Security update for texlive SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:3033-2 Final 1 1 2019-02-21T12:16:48Z current 2019-02-21T12:16:48Z 2019-02-21T12:16:48Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for texlive This update for texlive fixes the following issue: - CVE-2018-17407: Prevent buffer overflow when handling of Type 1 fonts allowed arbitrary code execution when a malicious font was loaded by one of the vulnerable tools: pdflatex, pdftex, dvips, or luatex (bsc#1109673) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-OpenStack-Cloud-7-2019-458,SUSE-SLE-SAP-12-SP2-2019-458,SUSE-SLE-SERVER-12-2019-458,SUSE-SLE-SERVER-12-SP1-2019-458,SUSE-SLE-SERVER-12-SP2-2019-458,SUSE-SLE-SERVER-12-SP2-BCL-2019-458,SUSE-Storage-4-2019-458 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20183033-2/ Link for SUSE-SU-2018:3033-2 https://lists.suse.com/pipermail/sle-security-updates/2019-February/005144.html E-Mail link for SUSE-SU-2018:3033-2 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1109673 SUSE Bug 1109673 https://www.suse.com/security/cve/CVE-2018-17407/ SUSE CVE CVE-2018-17407 page SUSE Enterprise Storage 4 SUSE Linux Enterprise Server 12 SP1-LTSS SUSE Linux Enterprise Server 12 SP2-BCL SUSE Linux Enterprise Server 12 SP2-LTSS SUSE Linux Enterprise Server 12-LTSS SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE OpenStack Cloud 7 libkpathsea6-6.2.0dev-22.3.1 libkpathsea6-6.2.0dev-22.3.1 as a component of SUSE Enterprise Storage 4 libkpathsea6-6.2.0dev-22.3.1 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS libkpathsea6-6.2.0dev-22.3.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL libkpathsea6-6.2.0dev-22.3.1 as a component of SUSE Linux Enterprise Server 12 SP2-LTSS libkpathsea6-6.2.0dev-22.3.1 as a component of SUSE Linux Enterprise Server 12-LTSS libkpathsea6-6.2.0dev-22.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 libkpathsea6-6.2.0dev-22.3.1 as a component of SUSE OpenStack Cloud 7 An issue was discovered in t1_check_unusual_charstring functions in writet1.c files in TeX Live before 2018-09-21. A buffer overflow in the handling of Type 1 fonts allows arbitrary code execution when a malicious font is loaded by one of the vulnerable tools: pdflatex, pdftex, dvips, or luatex. CVE-2018-17407 SUSE Enterprise Storage 4:libkpathsea6-6.2.0dev-22.3.1 SUSE Linux Enterprise Server 12 SP1-LTSS:libkpathsea6-6.2.0dev-22.3.1 SUSE Linux Enterprise Server 12 SP2-BCL:libkpathsea6-6.2.0dev-22.3.1 SUSE Linux Enterprise Server 12 SP2-LTSS:libkpathsea6-6.2.0dev-22.3.1 SUSE Linux Enterprise Server 12-LTSS:libkpathsea6-6.2.0dev-22.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:libkpathsea6-6.2.0dev-22.3.1 SUSE OpenStack Cloud 7:libkpathsea6-6.2.0dev-22.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20183033-2/ https://www.suse.com/security/cve/CVE-2018-17407.html CVE-2018-17407 https://bugzilla.suse.com/1109673 SUSE Bug 1109673 https://bugzilla.suse.com/1125938 SUSE Bug 1125938 https://bugzilla.suse.com/1126909 SUSE Bug 1126909