Two CVE ids were assigned for the issues discovered in pdfjam: CVE-2008-5743: pdfjam creates the (1) pdf90, (2) pdfjoin, and (3) pdfnup files with a predictable name, which allows local users to overwrite arbitrary files via a symlink attack. CVE-2008-5843: Multiple untrusted search path vulnerabilities in pdfjam allow local users to gain privileges via a Trojan horse program in (1) the current working directory or (2) /var/tmp, related to the (a) pdf90, (b) pdfjoin, and (c) pdfnup scripts. References: https://bugzilla.novell.com/show_bug.cgi?id=459031 https://bugs.gentoo.org/show_bug.cgi?id=252734 http://www.openwall.com/lists/oss-security/2008/12/19/3 http://www.securityfocus.com/bid/32931 http://secunia.com/advisories/33278 Proposed patch to address both issue is attached in the Gentoo BZ: https://bugs.gentoo.org/show_bug.cgi?id=252734#c2
pdfjam-1.21-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/pdfjam-1.21-1.fc9
pdfjam-1.21-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/pdfjam-1.21-1.fc10
pdfjam-1.21-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
pdfjam-1.21-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.