acroread uudecoder input validation error

ID 78348EA2-EC91-11D8-B913-000C41E2CDAD
Type freebsd
Reporter FreeBSD
Modified 2005-01-06T00:00:00


An iDEFENSE security advisory reports:

Remote exploitation of an input validation error in the uudecoding feature of Adobe Acrobat Reader (Unix) 5.0 allows an attacker to execute arbitrary code. The Unix and Linux versions of Adobe Acrobat Reader 5.0 automatically attempt to convert uuencoded documents back into their original format. The vulnerability specifically exists in the failure of Acrobat Reader to check for the backtick shell metacharacter in the filename before executing a command with a shell. This allows a maliciously constructed filename to execute arbitrary programs.