Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: n-107.txt

UNIX PDF Readers Malicious Hyperlinks Vulnerability (CIAC N-107)




             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

             UNIX PDF readers/viewers Malicious Hyperlinks Vulnerability

June 19, 2003 18:00 GMT                                           Number N-107
[Revised 07 July 03]
[Revised 17 July 03]
______________________________________________________________________________
PROBLEM:       A vulnerability in various UNIX PDF readers/viewers has been 
               found where remote attackers could embed malicious external-type
               hyperlinks in PDF files allowing access to a victim's system.
               This applies only to PDF readers on UNIX/Linux systems.
               Readers on Windows and Macintosh systems are not vulnerable.
PLATFORM:      - Red Hat Linux versions: 9.0, 8.0, 7.3, 7.2, and 7.1 
               - Sun Linux v5.0 (See Sun's Alert Notification)
               - Sun Solaris    (no patch information yet)
               - HP/UX          (no patch information yet) 
               - AIX            (no patch information yet)
DAMAGE:        If a victim clicks on a malicious hyperlink, an attacker could
               execute arbitrary shell commands with the victim's privileges.
SOLUTIONS:     - Apply vendor patches when available. 
               - Upgrade to Adobe Reader v5.07 or XPDF 2.02 pl1 (open-source 
                 version). 
               - Monitor CERT's Vulnerability Note VU#200132 for updated vendor 
                 information.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. This vulnerability is possible because some
ASSESSMENT:    UNIX/Linux PDF readers/viewers spawn external programs to
               handle hyperlinks by invoking the shell command interpreter.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-107.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2003-196.html
 ADDITIONAL          CERT:
 INFORMATION:        http://www.kb.cert.org/vuls/id/200132
                     Adobe Reader:
                     http://www.adobe.com/products/acrobat/readstep2.html
                     XPDF:
                     http://www.foolabs.com/xpdf/about.html
		     SUN:
		     http://www.sunsolve.sun.com/pub-cgi/
                     retrieve.pl?doc=fsalert%2F55601&zone_32=category%3Asecurity
______________________________________________________________________________

Revision History:  
7/7/03  - Added Sun's Alert link.
7/17/03 - Updated Red Hat Advisory for release of 2nd round of updated packages.

[******  Start of Red Hat, Inc. RHSA-2003:196-13 ******]

Updated Xpdf packages fix security vulnerability

Advisory: RHSA-2003:196-13 
Last updated on: 2003-07-17 
Affected Products: Red Hat Linux 7.1
Red Hat Linux 7.2
Red Hat Linux 7.3
Red Hat Linux 8.0
Red Hat Linux 9 
CVEs (cve.mitre.org): CAN-2003-0434
 

Details:

Updated Xpdf packages are available that fix a vulnerability where a
malicious PDF document could run arbitrary code.

[Updated 16 July 2003]
Updated packages are now available, as the original errata packages did not
fix all possible ways of exploiting this vulnerability.

Xpdf is an X Window System based viewer for Portable Document Format
(PDF) files.

Martyn Gilmore discovered a flaw in various PDF viewers and readers. An
attacker can embed malicious external-type hyperlinks that, if activated or
followed by a victim, can execute arbitrary shell commands. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0434 to this issue.

All users of Xpdf are advised to upgrade to these errata packages, which
contain a backported security patch that corrects this issue.

Updated packages:

Red Hat Linux 7.1 

--------------------------------------------------------------------------------
 
SRPMS: 
xpdf-0.92-4.71.2.src.rpm
[ via FTP ] [ via HTTP ]     dfdc27db65d2706554a3a35a1e4c7e0a 
  
i386: 
xpdf-0.92-4.71.2.i386.rpm
[ via FTP ] [ via HTTP ]     56083c770c865432ee611c64cffa42f6 
  
Red Hat Linux 7.2 

--------------------------------------------------------------------------------
 
SRPMS: 
xpdf-0.92-10.src.rpm
[ via FTP ] [ via HTTP ]     936f5aad703113ac64b3ebd608c21f48 
  
i386: 
xpdf-0.92-10.i386.rpm
[ via FTP ] [ via HTTP ]     3b37ceb7ac361a02b60dddf011a5f58d 
  
ia64: 
xpdf-0.92-10.ia64.rpm
[ via FTP ] [ via HTTP ]     ef4ed48238c8d9bfb7125311aea1d000 
  
