Rapid7 Vulnerability & Exploit Database

RHSA-2003:216: Updated Xpdf packages fix security vulnerability




Updated Xpdf packages are available that fix a vulnerability where a malicious PDF document could run arbitrary code.

Xpdf is an X Window System based viewer for Portable Document Format (PDF) files.

During an audit of CUPS, a printing system, Zen Parsec found an integer overflow vulnerability in the pdftops filter. Since the code for pdftops is taken from the Xpdf project, all versions of Xpdf including 2.01 are also vulnerable to this issue. An attacker could create a PDF file that could execute arbitrary code. This code would have the same access privileges as the user who viewed the file with Xpdf.

Martyn Gilmore discovered a flaw in various PDF viewers and readers. An attacker can embed malicious external-type hyperlinks that, if activated or followed by a victim, can execute arbitrary shell commands. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0434 to this issue.

All users of Xpdf are advised to upgrade to these erratum packages, which contain a patch correcting this issue.
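A defender-side check for the hyperlink issue described above, added here as an example and not code from the advisory or the Xpdf project: it scans raw PDF bytes for /URI link actions whose target string carries shell metacharacters, the kind of link a viewer must not hand to a shell unescaped. The metacharacter set and the sample PDF fragment are constructed assumptions, and only parenthesised literal strings are parsed (hex strings are not).

```python
import re

# Shell metacharacters a viewer must never pass to a shell unescaped.
# Assumption: this set is our own choice, not taken from the advisory.
SHELL_META = set(';|&`$(){}<>\n\'"\\')

# Matches the literal string of a PDF link action, e.g. /URI (http://...)
# Handles backslash escapes inside the string; hex strings <...> are skipped.
URI_RE = re.compile(rb'/URI\s*\(((?:\\.|[^\\)])*)\)', re.DOTALL)


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI literal string found in the raw PDF bytes."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        # Undo the PDF literal-string escapes relevant to the check.
        text = raw.replace(b'\\(', b'(').replace(b'\\)', b')').replace(b'\\\\', b'\\')
        uris.append(text.decode('latin-1'))
    return uris


def suspicious_uris(pdf_bytes: bytes) -> list[tuple[str, str]]:
    """Return (uri, offending_chars) for every URI containing shell metacharacters."""
    findings = []
    for uri in extract_uris(pdf_bytes):
        bad = ''.join(sorted(set(uri) & SHELL_META))
        if bad:
            findings.append((uri, bad))
    return findings


# Constructed sample: a minimal PDF fragment with one clean and one tainted link.
SAMPLE_PDF = b"""%PDF-1.3
1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.example.com/index.html) >> >> endobj
2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.example.com/;echo) >> >> endobj
%%EOF
"""

if __name__ == "__main__":
    for uri, bad in suspicious_uris(SAMPLE_PDF):
        print(f"suspicious link {uri!r}: contains shell metacharacter(s) {bad!r}")
```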


  • redhat-upgrade-xpdf
