Several critical vulnerabilities in Xpdf patched
An update for the free open source PDF viewer Xpdf fixes several critical vulnerabilities, some of which could allow for the injection and execution of arbitrary code. The problems are buffer overflows stemming from vulnerabilities in the JBIG2 decoder, which were recently patched by Adobe in its Reader products. The vulnerabilities affect Xpdf 3.x and can be exploited when a user opens a specially crafted PDF document.
The Linux distributor Red Hat lists a total of ten vulnerabilities on its web site, of which seven allow for an infection and three only lead to crashing the application. The official Xpdf 3.02pl3 release from Foolabs fixes the problems, and a patch (direct download link) is also available. Other Linux distribution providers are also providing updated packages to address the Xpdf vulnerabilities.
Since other applications, such as KOffice, use parts of the Xpdf code base, they could also be vulnerable. However, so far, there is no news on this.
See also:
- xpdf security update, advisory from Red Hat.
- Adobe fixes critical vulnerability in Unix versions of Acrobat and Reader, a report from The H.
(crve)