FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

acroread uudecoder input validation error

Affected packages
acroread < 5.0.9
acroread4 < 5.0.9
acroread5 < 5.0.9

Details

VuXML ID 78348ea2-ec91-11d8-b913-000c41e2cdad
Discovery 2004-08-12
Entry 2004-08-12
Modified 2005-01-06

An iDEFENSE security advisory reports:

Remote exploitation of an input validation error in the uudecoding feature of Adobe Acrobat Reader (Unix) 5.0 allows an attacker to execute arbitrary code.

The Unix and Linux versions of Adobe Acrobat Reader 5.0 automatically attempt to convert uuencoded documents back into their original format. The vulnerability specifically exists in the failure of Acrobat Reader to check for the backtick shell metacharacter in the filename before executing a command with a shell. This allows a maliciously constructed filename to execute arbitrary programs.
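The class of fix for this bug, as an added example (not code from the advisory, Adobe, or FreeBSD): treat the filename in a uuencode `begin <mode> <name>` header as untrusted and accept it only if it passes an allowlist. The function names and sample headers are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allowlist: only [A-Za-z0-9._-], no leading '.' or '-', so no shell
 * metacharacters (backtick, ';', '$', ...) and no path components. */
int uu_name_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 255 || name[0] == '.' || name[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Parse "begin <octal mode> <name>". Returns 0 and fills out on success,
 * -1 for a malformed header, -2 for a name the allowlist rejects. */
int uu_parse_begin(const char *line, char *out, size_t outsz)
{
    char *end;
    if (strncmp(line, "begin ", 6) != 0)
        return -1;
    unsigned long mode = strtoul(line + 6, &end, 8);
    if (end == line + 6 || mode > 0777 || *end != ' ')
        return -1;
    const char *name = end + 1;
    size_t len = strcspn(name, "\r\n");      /* drop the line terminator */
    if (len == 0 || len >= outsz)
        return -1;
    memcpy(out, name, len);
    out[len] = '\0';
    if (uu_name_is_safe(out))
        return 0;
    out[0] = '\0';                           /* never hand back a rejected name */
    return -2;
}

int main(void)
{
    /* Constructed sample headers: one benign, one with backticks. */
    const char *hdrs[] = { "begin 644 report.pdf\n", "begin 644 x`cmd`.pdf\n" };
    char name[256];
    for (size_t i = 0; i < 2; i++)
        printf("%d\n", uu_parse_begin(hdrs[i], name, sizeof name));
    return 0;
}
```

Validation is defence in depth: a program that must launch a helper should also pass the accepted name as a separate argv element to `execv()` or `posix_spawn()` rather than embedding it in a string handed to `system()`, `popen()` or `sh -c`.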

References

CVE Name CVE-2004-0630
URL http://www.idefense.com/application/poi/display?id=124&type=vulnerabilities