> From [EMAIL PROTECTED] Wed Jul 17 06:27:43 2002 > Date: Wed, 17 Jul 2002 13:47:01 +0200 > From: Roger Brel <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: Re: LPRng: GhostScript PDF conversion problem solved... sort of > > In all my IFHP filter , I use acroread : > pdf_converter=/path/.../acroread -toPostScript > > It's run correctly. > > Roger. >
Please read: http://online.securityfocus.com/archive/1/278984 This is why I cannot recommend using acroread for PDF conversion. --------- Extract of report --------- To: BugTraq Subject: Acrobat reader 5.05 temp file insecurity Date: Jun 24 2002 9:33PM Author: <[EMAIL PROTECTED] (Paul Szabo)> Message-ID: <[EMAIL PROTECTED]> Product: Acrobat Reader version "x86 linux 5.0.5 Apr 25 2002 11:55:36" (Other UNIX versions probably also affected, see Comments.) Problem and exploit: Acroread creates or overwrites the file /tmp/AdobeFnt06.lst.UID, and changes its permissions to wide open (mode 666); it also follows symlinks. The attack is obvious: ln -s ~victim/.bashrc /tmp/AdobeFnt06.lst.VUID and wait for victim to use acroread; then we can write his .bashrc. Comments: A similar problem has been reported in acroread 4.05 in August 2001: http://online.securityfocus.com/bid/3225 (apparently reported to Adobe in March 2001 and even in October 1999). The problem is worse in acroread 5.05 than was in 4.05: the file is written in /tmp, not the home directory. (The securityfocus description has since been updated to say that also 5.05 has a problem.) The file /tmp/AdobeFnt06.lst.UID is created on exit. Acroread seems to respect the setting of TMPDIR in the environment: then creates the file in that directory, and sets its permission to a sensible 600. Could we mess with the data in /tmp/AdobeFnt06.lst.UID, to substitute fonts so all PDFs look gibberish; or with enough creativity, to show something else? Could we cause a buffer overflow? ----------------------------------------------------------------------------- YOU MUST BE A LIST MEMBER IN ORDER TO POST TO THE LPRNG MAILING LIST The address you post from MUST be your subscription address If you need help, send email to [EMAIL PROTECTED] (or lprng-requests or lprng-digest-requests) with the word 'help' in the body. For the impatient, to subscribe to a list with name LIST, send mail to [EMAIL PROTECTED] with: | example: subscribe LIST <mailaddr> | subscribe lprng-digest [EMAIL PROTECTED] unsubscribe LIST <mailaddr> | unsubscribe lprng [EMAIL PROTECTED] If you have major problems, send email to [EMAIL PROTECTED] with the word LPRNGLIST in the SUBJECT line. -----------------------------------------------------------------------------
