Acrobat reader 4.05 temporary files

Type securityvulns
Reporter Securityvulns
Modified 2002-06-20T00:00:00


        Insecure temporary files in Acrobat Reader 4.05
                  $Date: 2002/06/20 07:21:29 $

Author: Jarno Huuskonen <>

Discovered: Wed 18 Jul 2001

Vendor status: Adobe (contacted on Thu 19 Jul 2001). Adobe said that they'll look into this. Acrobat Reader 5.05 appears to correct the problem.

Platforms: Acrobat Reader 4.05 (linux-ar-405.tar.gz). I tested this only on Linux, but I believe that all 'Unix' versions are affected.

Severity: Low: possible local file overwrite (symlink attack). (For more information about race conditions see [1], [2], [3].)

Abstract: Acrobat Reader (acroread) creates temporary files in /tmp (or in the directory pointed to by the TMP environment variable) insecurely when opening or printing a PDF document.

Details: Out of curiosity I straced acroread to see if it uses temporary files. From the strace output I noticed that acroread does open temporary files in /tmp (or in $TMP if you have it set) without using O_EXCL, so acroread will follow symbolic links when creating the temporary file. Here is an example from strace output that shows the problem:

    stat("/tmp/Acro48IBR1", 0xbfffe958) = -1 ENOENT (No such file or directory)
    open("/tmp/Acro48IBR1", O_RDWR|O_CREAT|O_TRUNC, 0666) = 5
    ...
    ...
    unlink("/tmp/Acro48IBR1") = 0

These temporary files are created at least when opening a document and when printing a document (Print To: Printer Command). (I assume the Acrobat Reader Netscape plugin has the same problem; I didn't check this, though.)
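To make the strace finding concrete, here is an added example (my own test code, not part of this advisory or of acroread) that builds a private directory with a pre-planted symlink, shows that the open() flags seen above follow it while the same open() with O_EXCL fails with EEXIST, and then creates a temporary file the safe way with mkstemp(). The directory and file names are constructed for the demo.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed fixture: a private directory holding a file "victim" and a symlink
   "Acro48IBR1" -> "victim" (a stand-in for a link planted in /tmp); fills buffers of size n. */
static int make_fixture(char *dir, char *victim, char *link, size_t n)
{
    snprintf(dir, n, "/tmp/tmpdemo.XXXXXX");
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, n, "%s/victim", dir);
    snprintf(link, n, "%s/Acro48IBR1", dir);
    int fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "keep me\n", 8) != 8) return -1;
    close(fd);
    return symlink("victim", link);
}

/* The flags from the advisory's strace, no O_EXCL: open() follows the symlink and
   O_TRUNC empties the file behind it. Returns victim's size after (0 = link followed). */
static off_t open_without_excl(const char *link, const char *victim)
{
    int fd = open(link, O_RDWR | O_CREAT | O_TRUNC, 0666);
    if (fd >= 0) close(fd);
    struct stat st;
    return lstat(victim, &st) == 0 ? st.st_size : -1;
}
/* Same open plus O_EXCL: POSIX requires EEXIST when the path is a symlink, wherever
   it points, so the planted link is never followed. Returns errno (0 = opened). */
static int open_with_excl(const char *link)
{
    int fd = open(link, O_RDWR | O_CREAT | O_EXCL | O_TRUNC, 0666);
    if (fd >= 0) { close(fd); return 0; }
    return errno;
}
/* The fix: mkstemp() picks an unpredictable name and opens it O_CREAT|O_EXCL with
   mode 0600. Returns the created file's permission bits, or -1 on failure. */
static int safe_tmpfile_mode(const char *dir, char *out, size_t n)
{
    snprintf(out, n, "%s/Acro.XXXXXX", dir);
    int fd = mkstemp(out);
    if (fd < 0) return -1;
    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    return rc == 0 ? (int)(st.st_mode & 0777) : -1;
}
```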

Workaround: Set the TMP environment variable to a secure directory (e.g. ~/tmp) before using Acrobat Reader (and, if you use the Acrobat plugin, before launching Netscape). One possible way to achieve this is to replace the acroread shell script with a wrapper script that sets TMP and then execs the original acroread (or directly modify the acroread script if the license permits this).

Solution: Acrobat Reader 5.05 appears to correct this problem. Download the updated version from

References:

1. David A. Wheeler: Secure Programming for Linux and Unix HOWTO.

2. Kris Kennaway's post to Bugtraq about temporary files.

3. Creating Secure Software:

-- Jarno Huuskonen <Jarno.Huuskonen atsign>