oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: cve request: xpdf: insecure tempfile usage in zxpdf script

From: Josh Bressers <bressers () redhat com>
Date: Tue, 9 Aug 2011 15:48:10 -0400 (EDT)
Please use CVE-2011-2902.

Thanks.

-- 
    JB

----- Original Message -----

Hi,

It was recently discovered that the compressed pdf handler script
(zxpdf) that shipped in the Debian xpdf package handles tempfiles
insecurely. Due to this flaw, a specifically-crafted pdf file name can
be used to delete files from the user's system (by taking advantage of
the tempfile cleanup trap; i.e. "rm -f <part of crafted file name>").

Note that as of version 3.02-13 (uploaded to Debian unstable on March
4th, 2011), the zxpdf became the default xpdf pdf file handler. With
this being a default, the problem was promulgated to a much wider user
base; thus precipitating discovery of the flaw. I've now fixed the
problem in version 3.02-19 (uploaded to unstable on July 29th, 2011,
and
entered testing on July 31st).

Credit goes to Chung-chieh Shan from Harvard for discovering the
issue.
See his bug report for more background and details:
http://bugs.debian.org/635849.

Please assign an id.

Thanks,
Mike
Previous By Date Next
Previous By Thread Next

Current thread: