ALAS-2012-048


Amazon Linux AMI Security Advisory: ALAS-2012-48
Advisory Release Date: 2014-09-14 15:23 Pacific
Severity: Medium

Issue Overview:

TeX Live embeds a copy of t1lib. The t1lib library allows you to rasterize bitmaps from PostScript Type 1 fonts. The following issues affect t1lib code:

Two heap-based buffer overflow flaws were found in the way t1lib processed Adobe Font Metrics (AFM) files. If a specially-crafted font file was opened by a TeX Live utility, it could cause the utility to crash or, potentially, execute arbitrary code with the privileges of the user running the utility. (CVE-2010-2642 , CVE-2011-0433 )

An invalid pointer dereference flaw was found in t1lib. A specially-crafted font file could, when opened, cause a TeX Live utility to crash or, potentially, execute arbitrary code with the privileges of the user running the utility. (CVE-2011-0764 )

A use-after-free flaw was found in t1lib. A specially-crafted font file could, when opened, cause a TeX Live utility to crash or, potentially, execute arbitrary code with the privileges of the user running the utility. (CVE-2011-1553 )

An off-by-one flaw was found in t1lib. A specially-crafted font file could, when opened, cause a TeX Live utility to crash or, potentially, execute arbitrary code with the privileges of the user running the utility. (CVE-2011-1554 )

An out-of-bounds memory read flaw was found in t1lib. A specially-crafted font file could, when opened, cause a TeX Live utility to crash. (CVE-2011-1552 )


Affected Packages:

texlive


Issue Correction:
Run yum update texlive to update your system.

New Packages:
i686:
    texlive-dviutils-2007-57.9.amzn1.i686
    kpathsea-2007-57.9.amzn1.i686
    texlive-context-2007-57.9.amzn1.i686
    texlive-afm-2007-57.9.amzn1.i686
    mendexk-2.6e-57.9.amzn1.i686
    texlive-xetex-2007-57.9.amzn1.i686
    texlive-east-asian-2007-57.9.amzn1.i686
    texlive-debuginfo-2007-57.9.amzn1.i686
    texlive-utils-2007-57.9.amzn1.i686
    texlive-dvips-2007-57.9.amzn1.i686
    texlive-latex-2007-57.9.amzn1.i686
    kpathsea-devel-2007-57.9.amzn1.i686
    texlive-2007-57.9.amzn1.i686

src:
    texlive-2007-57.9.amzn1.src

x86_64:
    texlive-dvips-2007-57.9.amzn1.x86_64
    mendexk-2.6e-57.9.amzn1.x86_64
    texlive-2007-57.9.amzn1.x86_64
    kpathsea-2007-57.9.amzn1.x86_64
    texlive-debuginfo-2007-57.9.amzn1.x86_64
    texlive-context-2007-57.9.amzn1.x86_64
    texlive-afm-2007-57.9.amzn1.x86_64
    texlive-latex-2007-57.9.amzn1.x86_64
    texlive-utils-2007-57.9.amzn1.x86_64
    texlive-xetex-2007-57.9.amzn1.x86_64
    texlive-east-asian-2007-57.9.amzn1.x86_64
    texlive-dviutils-2007-57.9.amzn1.x86_64
    kpathsea-devel-2007-57.9.amzn1.x86_64