There are two security problems in xpdf, the PDF file viewer.
The first is that temporary files were created insecurely.
The second problem is that xpdf was not cautious enough when the
user clicked on a URL. Xpdf would start the URL viewer (netscape
by default) via the system shell, not properly taking care of
shell meta characters. The advisory is at LWN.net.