blob: b0725cb053f3ec9fc4832bdd72d0b1a05c0fde37 [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200903-05">
<title>PDFjam: Multiple vulnerabilities</title>
Multiple vulnerabilities in the PDFjam scripts allow for local privilege
<product type="ebuild">pdfjam</product>
<announced>March 07, 2009</announced>
<revised>March 07, 2009: 01</revised>
<package name="app-text/pdfjam" auto="yes" arch="*">
<unaffected range="ge">1.20-r1</unaffected>
<vulnerable range="lt">1.20-r1</vulnerable>
PDFjam is a small collection of shell scripts to edit PDF documents,
including pdfnup, pdfjoin and pdf90.
Martin Vaeth reported multiple untrusted search path vulnerabilities
<li>Marcus Meissner of the SUSE Security Team reported that
temporary files are created with a predictable name (CVE-2008-5743).
</ul> <p>
<impact type="normal">
A local attacker could place a specially crafted Python module in the
current working directory or the /var/tmp directory, and entice a user
to run the PDFjam scripts, leading to the execution of arbitrary code
with the privileges of the user running the application. A local
attacker could also leverage symlink attacks to overwrite arbitrary
There is no known workaround at this time.
All PDFjam users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=app-text/pdfjam-1.20-r1&quot;</code>
<uri link="">CVE-2008-5843</uri>
<uri link="">CVE-2008-5743</uri>
<metadata tag="requester" timestamp="Fri, 23 Jan 2009 21:30:23 +0000">
<metadata tag="submitter" timestamp="Thu, 12 Feb 2009 16:57:17 +0000">
<metadata tag="bugReady" timestamp="Thu, 12 Feb 2009 16:57:35 +0000">