Description of problem:
xpdf can execute shell code in malicious external hyperlinks

Version-Release number of selected component (if applicable):
I assume the bug exists in all xpdf versions shipped with RHL releases

How reproducible:
always

pdflatex xpdf-url-run.tex
xpdf

Steps to Reproduce:
1. pdflatex the file below
----
\documentclass{article}
\usepackage[urlcolor=blue,colorlinks=true,pdfpagemode=none,pdfstartview=FitH]{hyperref}
\begin{document}
\href{test`touch ^^24HOME/generated_through_xpdf`}{\texttt{test}}
\end{document}
----
2. open it with xpdf
3. click the link; the file $HOME/generated_through_xpdf is generated

Proposed Fix:
change the xpdf-1.00-redhat.patch to call "htmlview '%s'" as urlCommand (single quotes added)

Also useful as a temporary workaround for system administrators (affected file is /etc/xpdfrc).

Additional Info:
see http://lists.netsys.com/pipermail/full-disclosure/2003-June/010397.html
Created attachment 92424 [details] fixed xpdf-1.00-redhat.patch
I fixed this bug two weeks ago. I hope it will be pushed as errata this week. Thanks for your report.