COMMAND
xpdf
SYSTEMS AFFECTED
xpdf, xpdf-i
PROBLEM
There is a potential race condition when using tmpnam() and
fopen() in xpdf versions prior to 0.91. This exploit can only be
used as root to overwrite arbitrary files if a symlink is created
between the calls to tmpnam() and fopen(). There is also a
problem with malicious URL-type links in PDF documents that
contain quote characters which could also potentially be used to
execute arbitrary commands. This is due to xpdf calling system()
with a netscape (or similar) command plus the URL. The 0.91
release of xpdf fixes both of these potential problems. Although
there are no known exploits, users are encouraged to upgrade
their system with these updates.
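An added example, not xpdf's code or the 0.91 patch: the temporary-file race described above goes away when the file is created exclusively, rather than named with tmpnam() and opened later with fopen(). The function names and the /tmp/tmpdemo-* paths are assumptions made for this illustration.

```c
#define _XOPEN_SOURCE 700 /* mkstemp, mkdtemp, symlink, fdopen */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Turn an fd into a FILE*, cleaning up if fdopen() fails. */
static FILE *wrap(int fd, const char *path) {
    FILE *f = fd < 0 ? NULL : fdopen(fd, "w");
    if (!f && fd >= 0) { close(fd); unlink(path); }
    return f;
}

/* Unlike fopen(name, "w") on a tmpnam() name, O_EXCL makes open() fail with
 * EEXIST if anything, a symlink included, already exists at path. */
FILE *open_new_exclusive(const char *path) {
    return wrap(open(path, O_WRONLY | O_CREAT | O_EXCL, 0600), path);
}

/* Preferred: mkstemp() picks the name and creates the file in one step.
 * tmpl must end in "XXXXXX"; it is rewritten with the name used. */
FILE *open_temp(char *tmpl) {
    return wrap(mkstemp(tmpl), tmpl);
}

/* Constructed check in a private directory: a symlink at the candidate name
 * points at "victim". Returns 0 if the exclusive open refuses it, victim
 * keeps its 4 bytes, and mkstemp() still yields a usable file. */
int check_symlink_refused(void) {
    char dir[] = "/tmp/tmpdemo-XXXXXX", victim[64], cand[64], tmpl[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(cand, sizeof cand, "%s/candidate", dir);
    snprintf(tmpl, sizeof tmpl, "%s/outXXXXXX", dir);
    FILE *v = fopen(victim, "w");
    if (!v || fputs("keep", v) < 0 || fclose(v) || symlink(victim, cand)) return -1;
    int refused = open_new_exclusive(cand) == NULL && errno == EEXIST;
    int intact = stat(victim, &st) == 0 && st.st_size == 4;
    FILE *t = open_temp(tmpl);
    int temp_ok = t != NULL;
    if (t) { fclose(t); unlink(tmpl); }
    unlink(cand); unlink(victim); rmdir(dir);
    return (refused && intact && temp_ok) ? 0 : 1;
}

int main(void) { return check_symlink_refused(); }
```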
SOLUTION
Patches for Linux Mandrake:
Linux-Mandrake 6.0: 6.0/RPMS/xpdf-0.91-4mdk.i586.rpm
6.0/SRPMS/xpdf-0.91-4mdk.src.rpm
Linux-Mandrake 6.1: 6.1/RPMS/xpdf-0.91-4mdk.i586.rpm
6.1/SRPMS/xpdf-0.91-4mdk.src.rpm
Linux-Mandrake 7.0: 7.0/RPMS/xpdf-0.91-4mdk.i586.rpm
7.0/SRPMS/xpdf-0.91-4mdk.src.rpm
For Debian:
http://security.debian.org/dists/stable/updates/main/source/xpdf_0.90-7.diff.gz
http://security.debian.org/dists/stable/updates/main/source/xpdf_0.90-7.dsc
http://security.debian.org/dists/stable/updates/main/source/xpdf_0.90.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-alpha/xpdf_0.90-7_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/xpdf_0.90-7_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/xpdf_0.90-7_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/xpdf_0.90-7_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/xpdf_0.90-7_sparc.deb
For Caldera Linux:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/xpdf-0.91-3.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS/xpdf-0.91-3.src.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/xpdf-0.91-3.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS/xpdf-0.91-3.src.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/xpdf-0.91-3.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS/xpdf-0.91-3.src.rpm
For RedHat:
ftp://updates.redhat.com/5.2/sparc/xpdf-0.91-1.5x.sparc.rpm
ftp://updates.redhat.com/5.2/alpha/xpdf-0.91-1.5x.alpha.rpm
ftp://updates.redhat.com/5.2/i386/xpdf-0.91-1.5x.i386.rpm
ftp://updates.redhat.com/5.2/SRPMS/xpdf-0.91-1.5x.src.rpm
ftp://updates.redhat.com/6.2/sparc/xpdf-0.91-1.6x.sparc.rpm
ftp://updates.redhat.com/6.2/alpha/xpdf-0.91-1.6x.alpha.rpm
ftp://updates.redhat.com/6.2/i386/xpdf-0.91-1.6x.i386.rpm
ftp://updates.redhat.com/6.2/SRPMS/xpdf-0.91-1.6x.src.rpm
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/xpdf-0.91-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/xpdf-0.91-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/xpdf-0.91-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/xpdf-0.91-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/xpdf-0.91-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/xpdf-0.91-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/xpdf-0.91-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/xpdf-0.91-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/xpdf-0.91-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/xpdf-0.91-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/xpdf-0.91-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/xpdf-0.91-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/xpdf-0.91-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/xpdf-0.91-1cl.i386.rpm
For FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/graphics/xpdf-0.91.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/graphics/xpdf-0.91.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/graphics/xpdf-0.91.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/graphics/xpdf-0.91.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/graphics/xpdf-0.91.tgz
xpdf-i versions before 0.90-7 are vulnerable, too; this has now been fixed.