Vulnerability Note VU#200132
Various UNIX and Linux PDF readers/viewers execute commands embedded within hyperlinks
Overview
A vulnerability in various UNIX and Linux PDF viewers/readers may allow remote attackers to execute arbitrary commands on your system.
Description
Adobe Systems Incorporated describes PDF (Portable Document Format) as "a universal file format that preserves the fonts, images, graphics, and layout of any source document, regardless of the application and platform used to create it." A viewer such as Adobe Reader or Xpdf is needed to view a document encoded in PDF. Various PDF viewers are widely deployed on the Internet. Quoting from the Adobe Systems Incorporated web site:

"Governments and enterprises around the world have adopted PDF to streamline document management, increase productivity, and reduce reliance on paper.... An open file format specification, PDF is available to anyone who wants to develop tools to create, view, or manipulate PDF documents. Indeed, more than 1,800 vendors offer PDF-based solutions, ensuring that organizations that adopt the PDF standard have a variety of tools to leverage the Portable Document Format and to customize document processes."
Impact
A remote attacker may be able to execute arbitrary commands with the privileges of the victim.
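As an added triage example (not part of this note, and not code from Adobe, the Xpdf project or any listed vendor), the following Python script pulls the URI strings out of the link annotations of an uncompressed PDF and flags any that contain characters a shell would interpret. The note does not say which characters the affected viewers passed through to a shell, so the SHELL_METACHARS set is an assumption of this checker, and the sample document is constructed for the example.

```python
import re

# ASSUMPTION: characters a POSIX shell treats specially. Which of these any
# particular viewer forwarded to a shell is not stated in VU#200132.
SHELL_METACHARS = set("`$;|&<>\n")

# Constructed sample document: four link annotations with /URI actions, one of
# them written as a PDF hex string and one using backslash-escaped parentheses.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.cert.org/) >> >> endobj
2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/a;b) >> >> endobj
3 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <687474703a2f2f6578616d706c652e696e76616c69642f6324286429> >> >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/dir\\(1\\)/file) >> >> endobj
"""

def _read_literal(data: bytes, start: int) -> tuple[bytes, int]:
    """Read a PDF literal string beginning at data[start] == b'('.
    Handles backslash escapes and balanced nested parentheses.
    Returns (decoded bytes, index just past the closing parenthesis)."""
    escapes = {b"n": b"\n", b"r": b"\r", b"t": b"\t",
               b"(": b"(", b")": b")", b"\\": b"\\"}
    depth = 0
    out = bytearray()
    i = start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            nxt = data[i + 1:i + 2]
            out += escapes.get(nxt, nxt)   # octal escapes are kept verbatim
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth == 1:                 # the opening delimiter itself
                i += 1
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
        out += c
        i += 1
    raise ValueError("unterminated PDF literal string")

def extract_uris(data: bytes) -> list[str]:
    """Return every string that follows a /URI key, in document order.
    Only uncompressed objects are visible to this scan (see usage note)."""
    uris = []
    # '/S /URI' (the action type) is skipped because it is not followed by a string.
    for m in re.finditer(rb"/URI\s*(?=[(<])", data):
        pos = m.end()
        if data[pos:pos + 1] == b"(":
            raw, _ = _read_literal(data, pos)
        else:                               # hex string <...>
            end = data.index(b">", pos)
            digits = re.sub(rb"\s", b"", data[pos + 1:end])
            if len(digits) % 2:
                digits += b"0"              # PDF pads a trailing odd digit with 0
            raw = bytes.fromhex(digits.decode("ascii"))
        uris.append(raw.decode("latin-1"))
    return uris

def flag_suspicious(uris: list[str]) -> list[tuple[str, list[str]]]:
    """Pair each URI containing shell metacharacters with the characters found."""
    findings = []
    for u in uris:
        hits = sorted(SHELL_METACHARS & set(u))
        if hits:
            findings.append((u, hits))
    return findings

if __name__ == "__main__":
    for uri, hits in flag_suspicious(extract_uris(SAMPLE_PDF)):
        print(f"suspicious link: {uri!r} contains {hits}")
```

This is a first-pass inspection aid, not a substitute for the vendor patches: link annotations stored inside compressed object streams are invisible to a raw byte scan, so for real triage run the same check over objects decoded by a PDF library, and treat any hit as a reason to open the file only in a patched viewer.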
Solution
Apply a patch when available.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Adobe Systems Incorporated | Affected | 08 May 2003 | 18 Jun 2003 |
| Conectiva | Affected | 15 May 2003 | 22 Sep 2003 |
| Debian | Affected | 15 May 2003 | 19 May 2003 |
| MandrakeSoft | Affected | 15 May 2003 | 14 Jul 2003 |
| Red Hat Inc. | Affected | 15 May 2003 | 19 Jun 2003 |
| Sun Microsystems Inc. | Affected | 15 May 2003 | 17 Jun 2003 |
| Xpdf | Affected | 20 May 2003 | 17 Jun 2003 |
| Apple Computer Inc. | Not Affected | - | 18 Jun 2003 |
| Fujitsu | Not Affected | 15 May 2003 | 08 Aug 2003 |
| Hitachi | Not Affected | 15 May 2003 | 18 Jun 2003 |
| Ingrian Networks | Not Affected | 15 May 2003 | 23 May 2003 |
| Microsoft Corporation | Not Affected | 15 May 2003 | 19 May 2003 |
| NEC Corporation | Not Affected | 15 May 2003 | 16 Jun 2003 |
| Nortel Networks | Not Affected | 15 May 2003 | 14 Jul 2003 |
| Xerox Corporation | Not Affected | 15 May 2003 | 14 Jul 2003 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://www.adobe.com/products/acrobat/adobepdf.html
- http://www.adobe.com/products/acrobat/readermain.html
- http://www.foolabs.com/xpdf/about.html
- http://www.secunia.com/advisories/9037/
- http://www.secunia.com/advisories/9038/
Credit
This vulnerability was discovered by Martyn Gilmore. The CERT/CC thanks Martyn, Adobe, and the folks responsible for the Xpdf project.
This document was written by Ian A Finlay.
Other Information
- CVE IDs: CAN-2003-0434
- Date Public: 13 Jun 2003
- Date First Published: 18 Jun 2003
- Date Last Updated: 26 Sep 2003
- Severity Metric: 37.97
- Document Revision: 26