Security Advisory Updated Xpdf packages fix security vulnerability.

Advisory: RHSA-2003:196-13
Type: Security Advisory
Severity: N/A
Issued on: 2003-06-18
Last updated on: 2003-07-17
Affected Products: Red Hat Linux 7.1
Red Hat Linux 7.2
Red Hat Linux 7.3
Red Hat Linux 8.0
Red Hat Linux 9
OVAL: N/A
CVEs (cve.mitre.org): CVE-2003-0434

Details

Updated Xpdf packages are available that fix a vulnerability where a
malicious PDF document could run arbitrary code.

[Updated 16 July 2003]
Updated packages are now available, as the original errata packages did not
fix all possible ways of exploiting this vulnerability.

Xpdf is an X Window System based viewer for Portable Document Format
(PDF) files.

Martyn Gilmore discovered a flaw in various PDF viewers and readers. An
attacker can embed malicious external-type hyperlinks that, if activated or
followed by a victim, can execute arbitrary shell commands. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0434 to this issue.

All users of Xpdf are advised to upgrade to these errata packages, which
contain a backported security patch that corrects this issue.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Linux 7.1
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/xpdf-0.92-4.71.2.src.rpm
Missing file		     dfdc27db65d2706554a3a35a1e4c7e0a
 
IA-32:
ftp://updates.redhat.com/7.1/en/os/i386/xpdf-0.92-4.71.2.i386.rpm
Missing file		     56083c770c865432ee611c64cffa42f6
 
Red Hat Linux 7.2
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/xpdf-0.92-10.src.rpm
Missing file		     936f5aad703113ac64b3ebd608c21f48
 
IA-32:
ftp://updates.redhat.com/7.2/en/os/i386/xpdf-0.92-10.i386.rpm
Missing file		     3b37ceb7ac361a02b60dddf011a5f58d
 
IA-64:
ftp://updates.redhat.com/7.2/en/os/ia64/xpdf-0.92-10.ia64.rpm
Missing file		     ef4ed48238c8d9bfb7125311aea1d000
 
Red Hat Linux 7.3
SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/xpdf-1.00-7.src.rpm
Missing file		     bbbca3b1e966cfbfbf4d05934f289a11
 
IA-32:
ftp://updates.redhat.com/7.3/en/os/i386/xpdf-1.00-7.i386.rpm
Missing file		     5120b76b6af8c48a3311f3d69a3cdaa0
ftp://updates.redhat.com/7.3/en/os/i386/xpdf-chinese-simplified-1.00-7.i386.rpm
Missing file		     ddd9c3f4413e16dac99787715d735c44
ftp://updates.redhat.com/7.3/en/os/i386/xpdf-chinese-traditional-1.00-7.i386.rpm
Missing file		     466a0f0dd7b872ae52458bd395e79d7a
ftp://updates.redhat.com/7.3/en/os/i386/xpdf-japanese-1.00-7.i386.rpm
Missing file		     37390017f6ace8b30b0f5eec13dc31a6
ftp://updates.redhat.com/7.3/en/os/i386/xpdf-korean-1.00-7.i386.rpm
Missing file		     58806d04ec73add2c288b522f792dada
 
Red Hat Linux 8.0
SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/xpdf-1.01-12.src.rpm
Missing file		     d067a494ef6880548e68921d6d8f93a2
 
IA-32:
ftp://updates.redhat.com/8.0/en/os/i386/xpdf-1.01-12.i386.rpm
Missing file		     ee5f74ddc384aa52d3d87aa215f4adf2
ftp://updates.redhat.com/8.0/en/os/i386/xpdf-chinese-simplified-1.01-12.i386.rpm
Missing file		     bd0f09fcdb6530d5ea00f0e5812094b3
ftp://updates.redhat.com/8.0/en/os/i386/xpdf-chinese-traditional-1.01-12.i386.rpm
Missing file		     1d1fd8d47f01c2288d0e265d1b3f8307
ftp://updates.redhat.com/8.0/en/os/i386/xpdf-japanese-1.01-12.i386.rpm
Missing file		     5eb08e7781c8a6f347f1f0b9c6c777c7
ftp://updates.redhat.com/8.0/en/os/i386/xpdf-korean-1.01-12.i386.rpm
Missing file		     3afffdb1cfb92d5755cb804bfae1a3c4
 
Red Hat Linux 9
SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/xpdf-2.01-11.src.rpm
Missing file		     afb14526ec5cdfe9b0ffb95dc2c63709
 
IA-32:
ftp://updates.redhat.com/9/en/os/i386/xpdf-2.01-11.i386.rpm
Missing file		     142e668bb198b78e25db0202e5b04e04
ftp://updates.redhat.com/9/en/os/i386/xpdf-chinese-simplified-2.01-11.i386.rpm
Missing file		     ef59838e701dc44fcaf6606a4b478377
ftp://updates.redhat.com/9/en/os/i386/xpdf-chinese-traditional-2.01-11.i386.rpm
Missing file		     d96168e7862b86e7a81a36afabdfb25d
ftp://updates.redhat.com/9/en/os/i386/xpdf-japanese-2.01-11.i386.rpm
Missing file		     a805a60fddeb36df6d0ccf79e22199a7
ftp://updates.redhat.com/9/en/os/i386/xpdf-korean-2.01-11.i386.rpm
Missing file		     98208ce3a9324b4a9cc9274d807b26e0
 

Bugs fixed (see bugzilla for more information)

79680 - xpdf packaging issues


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0434
http://lists.netsys.com/pipermail/full-disclosure/2003-June/010397.html

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/