[Secure-testing-team] Bug#641941: xpdf reads the xpdfrc file in the current directory
Vincent Lefevre
vincent at vinc17.net
Sun Sep 18 00:45:42 UTC 2011
Package: xpdf
Version: 3.03-4
Severity: grave
Tags: security
Justification: user security hole
xpdf reads the xpdfrc in the current directory instead of
/etc/xpdf/xpdfrc. This is sufficient to introduce a security hole
(for instance, urlCommand could be set by the attacker to some
executable he wishes...).
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages xpdf depends on:
ii lesstif2 1:0.95.2-1
ii libc6 2.13-21
ii libgcc1 1:4.6.1-11
ii libpoppler13 0.16.7-2
ii libstdc++6 4.6.1-11
ii libx11-6 2:1.4.4-1
ii libxt6 1:1.1.1-2
Versions of packages xpdf recommends:
ii gsfonts-x11 0.22
ii poppler-data 0.4.5-2
ii poppler-utils 0.16.7-2
xpdf suggests no packages.
-- no debconf information
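
An added example, not part of the original report and not xpdf or Debian code: a Python check that walks a directory tree for files named xpdfrc other than /etc/xpdf/xpdfrc and lists any urlCommand setting they carry, which is the risk the report describes. The simplified line-based parsing, the function names and the sample file contents are assumptions constructed for illustration.

```python
import os
import tempfile

# Directive named in the report; xpdf executes its value when a URL link is clicked.
RISKY_DIRECTIVES = {"urlCommand"}
SYSTEM_RC = "/etc/xpdf/xpdfrc"  # the path the report says should be read


def risky_settings(rc_path):
    """Return (line_no, directive, value) for each risky directive in rc_path."""
    hits = []
    with open(rc_path, encoding="utf-8", errors="replace") as fh:
        for line_no, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank line or comment
            parts = line.split(None, 1)
            if parts[0] in RISKY_DIRECTIVES:
                # Assumption: the value is the rest of the line, optionally double-quoted.
                value = parts[1].strip().strip('"') if len(parts) > 1 else ""
                hits.append((line_no, parts[0], value))
    return hits


def find_stray_xpdfrc(root):
    """Map each xpdfrc under root (other than SYSTEM_RC) to its risky settings."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if "xpdfrc" in files:
            path = os.path.join(dirpath, "xpdfrc")
            if os.path.realpath(path) != SYSTEM_RC:
                findings[path] = risky_settings(path)
    return findings


def demo():
    """Constructed sample: a directory that ships its own xpdfrc next to a PDF."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "downloads", "report")
        os.makedirs(sub)
        with open(os.path.join(sub, "xpdfrc"), "w") as fh:
            fh.write('# constructed sample\nurlCommand "/tmp/placeholder-helper %s"\n')
        open(os.path.join(sub, "report.pdf"), "w").close()
        return {os.path.relpath(p, root): h for p, h in find_stray_xpdfrc(root).items()}


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

A stray xpdfrc with no urlCommand line is still reported, with an empty list, since any file of that name in the working directory would be read in place of the system one.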