FS#36818 - [xpdf] security patch for CVE-2012-2142-xpdf
Attached to Project:
Arch Linux
Opened by RbN (RbN) - Saturday, 07 September 2013, 09:53 GMT
Last edited by Gaetan Bisson (vesath) - Sunday, 08 September 2013, 17:19 GMT
Details
Description:
xpdf uses the same codebase as poppler, just slightly diverged. The poppler package has been fixed, but xpdf has not.

"An insufficient escape sequences sanitization flaw was found in the way xpdf, a PDF file viewer for the X window system, performed sanitization of certain characters to be displayed in the error messages, which arose during presentation of certain PDF files. A remote attacker could use this flaw to modify a window's title, or, possibly execute arbitrary commands or overwrite files, via a specially-crafted PDF file containing an escape sequence for a terminal emulator if local, unsuspecting user opened such crafted PDF file in xpdf."

Red Hat Bugzilla entry: https://bugzilla.redhat.com/show_bug.cgi?id=789936
oss-sec thread: http://www.openwall.com/lists/oss-security/2013/08/11/1
Patch (from oss-sec): http://sourceforge.net/projects/miscellaneouspa/postdownload?source=dlp

This code was adapted from the Poppler project fix. Not tested.
Closed by Gaetan Bisson (vesath)
Sunday, 08 September 2013, 17:19 GMT
Reason for closing: Fixed
Additional comments about closing: xpdf-3.03-4 in [extra]
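
As an added illustration of the flaw class described in this report (not the patch linked above, and not xpdf or Poppler code), a C routine that makes an error message safe to print to a terminal. The names `sanitize_error_msg` and `report_error`, the `<xx>` token format and the sample message are assumptions constructed for this example:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy msg into out, replacing every byte outside printable ASCII
 * (0x20..0x7e) with a visible "<xx>" hex token, so ESC (0x1b), BEL,
 * CR, backspace and 8-bit C1 controls never reach the terminal raw.
 * Always NUL-terminates and never emits a partial token.
 * Returns the number of input bytes consumed (detects truncation). */
size_t sanitize_error_msg(const char *msg, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t i = 0, o = 0;

    if (outsz == 0)
        return 0;
    for (; msg[i] != '\0'; ++i) {
        unsigned char c = (unsigned char)msg[i];
        if (c >= 0x20 && c <= 0x7e) {
            if (o + 1 >= outsz)          /* keep room for the NUL */
                break;
            out[o++] = (char)c;
        } else {
            if (o + 4 >= outsz)          /* whole token or nothing */
                break;
            out[o++] = '<';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
            out[o++] = '>';
        }
    }
    out[o] = '\0';
    return i;
}

/* Hypothetical error reporter: document-derived text is sanitized
 * before it is written to stderr. */
void report_error(const char *msg)
{
    char safe[256];
    size_t used = sanitize_error_msg(msg, safe, sizeof safe);
    fprintf(stderr, "Error: %s%s\n", safe, msg[used] ? "..." : "");
}

int main(void)
{
    /* Constructed sample: a name taken from a PDF with control bytes. */
    report_error("Unknown operator '\033]0;x\007'");
    return 0;
}
```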