Package: xpdf
Version: 3.03-4
Severity: grave
Tags: security
Justification: user security hole

xpdf reads the xpdfrc in the current directory instead of /etc/xpdf/xpdfrc. This is sufficient to introduce a security hole (for instance, urlCommand could be set by the attacker to some executable he wishes...).

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xpdf depends on:
ii  lesstif2      1:0.95.2-1
ii  libc6         2.13-21
ii  libgcc1       1:4.6.1-11
ii  libpoppler13  0.16.7-2
ii  libstdc++6    4.6.1-11
ii  libx11-6      2:1.4.4-1
ii  libxt6        1:1.1.1-2

Versions of packages xpdf recommends:
ii  gsfonts-x11    0.22
ii  poppler-data   0.4.5-2
ii  poppler-utils  0.16.7-2

xpdf suggests no packages.

-- no debconf information
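A pre-launch check for the condition reported above, as an added example that is not part of the original bug report or of xpdf: it flags a working directory that contains a file named xpdfrc and reports whether that file sets urlCommand. The function name `check_xpdfrc_dir`, its return codes, and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: detect a directory-local xpdfrc before starting xpdf there.
# Assumption: the file is named exactly "xpdfrc", as stated in the report.

# check_xpdfrc_dir DIR   (hypothetical helper)
#   returns 0 if DIR holds no xpdfrc,
#           1 if an xpdfrc is present but sets no urlCommand,
#           2 if an xpdfrc is present and sets urlCommand.
check_xpdfrc_dir() {
    _dir=${1:-.}
    _file="$_dir/xpdfrc"
    # -e is false for a dangling symlink, so test -L as well.
    if [ ! -e "$_file" ] && [ ! -L "$_file" ]; then
        return 0
    fi
    echo "warning: $_file would be read instead of /etc/xpdf/xpdfrc" >&2
    # Directives are one per line (keyword, whitespace, value); '#' starts a
    # comment, so a commented-out urlCommand does not match.
    if grep -Eq '^[[:space:]]*urlCommand[[:space:]]' "$_file" 2>/dev/null; then
        echo "warning: $_file sets urlCommand:" >&2
        grep -En '^[[:space:]]*urlCommand[[:space:]]' "$_file" >&2
        return 2
    fi
    return 1
}

# Constructed demo: three scratch directories with constructed sample files.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/clean" "$tmp/plain" "$tmp/cmd"
    printf '# constructed sample\ninitialZoom 125\n' > "$tmp/plain/xpdfrc"
    printf '# constructed sample\nurlCommand "/path/to/program %%s"\n' \
        > "$tmp/cmd/xpdfrc"
    for d in clean plain cmd; do
        status=0
        check_xpdfrc_dir "$tmp/$d" || status=$?
        echo "$d -> $status"
    done
    rm -rf "$tmp"
}
demo
```
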