The SuSE security team has discovered a vulnerability in the kpathsea library (libkpathsea), which is used by xdvi and dvips. Both programs call the system() function insecurely, which allows an attacker to execute arbitrary commands via cleverly crafted DVI files.
The problem has been fixed in version 1.0.7+20011202-7.1 for the current stable distribution (woody), in version 1.0.6-7.3 for the old stable distribution (potato) and in version 1.0.7+20021025-4 for the unstable distribution (sid).
Users should upgrade their tetex-lib package immediately.
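The defensive counterpart to an insecure system() call, as an added example (not code from kpathsea, xdvi or dvips): a name taken from an untrusted input file is checked against an allowlist and handed to a helper program through an argument vector, so no shell ever parses it. The function names and the helper program are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check for a name taken from an untrusted file: letters,
 * digits, '.', '_' and '-' only, no leading '-', bounded length. */
int is_safe_name(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 64 || s[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Run argv[0] with an explicit argument vector. No shell is involved, so
 * ';', '|', '`' and '$' inside an argument are ordinary bytes.
 * Returns the child's exit status, or -1 on failure. */
int spawn_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Hypothetical caller: validate first, then pass the name as one argument. */
int run_helper(const char *helper, const char *name)
{
    if (!is_safe_name(name))
        return -1;
    char *const argv[] = { (char *)helper, (char *)name, NULL };
    return spawn_argv(argv);
}
```

The allowlist and the argument vector are independent layers: the first rejects unexpected names outright, the second ensures that anything which does get through is never interpreted as shell syntax.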