of the groups that LPRng runs as.

   Several scripts used the current process ID as temporary file names
   and have now been altered to use the 'mktemp' program instead.

   Additionally, an insecure invocation of the 'dvips' program has been
   discovered in the print filter used for handling DVI files. This has
   been corrected to use the -R option.

3. Solution:

   a) Updating via yup...

      We suggest that you use the Yellow Dog Update Program (yup) to
      keep your system up-to-date. The following command(s) will
      automatically retrieve and install the fixed version of this
      update onto your system:

         yup update tetex

   b) Updating manually...

      The update can also be retrieved manually from our ftp site below
      along with the rpm command that should be used to install the
      update. (Please use a mirror site)

      ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.1/ppc/

         rpm -Fvh tetex-1.0.7-8.1a.ppc.rpm
         rpm -Fvh tetex-latex-1.0.7-8.1a.ppc.rpm
         rpm -Fvh tetex-xdvi-1.0.7-8.1a.ppc.rpm
         rpm -Fvh tetex-dvips-1.0.7-8.1a.ppc.rpm
         rpm -Fvh tetex-dvilj-1.0.7-8.1a.ppc.rpm
         rpm -Fvh tetex-afm-1.0.7-8.1a.ppc.rpm
         rpm -Fvh tetex-fonts-1.0.7-8.1a.ppc.rpm
         rpm -Fvh tetex-doc-1.0.7-8.1a.ppc.rpm

4. Verification

   If you wish to verify that each package has not been corrupted or
   tampered with, examine the md5sum with the following command:

         rpm --checksig --nogpg filename

5. Misc.

   Terra Soft has set up a moderated mailing list where these security,
   bugfix, and package enhancement announcements will be posted. See
   http://lists.yellowdoglinux.com/ for more information.

   For information regarding the usage of yup, the Yellow Dog Update
   Program, see
   http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml
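
The temporary file problem from section 2, shown as an added shell example that is not taken from the teTeX scripts or from this advisory: a PID-derived file name beside its mktemp replacement. The texjob.* names and the scratch directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; texjob.* and the scratch layout are constructed names.

# Old pattern: the name is derived from the process ID, so any local user
# can predict it and create the path first.
unsafe_tmp() {
    f="$1/texjob.$$"
    echo "job data" > "$f"      # '>' follows a symlink already sitting at $f
    printf '%s\n' "$f"
}

# Fixed pattern: mktemp chooses a random suffix and creates the file
# exclusively with mode 0600, so an existing file or symlink is never reused.
safe_tmp() {
    f=$(mktemp "$1/texjob.XXXXXX") || return 1
    echo "job data" > "$f"
    printf '%s\n' "$f"
}

# Run both patterns in a private scratch directory in which the predictable
# name already exists as a symlink to another file, and report which writes
# ended up in that other file.
demo() {
    scratch=$(mktemp -d) || return 1
    other="$scratch/other-file"
    : > "$other"
    ln -s "$other" "$scratch/texjob.$$"

    unsafe_tmp "$scratch" > /dev/null
    if [ -s "$other" ]; then echo "PID name: write landed in other-file"; fi

    : > "$other"
    new=$(safe_tmp "$scratch") || { rm -rf "$scratch"; return 1; }
    if [ ! -s "$other" ] && [ ! -L "$new" ]; then
        echo "mktemp:   wrote to a fresh private file: ${new##*/}"
    fi
    rm -rf "$scratch"
}

demo
```

When the script runs with the privileges of a print spooler group, the first pattern lets the write be redirected to any file that group can modify, which is the group compromise the advisory describes.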