Your message dated Sun, 17 Nov 2013 18:48:50 +0000
with message-id <[email protected]>
and subject line Bug#723124: fixed in poppler 0.18.4-9
has caused the Debian Bug report #723124,
regarding /usr/bin/pdfseparate: pdfseparate segfault based on filenames (possibly exploitable)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
723124: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723124
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: poppler-utils
Version: 0.22.5-2
Severity: normal
File: /usr/bin/pdfseparate

utils/pdfseparate.cc appears to invoke sprintf directly on user-passed
data without cleaning or verifying it.

bool extractPages (const char *srcFileName, const char *destFileName) {
  char pathName[1024];
  /* ... */
  sprintf (pathName, destFileName, pageNo);

This means that an attacker able to control the arguments passed to
pdfseparate, and who can make one of the arguments a multipage pdf,
can probably smash the stack.

A) They could provide a srcFileName long enough to overflow pathName;
   this will write to arbitrary memory.

B) They could provide a destFileName with other sprintf placeholders
   besides %d, which would effectively be invoked while pointing to
   uninitialized memory.

Easy segfault:

 pdfseparate multipage.pdf test-%s-%d.pdf

I haven't tried to turn this into an exploit, but I'm sure someone
with more time, patience, and cleverness than me could do so.

     --dkg

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11-rc4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages poppler-utils depends on:
ii  libc6         2.17-92+b1
ii  libcairo2     1.12.14-4
ii  libfreetype6  2.4.9-1.1
ii  liblcms2-2    2.2+git20110628-2.2
ii  libpoppler37  0.22.5-2
ii  libstdc++6    4.8.1-2
ii  zlib1g        1:1.2.8.dfsg-1

poppler-utils recommends no packages.

poppler-utils suggests no packages.

-- debconf-show failed

--- End Message ---
--- Begin Message ---
Source: poppler
Source-Version: 0.18.4-9

We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pino Toscano <[email protected]> (supplier of updated poppler package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Sun, 17 Nov 2013 18:57:18 +0100
Source: poppler
Binary: libpoppler19 libpoppler-dev libpoppler-private-dev libpoppler-glib8 libpoppler-glib-dev gir1.2-poppler-0.18 libpoppler-qt4-3 libpoppler-qt4-dev libpoppler-cpp0 libpoppler-cpp-dev poppler-utils poppler-dbg
Architecture: source amd64
Version: 0.18.4-9
Distribution: unstable
Urgency: medium
Maintainer: Loic Minier <[email protected]>
Changed-By: Pino Toscano <[email protected]>
Description: 
 gir1.2-poppler-0.18 - GObject introspection data for poppler-glib
 libpoppler-cpp-dev - PDF rendering library -- development files (CPP interface)
 libpoppler-cpp0 - PDF rendering library (CPP shared library)
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
 libpoppler-glib8 - PDF rendering library (GLib-based shared library)
 libpoppler-private-dev - PDF rendering library -- private development files
 libpoppler-qt4-3 - PDF rendering library (Qt 4 based shared library)
 libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 interface)
 libpoppler19 - PDF rendering library
 poppler-dbg - PDF rendering library -- debugging symbols
 poppler-utils - PDF utilities (based on Poppler)
Closes: 723124 729064
Changes: 
 poppler (0.18.4-9) unstable; urgency=medium
 .
   * Remove the custom RPATH handling on Hurd, since the issue does not affect
     the build anymore; remove the hurd-only chrpath build dependency.
   * Backport upstream commits b8682d868ddf7f741e93b791588af0932893f95c (patch
     upstream_pdfseparate-improve-the-path-building.patch)
     and 61f79b8447c3ac8ab5a26e79e0c28053ffdccf75 (patch
     upstream_Allow-only-one-d-in-the-filename.diff) to fix two string/format
     issues in pdfseparate, reported as CVE-2013-4473 and CVE-2013-4474.
     (Closes: #723124, #729064)
   * Bump Standards-Version to 3.9.5, no changes required.
Checksums-Sha1: 
Checksums-Sha256: 
Files: 


--- End Message ---
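A defender-side version of the path building that both the report above (sprintf on the user-supplied destFileName) and the changelog's "allow only one %d" fix concern, as an added example in C. This is not poppler's code and is deliberately stricter than upstream: any '%' other than a single "%d" is rejected, the user string is never handed to printf as a format, and a result that would not fit the buffer is refused instead of truncated. All function names are the example's own.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not poppler's code. Rule: the destination pattern holds
   exactly one "%d" and no other '%', and it is never used as a format. */

/* Return the single "%d" in pattern, or NULL if it has zero or several
   "%d", or any other '%' sequence (%s, %n, even %%). */
const char *find_single_page_marker(const char *pattern)
{
    const char *marker = NULL;
    for (const char *p = pattern; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] != 'd' || marker != NULL)
            return NULL;
        marker = p++;             /* remember it and skip the 'd' */
    }
    return marker;
}

/* Build out[0..outlen) from pattern with pageNo substituted. Returns 1 on
   success, 0 if the pattern is unsafe or the result would be truncated. */
int build_page_path(char *out, size_t outlen, const char *pattern, int pageNo)
{
    const char *marker = find_single_page_marker(pattern);
    if (marker == NULL)
        return 0;
    /* The format is a literal; pattern only ever travels as %s arguments. */
    int n = snprintf(out, outlen, "%.*s%d%s",
                     (int)(marker - pattern), pattern, pageNo, marker + 2);
    return n >= 0 && (size_t)n < outlen;
}

/* Self-check: build into outlen bytes and compare; expected == NULL means
   the call must be refused. */
int check_build(const char *pattern, int pageNo, size_t outlen, const char *expected)
{
    char buf[256];
    if (outlen > sizeof buf) return 0;
    int ok = build_page_path(buf, outlen, pattern, pageNo);
    return expected == NULL ? ok == 0 : (ok == 1 && strcmp(buf, expected) == 0);
}

int main(void)
{
    printf("page-%%d.pdf    -> %d (1 = built)\n", check_build("page-%d.pdf", 7, 64, "page-7.pdf"));
    printf("test-%%s-%%d.pdf -> %d (1 = refused)\n", check_build("test-%s-%d.pdf", 1, 64, NULL));
    return 0;
}
```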
