Date: Wed, 3 Aug 2011 22:02:13 -0400
From: Michael Gilbert <michael.s.gilbert@...il.com>
To: oss-security@...ts.openwall.com
Subject: cve request: xpdf: insecure tempfile usage in zxpdf script

Hi,

It was recently discovered that the compressed pdf handler script
(zxpdf) that shipped in the Debian xpdf package handles tempfiles
insecurely.  Due to this flaw, a specifically-crafted pdf file name can
be used to delete files from the user's system (by taking advantage of
the tempfile cleanup trap; i.e. "rm -f <part of crafted file name>").  

Note that as of version 3.02-13 (uploaded to Debian unstable on March
4th, 2011), zxpdf became the default xpdf pdf file handler. With
this being a default, the problem was promulgated to a much wider user
base; thus precipitating discovery of the flaw. I've now fixed the
problem in version 3.02-19 (uploaded to unstable on July 29th, 2011, and
entered testing on July 31st).

Credit goes to Chung-chieh Shan from Harvard for discovering the issue.
See his bug report for more background and details:
http://bugs.debian.org/635849.

Please assign an id.

Thanks,
Mike
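
The failure mode described in the message above, shown as an added example that is not the zxpdf script and not code from the original post: an assumed pattern (temp path built from the input file name and expanded unquoted in the cleanup trap) beside a hardened form. The function names and the sample file names are constructed, and everything runs inside a throwaway sandbox directory.

```shell
#!/bin/sh
# Added illustration, not the zxpdf script. Names below are hypothetical.

# Assumed unsafe pattern: the temp path embeds the input file name and is
# expanded unquoted when the cleanup trap fires, so whitespace in the name
# splits it into several separate arguments to rm.
handle_unsafe() (
    tmp="${TMPDIR:-/tmp}/$(basename "$1" .gz)"
    trap 'rm -f $tmp' EXIT
    : > "$tmp"    # stand-in for decompressing and launching the viewer
)

# Hardened pattern: mktemp picks an unpredictable name unrelated to the
# input, the expansion is quoted, and "--" ends rm's option parsing.
handle_safe() (
    tmp=$(mktemp "${TMPDIR:-/tmp}/zxpdf.XXXXXX") || exit 1
    trap 'rm -f -- "$tmp"' EXIT
    : > "$tmp"
)

# Run one handler inside a throwaway sandbox beside a bystander file.
# Returns 0 if the bystander survived the handler's cleanup, 1 if not.
bystander_survives() {
    box=$(mktemp -d) || return 2
    mkdir "$box/tmp" "$box/home"
    : > "$box/home/notes.pdf"            # constructed bystander file
    (
        cd "$box/home" || exit 2
        TMPDIR="$box/tmp"; export TMPDIR
        "$1" "x notes.pdf.gz"            # constructed name containing a space
    )
    if [ -e "$box/home/notes.pdf" ]; then survived=0; else survived=1; fi
    rm -rf -- "$box"
    return "$survived"
}

for h in handle_unsafe handle_safe; do
    if bystander_survives "$h"; then
        echo "$h: bystander file intact"
    else
        echo "$h: bystander file deleted by cleanup"
    fi
done
```

ShellCheck reports the unquoted expansion in the first handler as SC2086, which makes this class of bug easy to catch in packaging CI.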