Red Hat Linux 7.3 

--------------------------------------------------------------------------------
 
SRPMS: 
xpdf-1.00-7.src.rpm
[ via FTP ] [ via HTTP ]     bbbca3b1e966cfbfbf4d05934f289a11 
  
i386: 
xpdf-1.00-7.i386.rpm
[ via FTP ] [ via HTTP ]     5120b76b6af8c48a3311f3d69a3cdaa0 
xpdf-chinese-simplified-1.00-7.i386.rpm
[ via FTP ] [ via HTTP ]     ddd9c3f4413e16dac99787715d735c44 
xpdf-chinese-traditional-1.00-7.i386.rpm
[ via FTP ] [ via HTTP ]     466a0f0dd7b872ae52458bd395e79d7a 
xpdf-japanese-1.00-7.i386.rpm
[ via FTP ] [ via HTTP ]     37390017f6ace8b30b0f5eec13dc31a6 
xpdf-korean-1.00-7.i386.rpm
[ via FTP ] [ via HTTP ]     58806d04ec73add2c288b522f792dada 
  
Red Hat Linux 8.0 

--------------------------------------------------------------------------------
 
SRPMS: 
xpdf-1.01-12.src.rpm
[ via FTP ] [ via HTTP ]     d067a494ef6880548e68921d6d8f93a2 
  
i386: 
xpdf-1.01-12.i386.rpm
[ via FTP ] [ via HTTP ]     ee5f74ddc384aa52d3d87aa215f4adf2 
xpdf-chinese-simplified-1.01-12.i386.rpm
[ via FTP ] [ via HTTP ]     bd0f09fcdb6530d5ea00f0e5812094b3 
xpdf-chinese-traditional-1.01-12.i386.rpm
[ via FTP ] [ via HTTP ]     1d1fd8d47f01c2288d0e265d1b3f8307 
xpdf-japanese-1.01-12.i386.rpm
[ via FTP ] [ via HTTP ]     5eb08e7781c8a6f347f1f0b9c6c777c7 
xpdf-korean-1.01-12.i386.rpm
[ via FTP ] [ via HTTP ]     3afffdb1cfb92d5755cb804bfae1a3c4 
  
Red Hat Linux 9 

--------------------------------------------------------------------------------
 
SRPMS: 
xpdf-2.01-11.src.rpm
[ via FTP ] [ via HTTP ]     afb14526ec5cdfe9b0ffb95dc2c63709 
  
i386: 
xpdf-2.01-11.i386.rpm
[ via FTP ] [ via HTTP ]     142e668bb198b78e25db0202e5b04e04 
xpdf-chinese-simplified-2.01-11.i386.rpm
[ via FTP ] [ via HTTP ]     ef59838e701dc44fcaf6606a4b478377 
xpdf-chinese-traditional-2.01-11.i386.rpm
[ via FTP ] [ via HTTP ]     d96168e7862b86e7a81a36afabdfb25d 
xpdf-japanese-2.01-11.i386.rpm
[ via FTP ] [ via HTTP ]     a805a60fddeb36df6d0ccf79e22199a7 
xpdf-korean-2.01-11.i386.rpm
[ via FTP ] [ via HTTP ]     98208ce3a9324b4a9cc9274d807b26e0 
  

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.



Bugs fixed:  (see bugzilla for more information)

79680 - xpdf packaging issues


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0434
http://lists.netsys.com/pipermail/full-disclosure/2003-June/010397.html 

--------------------------------------------------------------------------------
The listed packages are GPG signed by Red Hat, Inc. for security. Our key is 
available at:
http://www.redhat.com/solutions/security/news/publickey/#key 
You can verify each package and see who signed it with the following command:

rpm --checksig -v filename 
If you only wish to verify that each package has not been corrupted or tampered 
with, examine only the md5sum with the following command:

md5sum filename 
The Red Hat security contact is security@redhat.com. More contact details at 
http://www.redhat.com/solutions/security/news/contact.html
 
 
Copyright  2002 Red Hat, Inc. All rights reserved. 

 
[******  End of Red Hat, Inc. RHSA-2003:196-13 ******]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat, Inc. and CERT for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-097: Red Hat Updated Tcpdump Packages
N-098: Microsoft Cumulative Patch for Internet Information Service (IIS)
N-099: Apache 2.0.46 Release Fixes Security Vulnerabilities
N-100: Microsoft Windows Media Services ISAPI Extenstion Flaw
N-101: Microsoft Cumulative Patch for Internet Explorer (IE)
N-102: Hewlett-Packard Potential Security Vulnerabilities in CDE
N-103: Sun ONE Application Server May Disclose JavaServer Pages (JSP) Source
N-104: Red Hat Updated KDE packages
N-105: Sun "/usr/lib/utmp_update" Command Buffer Overflow Vulnerability
N-106: SGI Websetup/Webmin Security Vulnerability


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH