Debian Security Advisory DSA 207-1 (tetex-bin)

The remote host is missing an update to tetex-bin announced via advisory DSA 207-1.

The SuSE security team discovered a vulnerability in kpathsea library (libkpathsea) which is used by xdvi and dvips. Both programs call the system() function insecurely, which allows a remote attacker to execute arbitrary commands via cleverly crafted DVI files. If dvips is used in a print filter, this allows a local or remote attacker with print permission execute arbitrary code as the printer user (usually lp). This problem has been fixed in version 1.0.7+20011202-7.1for the current stable distribution (woody), in version 1.0.6-7.3 for the old stable distribution (potato) and in version 1.0.7+20021025-4 for the unstable distribution (sid). xdvik-ja and dvipsk-ja are vulnerable as well, but link to the kpathsea library dynamically and will automatically be fixed after a new libkpathsea is installed. We recommend that you upgrade your tetex-lib package immediately.

https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20207-1