Date: Wed, 3 Aug 2011 22:02:13 -0400 From: Michael Gilbert <michael.s.gilbert@...il.com> To: oss-security@...ts.openwall.com Subject: cve request: xpdf: insecure tempfile usage in zxpdf script Hi, It was recently discovered that the compressed pdf handler script (zxpdf) that shipped in the Debian xpdf package handles tempfiles insecurely. Due to this flaw, a specifically-crafted pdf file name can be used to delete files from the user's system (by taking advantage of the tempfile cleanup trap; i.e. "rm -f <part of crafted file name>"). Note that as of version 3.02-13 (uploaded to Debian unstable on March 4th, 2011), the zxpdf became the default xpdf pdf file handler. With this being a default, the problem was promulgated to a much wider user base; thus precipitating discovery of the flaw. I've now fixed the problem in version 3.02-19 (uploaded to unstable on July 29th, 2011, and entered testing on July 31st). Credit goes to Chung-chieh Shan from Harvard for discovering the issue. See his bug report for more background and details: http://bugs.debian.org/635849. Please assign an id. Thanks, Mike
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.