CVE-2011-2902
Description
zxpdf in Debian's xpdf package insecurely deletes temporary files, allowing remote attackers to delete arbitrary files via a crafted .pdf.gz filename.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In the Debian packaging of xpdf (versions prior to 3.02-19 in unstable and 3.02-12+squeeze1 in squeeze), the zxpdf script deletes temporary files in an insecure manner. A remote attacker can supply a specially crafted .pdf.gz file name, causing the script to delete arbitrary files on the system rather than its intended temporary file [1][2]. The vulnerability only affects the zxpdf script, which is not associated with PDF handling by default, limiting remote abuse [2].
Exploitation
An attacker must be able to induce a user or automated process to invoke zxpdf on a crafted .pdf.gz file. The attacker crafts a file name that, when processed by the insecure deletion code, causes the script to delete an arbitrary file of the attacker's choosing. No authentication or local access is required beyond the ability to deliver the malicious file name to a user running zxpdf [1][2].
Impact
Successful exploitation allows the remote attacker to delete arbitrary files on the target system, potentially leading to denial of service or system integrity compromise. The attacker only controls the file name, so the impact is limited to deletion of files the process has permission to remove, with no direct code execution [1][2].
Mitigation
The vulnerability is fixed in xpdf version 3.02-12+squeeze1 for Debian squeeze and 3.02-19 for Debian unstable [2]. Users should upgrade to the patched versions. As a workaround, users can avoid using the zxpdf script or restrict access to it, since it is not associated with PDF handling by default, reducing the attack surface [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 3.02-19
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. This section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.openwall.com/lists/oss-security/2014/02/08/5 (MITRE, mailing list)
- bugs.debian.org/cgi-bin/bugreport.cgi (MITRE, confirm)
- security-tracker.debian.org/tracker/CVE-2011-2902/ (MITRE, confirm)
News mentions
No linked articles in our index yet.