Security Advisory: Updated Xpdf packages fix security vulnerability

Advisory: RHSA-2003:216-04
Type: Security Advisory
Severity: N/A
Issued on: 2003-06-30
Last updated on: 2003-06-30
Affected Products: Red Hat Linux 7.1 for iSeries
                   Red Hat Linux 7.1 for pSeries
OVAL: N/A
CVEs (cve.mitre.org): CVE-2002-1384
                      CVE-2003-0434

Details

Updated Xpdf packages are available that fix a vulnerability where a
malicious PDF document could run arbitrary code.

Xpdf is an X Window System based viewer for Portable Document Format (PDF)
files.

During an audit of CUPS, a printing system, Zen Parsec found an integer
overflow vulnerability in the pdftops filter. Since the code for pdftops is
taken from the Xpdf project, all versions of Xpdf including 2.01 are also
vulnerable to this issue. An attacker could create a PDF file that could
execute arbitrary code. This code would have the same access privileges as
the user who viewed the file with Xpdf.

Martyn Gilmore discovered a flaw in various PDF viewers and readers. An
attacker can embed malicious external-type hyperlinks that, if activated or
followed by a victim, can execute arbitrary shell commands. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0434 to this issue.

All users of Xpdf are advised to upgrade to these erratum packages, which
contain a patch correcting these issues.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
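The advisory lists one 32-hex digest per package and, at the end, points to the Red Hat GPG key used to sign the packages. The script below is an added illustration, not part of the Red Hat advisory, of checking both before running the rpm -Fvh step: it assumes the RPMs are already downloaded into one directory, that the digests are MD5 sums (the format Red Hat errata of this era used), and that the Red Hat key has been imported so rpm --checksig can verify signatures. Only the checksum and lookup functions are exercised when rpm is not installed.

```shell
#!/bin/sh
# Added example (not part of the Red Hat advisory): verify downloaded erratum
# RPMs against the advisory's digests and the Red Hat package signature
# before freshening installed packages with rpm -Fvh.
# Assumptions: digests are MD5 (as in Red Hat errata of this era); the
# Red Hat signing key is already imported into the rpm keyring.

# Expected digests copied from the advisory's "Updated packages" section
# (filename digest). iSeries and pSeries ship the same two files.
EXPECTED_SUMS='xpdf-0.92-4.71.1.src.rpm a877047ec8229687e1f98bbc8d9eae79
xpdf-0.92-4.71.1.ppc.rpm f57d9764a5a5282c3982de3996164d49'

# md5_of FILE: print the MD5 hex digest of FILE with whichever tool exists.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 -r "$1" | cut -d' ' -f1
    fi
}

# check_md5 FILE EXPECTED: return 0 only if FILE's digest equals EXPECTED.
check_md5() {
    actual=$(md5_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# expected_sum NAME: print the advisory digest for basename NAME,
# return 1 if the file is not listed in the advisory at all.
expected_sum() {
    printf '%s\n' "$EXPECTED_SUMS" |
        awk -v f="$1" '$1 == f { print $2; found = 1 } END { exit found ? 0 : 1 }'
}

# verify_rpms DIR: check every .rpm in DIR against the advisory digest and,
# when rpm is available, its GPG signature. Prints one verdict per file and
# returns 0 only if every file passed; an unlisted file is a failure too.
verify_rpms() {
    dir=$1
    rc=0
    for f in "$dir"/*.rpm; do
        [ -e "$f" ] || { echo "no RPMs found in $dir"; return 1; }
        name=$(basename "$f")
        if ! want=$(expected_sum "$name"); then
            echo "FAIL  $name: not listed in advisory"; rc=1; continue
        fi
        if ! check_md5 "$f" "$want"; then
            echo "FAIL  $name: digest mismatch"; rc=1; continue
        fi
        # rpm --checksig verifies the package signature against imported keys;
        # the key itself comes from https://www.redhat.com/security/team/key/#package
        if command -v rpm >/dev/null 2>&1 && ! rpm --checksig "$f" >/dev/null 2>&1; then
            echo "FAIL  $name: signature check failed"; rc=1; continue
        fi
        echo "OK    $name"
    done
    return $rc
}

# Freshen (-F: only packages already installed) after every file verified.
if [ -n "${1:-}" ]; then
    verify_rpms "$1" && rpm -Fvh "$1"/*.rpm
fi
```

Run it as `sh verify-xpdf.sh /path/to/downloads` (assumed file name); a single digest mismatch, unlisted file or failed signature check stops the freshen step, which is the point of verifying before `rpm -Fvh` rather than after.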

Updated packages

Red Hat Linux 7.1 for iSeries

SRPMS:
ftp://updates.redhat.com/7.1/en/os/iSeries/SRPMS/xpdf-0.92-4.71.1.src.rpm
a877047ec8229687e1f98bbc8d9eae79

iSeries:
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/xpdf-0.92-4.71.1.ppc.rpm
f57d9764a5a5282c3982de3996164d49

Red Hat Linux 7.1 for pSeries

SRPMS:
ftp://updates.redhat.com/7.1/en/os/pSeries/SRPMS/xpdf-0.92-4.71.1.src.rpm
a877047ec8229687e1f98bbc8d9eae79

pSeries:
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/xpdf-0.92-4.71.1.ppc.rpm
f57d9764a5a5282c3982de3996164d49

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/