---

Home Security

Red Hat Security Advisory: xpdf bugfix release

By

Date: Wed, 13 Sep 2000 18:57:00 -0400
From: bugzilla@REDHAT.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: [RHSA-2000:060-03] xpdf bugfix release

                   Red Hat, Inc. Security Advisory

Synopsis:          xpdf bugfix release
Advisory ID:       RHSA-2000:060-03
Issue date:        2000-09-13
Updated on:        2000-09-13
Product:           Red Hat Linux
Keywords:          security problem in temporary file and malicious URL.
Cross references:  N/A

1. Topic:

Security problem in temporary file and malicious URL.

2. Relevant releases/architectures:

Red Hat Linux 5.2 – i386, alpha, sparc
Red Hat Linux 6.2 – i386, alpha, sparc

3. Problem description:

There is a security problem when using tmpnam() and fopen() in
versions prior to 0.91. The problem is seen when a root user
overwrites files where a symlink is created between the calls to
tmpname() and fopen().

There is also a problem with URL-type links in PDF documents
that contain quote characters which could also be used to execute
arbitrary commands.

The xpdf-0.91 fixes both these security problems.

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla
for more info):

N/A

6. RPMs required:

Red Hat Linux 5.2:

sparc:
ftp://updates.redhat.com/5.2/sparc/xpdf-0.91-1.5x.sparc.rpm

alpha:
ftp://updates.redhat.com/5.2/alpha/xpdf-0.91-1.5x.alpha.rpm

i386:
ftp://updates.redhat.com/5.2/i386/xpdf-0.91-1.5x.i386.rpm

sources:
ftp://updates.redhat.com/5.2/SRPMS/xpdf-0.91-1.5x.src.rpm

Red Hat Linux 6.2:

sparc:
ftp://updates.redhat.com/6.2/sparc/xpdf-0.91-1.6x.sparc.rpm

alpha:
ftp://updates.redhat.com/6.2/alpha/xpdf-0.91-1.6x.alpha.rpm

i386:
ftp://updates.redhat.com/6.2/i386/xpdf-0.91-1.6x.i386.rpm

sources:
ftp://updates.redhat.com/6.2/SRPMS/xpdf-0.91-1.6x.src.rpm

7. Verification:

MD5 sum                           Package Name

1ca613dc77206c3529dab585e6f4fffd 5.2/SRPMS/xpdf-0.91-1.5x.src.rpm
20632cc51819d8a277636bc7e72041ea 5.2/alpha/xpdf-0.91-1.5x.alpha.rpm
da4bfce20f17967f03697f7a141a7883 5.2/i386/xpdf-0.91-1.5x.i386.rpm
1707cdcbe06867e9d927c7c150b856e6 5.2/sparc/xpdf-0.91-1.5x.sparc.rpm
54136dd475eeea9f24bf0f7a1eb2d5d9 6.2/SRPMS/xpdf-0.91-1.6x.src.rpm
db42b309ce51cf80661b1ea43141328b 6.2/alpha/xpdf-0.91-1.6x.alpha.rpm
7a00ef826fa8f5fa37246a78f4ddcc4a 6.2/i386/xpdf-0.91-1.6x.i386.rpm
8f442274085c2bb45c72f2920d4027d3 6.2/sparc/xpdf-0.91-1.6x.sparc.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our
key is available at:
http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
rpm –checksig <filename>

If you only wish to verify that each package has not been
corrupted or tampered with, examine only the md5sum with the
following command:
rpm –checksig –nogpg <filename>

8. References:

http://www.securityfocus.com/archive/1/79421

Copyright(c) 2000 Red Hat, Inc.

Complete Story
Previous article
Next article

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis

Must Read

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Our Brands

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.