Note: This is an archival copy of Security Sun Alert 200778 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000595.1.
Date of Workaround Release
Date of Resolved Release
On Sun Linux 5.0, a local or remote unprivileged user may be able to execute arbitrary commands with the privileges of the "xpdf" user if a local unprivileged user clicks on malicious hyperlinks in specifically crafted PDF documents.
This issue is described in Red Hat Advisory RHSA-2003:196-07, available at https://rhn.redhat.com/errata/RHSA-2003-196.html and CVE CAN-2003-0434, available at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0434.
2. Contributing Factors
This issue can occur in the following releases:
Note: Sun Linux 5.0 is currently shipped with the Sun LX50 Server.
Note: The currently installed version of "xpdf" can be displayed by issuing the "rpm -q xpdf" command.
There are no reliable symptoms that would show the described issue has been exploited.
To work around the described issue, revoke access to the "xpdf" application by issuing the following command as a root user:
# chmod 000 /usr/bin/xpdf
Once the described issue has been resolved, access rights to the "xpdf" application can be restored by issuing the following command as a root user:
# chmod 755 /usr/bin/xpdf
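To confirm on a given host whether the workaround above is in effect, the following added example (not part of the original Sun Alert) reports the installed package and the permission state of the binary. It assumes GNU "stat" is available; the function names and the "--report" switch are hypothetical.

```shell
#!/bin/sh
# Added example: audit the "chmod 000 /usr/bin/xpdf" workaround state.
# Assumes GNU stat (-c '%a'); function names are illustrative only.

# Print the octal permission bits of a file, following symlinks.
file_mode() {
    stat -L -c '%a' "$1"
}

# Classify the binary at $1 (default: the path named in the advisory):
#   absent            - nothing installed at that path
#   blocked           - mode 000, workaround in effect
#   exposed (mode N)  - any other mode, workaround not (fully) applied
xpdf_workaround_state() {
    bin=${1:-/usr/bin/xpdf}
    if [ ! -e "$bin" ]; then
        echo "absent"
        return 0
    fi
    mode=$(file_mode "$bin") || { echo "unknown"; return 1; }
    case $mode in
        0) echo "blocked" ;;
        *) echo "exposed (mode $mode)" ;;
    esac
}

# Print the package version (if rpm is present) and the workaround state.
xpdf_report() {
    bin=${1:-/usr/bin/xpdf}
    if command -v rpm >/dev/null 2>&1; then
        echo "package: $(rpm -q xpdf 2>/dev/null || echo 'not installed')"
    fi
    echo "binary:  $bin"
    echo "state:   $(xpdf_workaround_state "$bin")"
}

# Run the report only when asked, so the file can also be sourced.
if [ "${1:-}" = "--report" ]; then
    xpdf_report "${2:-/usr/bin/xpdf}"
fi
```

A package upgrade or reinstall can reset the file mode, so the check is worth repeating after any "xpdf" package change made before the fixed release is installed.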
This issue is addressed in the following releases:
Copyright 2000-2010 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
Sun Linux 5.0