Yellow Dog Linux Security Announcement
--------------------------------------

Package:	printtool	
Issue Date: 	December 08, 2001
Priority:	medium		
Advisory ID: 	YDU-20011208-3


1. 	Topic:

	When used in a spooling environment, it is inappropriate to allow programs
	to read arbitrary files as a result of print requests. Ghostscript, a
	postscript interpreter, can read arbitrary system files with the same
	permissions as the print spooler, potentially exposing the system to an
	information compromise.


2. 	Problem:

	Ghostscript, a postscript interpreter, possess various 'file', 'run',
	etc., commands internally. It also provides a -dSAFER flag to restrict the
	use of the commands. However, the -dSAFER flag is meant to protect a user
	from malicious postscript, not to protect a system from inappropriate
	snooping by a user, and so it is still possible to _read_ files in the
	SAFER mode.


3. 	Solution:

   	a) Updating via yup...
   	We suggest that you use the Yellow Dog Update Program (yup)
   	to keep your system up-to-date. The following command(s) will
   	automatically retrieve and install the fixed version of
   	this update onto your system:

   		yup update printtool
		yup update ghostscript
		yup update rhs-printfilters

   	b) Updating manually...
   	The update can also be retrieved manually from our ftp site
   	below along with the rpm command that should be used to install
   	the update.  (Please use a mirror site)

   		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.1/ppc/
                rpm -Fvh printtool-3.54-2a.noarch.rpm
		rpm -Fvh ghostscript-5.50-19.ppc.rpm
		rpm -Fvh rhs-printfilters-1.81-4.ppc.rpm

4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
7fb79b8a498527501a3f5a52bab296cc  RPMS/printtool-3.54-2a.noarch.rpm
04c53f5f0c977bccb2d4d6df22fa6e18  RPMS/ghostscript-5.50-19.ppc.rpm
8c07f2c2caf2a913105c9378f8173ee4  RPMS/rhs-printfilters-1.81-4.ppc.rpm
48ee46635c191c15e0b39b3a1897e11f  SRPMS/printtool-3.54-2a.src.rpm
14555eec803f53cebfc06e64d399ff80  SRPMS/ghostscript-5.50-19.src.rpm
2308ce22377cf397b173d75c1d4d5a06  SRPMS/rhs-printfilters-1.81-4.src.rpm


If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename


5. Misc.

Terra Soft has setup a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.

For information regarding the usage of yup, the Yellow Dog Update Program, see 
http://http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml