oss-sec mailing list archives
cve request: xpdf: insecure tempfile usage in zxpdf script
From: Michael Gilbert <michael.s.gilbert () gmail com>
Date: Wed, 3 Aug 2011 22:02:13 -0400
Hi, It was recently discovered that the compressed pdf handler script (zxpdf) that shipped in the Debian xpdf package handles tempfiles insecurely. Due to this flaw, a specifically-crafted pdf file name can be used to delete files from the user's system (by taking advantage of the tempfile cleanup trap; i.e. "rm -f <part of crafted file name>"). Note that as of version 3.02-13 (uploaded to Debian unstable on March 4th, 2011), the zxpdf became the default xpdf pdf file handler. With this being a default, the problem was promulgated to a much wider user base; thus precipitating discovery of the flaw. I've now fixed the problem in version 3.02-19 (uploaded to unstable on July 29th, 2011, and entered testing on July 31st). Credit goes to Chung-chieh Shan from Harvard for discovering the issue. See his bug report for more background and details: http://bugs.debian.org/635849. Please assign an id. Thanks, Mike
Current thread:
- cve request: xpdf: insecure tempfile usage in zxpdf script Michael Gilbert (Aug 03)
- Re: cve request: xpdf: insecure tempfile usage in zxpdf script Josh Bressers (Aug 09)