[glug-t] Bug in PDF viewer

Bug in PDF viewer - news from linuxdevices.com

CERT has identified a potential vulnerability in popular Portable Document File 
(PDF) readers and viewers. In the words of the CERT advisory . . . 
"When a victim clicks on a hyperlink contained within a malicious PDF file, an 
attacker may be able to execute arbitrary commands with the privileges of the 
victim. This is possible because some UNIX/Linux PDF readers/viewers spawn 
external programs to handle hyperlinks by invoking the shell command 
interpreter."
Updates are rapidly being released for popular PDF reader/viewer programs such 
as Adobe Reader, xpdf, etc.

CERT's full advisory regarding PDF readers/viewers is here ("Vulnerability Note 
VU#200132").

xpdf bug fixed from www.foolabs.com

Xpdf 2.02pl1 was released 2003-jun-16. 

This version includes a small patch that fixes a security hole in version 2.02. 
It was possible to construct a malicious URL link in a PDF file which would 
cause an arbitrary command to be run. The patch changes things so that the 
various characters which can cause trouble are escaped (%xx) before calling 
system(). This patch also changes the "launch" link verification dialog to 
provide a scrolling view of the command about to be run when the command string 
is excessively long. 

This security hole (and the patch) only affect the Unix viewer -- they do not 
affect the command tools on Unix, Windows, or other operating systems. 

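The escaping approach described in the Xpdf release note above, sketched as an added example (not code from Xpdf or from the original post). The allowlist, the function names and the "my-browser" handler are assumptions made for illustration; the command template is assumed to place the URL inside single quotes.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed allowlist, not xpdf's actual list: URL bytes that are inert inside
 * a single-quoted sh word. '%' stays so existing %xx escapes survive. */
static const char SAFE_PUNCT[] = "-_.~/:?=&%+,#@";

/* Percent-escape every byte outside the allowlist. Returns the escaped
 * length, or -1 if out is too small (no silent truncation). */
int escape_url(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        int safe = isalnum(*p) || strchr(SAFE_PUNCT, *p) != NULL;
        size_t need = safe ? 1 : 3;
        if (o + need + 1 > outlen)
            return -1;
        if (safe)
            out[o++] = (char)*p;
        else
            o += (size_t)snprintf(out + o, 4, "%%%02X", (unsigned)*p);
    }
    out[o] = '\0';
    return (int)o;
}

/* Build "<handler> '<escaped url>'" for system(). handler is trusted local
 * configuration (hypothetical name below); only url comes from the PDF. */
int build_command(const char *handler, const char *url, char *cmd, size_t len)
{
    char esc[2048];
    if (escape_url(url, esc, sizeof esc) < 0)
        return -1;
    int n = snprintf(cmd, len, "%s '%s'", handler, esc);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

int main(void)
{
    /* Constructed sample link with shell metacharacters in it. */
    const char *url = "http://example.test/a?b=1';echo x;'";
    char cmd[4096];
    if (build_command("my-browser", url, cmd, sizeof cmd) < 0)
        return 1;
    puts(cmd); /* the quote and semicolons arrive as %27 and %3B */
    return 0;
}
```

Escaping keeps system() usable, but starting the handler with fork() and execvp() and passing the URL as its own argv entry removes the shell from the path altogether.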
