https://bugzilla.redhat.com/show_bug.cgi?id=573999 I think we just upgraded dvipng per Jan-Ake. I don't believe the current sources are vulnerable. Sorry, no idea about patching TL'09. Good luck.