Bug 97462

Summary: xpdf can execute shell code in malicious external hyperlink
Product: [Retired] Red Hat Linux Reporter: Ronny Buchmann <ronny-rhbugzilla>
Component: xpdfAssignee: Than Ngo <than>
Status: CLOSED ERRATA QA Contact: Mike McLean <mikem>
Severity: medium Docs Contact:
Priority: medium    
Version: 9Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2003-06-16 13:34:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
fixed xpdf-1.00-redhat.patch none

Description Ronny Buchmann 2003-06-16 11:32:44 UTC 
Description of problem:
xpdf can execute shell code in malicious external hyperlinks

Version-Release number of selected component (if applicable):
i assume bug exists in all xpdf versions shipped with rhl releases

How reproducible:
always

pdflatex xpdf-url-run.tex
xpdf 

Steps to Reproduce:
1. pdflatex the file below
----
\documentclass{article}
\usepackage[urlcolor=blue,colorlinks=true,pdfpagemode=none,pdfstartview=FitH]{hyperref}
\begin{document}
\href{test`touch
^^24HOME/generated_through_xpdf`}{\texttt{test}}
\end{document}
----
2. open it with xpdf
3. click the link, the file $HOME/generated_through_xpdf is generated
    
Proposed Fix:
change the xpdf-1.00-redhat.patch to call "htmlview '%s'" as urlCommand (single
quotes added)

also useful as a temporary workaround for system adminstrators (affected file is
/etc/xpdfrc)

Additional Info:
see http://lists.netsys.com/pipermail/full-disclosure/2003-June/010397.html
Comment 1 Ronny Buchmann 2003-06-16 13:00:50 UTC 
Created attachment 92424 [details]
fixed xpdf-1.00-redhat.patch
Comment 2 Than Ngo 2003-06-16 13:34:56 UTC 
i have fixed this bug two week ago. I hope it will be pushed as errata this week.

Thanks for your report.