Home page logo
/

bugtraq logo Bugtraq mailing list archives

Conectiva Linux Security Announcement - xpdf
From: secure () CONECTIVA COM BR
Date: Wed, 13 Sep 2000 09:14:23 -0300

-----------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
-----------------------------------------------------------------------

PACKAGE   : xpdf
SUMMARY   : Shell commands in URLs and insecure use of /tmp
DATE      : 2000-09-12 15:31:00
RELEVANT
RELEASES  : 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1

----------------------------------------------------------------------

DESCRIPTION
 Versions prior to 0.91 of xpdf have some security problems:
 1) Insecure file creation in /tmp which could be exploited via
 symlink attacks;
 2) Shell commands inserted in URLs would be expanded and executed by
 the shell when the user opened such an URL from within xpdf.
 Please note that xpdf is not SUID and therefore any attack which uses
 these vulnerabilities will only have the privileges of the user
 running xpdf.


SOLUTION
 All xpdf users should upgrade.


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/xpdf-0.91-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/xpdf-0.91-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/xpdf-0.91-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/xpdf-0.91-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/xpdf-0.91-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/xpdf-0.91-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/xpdf-0.91-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/xpdf-0.91-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/xpdf-0.91-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/xpdf-0.91-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/xpdf-0.91-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/xpdf-0.91-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/xpdf-0.91-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/xpdf-0.91-1cl.i386.rpm


----------------------------------------------------------------------

All packages are signed with Conectiva's GPG key. The key can be
obtained at http://www.conectiva.com.br/contato

----------------------------------------------------------------------
subscribe: atualizacoes-anuncio-subscribe () bazar conectiva com br
unsubscribe: atualizacoes-anuncio-unsubscribe () bazar conectiva com br


  By Date           By Thread  

Current thread:
  • Conectiva Linux Security Announcement - xpdf secure (Sep 13)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]