According to a report from Red Hat, two vulnerabilities in the free PDF reader Xpdf can be exploited via manipulated PDF documents to compromise a victim's system. The flaws are reportedly due to an uninitialised pointer and an array index error.

These problems extend to a number of applications that use the Xpdf code, including, poppler, CUPS, gPDF and KPDF. However, Red Hat hasn't released specific information about affected versions. Whether the document viewer Evince, which relies on poppler, is also affected is unknown.

Red Hat has made updated packages available for all listed products. According to security specialists Secunia the poppler developers closed the gaps in their repository three weeks ago. The status of other products is currently unclear. If the packages of other distributors are affected it seems likely they will soon follow suit with updates.

Update - The poppler developers have confirmed that the bugs are fixed in poppler version 0.14.4

(trk)