________________________________________________________________________ Mandrake Linux Security Update Advisory ________________________________________________________________________ Package name: xpdf Advisory ID: MDKSA-2003:071-1 Date: July 23rd, 2003 Original Advisory Date: June 27th, 2003 Affected versions: 9.0, 9.1, Corporate Server 2.1 ________________________________________________________________________ Problem Description: Martyn Gilmore discovered flaws in various PDF viewers, including xpdf. An attacker could place malicious external hyperlinks in a document that, if followed, could execute arbitary shell commands with the privileges of the person viewing the PDF document. Update: New packages are available as the previous patches that had been applied did not correct all possible ways of exploiting this issue. ________________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0434 ________________________________________________________________________
The xpdf team patched the referenced vulnerability in version 2.02pl1. An ebuild for this version is already available in portage (xpdf-2.02.1.ebuild). Is there a vulnerability, beyond what has already been patched, keeping this bug open?
Nope. This can be closed in fact. I think we might have missed the window of sending out GLSA's on this one as it seems to have been fixed for some time. Note: Also it looks like 2.03 just hit portage as ~arch masked.