Red Hat Bugzilla – Bug 1027551
CVE-2013-6476 cups-filters: pdftoopvp could load drivers from an attacker-controlled directory
Last modified: 2015-01-04 17:37:50 EST
It was found that the OPVPWrapper::loadDriver() function in the pdftoopvp filter did not restrict the directory drivers could be loaded from. As the driver name can be configured based on a PPD file, processing a PDF in an attacker-controlled directory containing a malicious driver could lead to arbitrary code execution with the privileges of the "lp" user.
This issue was discovered by Florian Weimer of the Red Hat Product Security Team.
This issue has been resolved in upstream cups-filters-1.0.47
Created cups-filters tracking bugs for this issue:
Affects: fedora-all [bug 1074840]