Hi,
On Monday, 16 September 2013 13:42:00, you wrote:
> Package: poppler-utils
> Version: 0.22.5-2
> Severity: normal
> File: /usr/bin/pdfseparate
>
> utils/pdfseparate.cc appears to invoke sprintf directly on user-passed
> data without cleaning or verifying it.
>
> bool extractPages (const char *srcFileName, const char *destFileName)
> {
>   char pathName[1024];
>   /* ... */
>   sprintf (pathName, destFileName, pageNo);
>
> This means that an attacker able to control the arguments passed to
> pdfseparate, and who can make one of the arguments a multipage pdf,
> can probably smash the stack.
>
> A) they could provide a srcFileName long enough to overflow pathName.
> this will write to arbitrary memory.

Incidentally, I looked at that code as a result of your #723121, just to
check whether the development version still had that lack; I spotted
this issue too and just fixed it upstream in b8682d8 [1], which will be
part of poppler 0.24.2. I could backport it to 0.22.x.

[1] b8682d868ddf7f741e93b791588af0932893f95c

> B) they could provide a destFileName with other sprintf placeholders
> besides %d, which would effectively be invoked while pointing to
> uninitialized memory.
>
> easy segfault:
>
> pdfseparate multipage.pdf test-%s-%d.pdf

Would it be possible to report this upstream?
https://bugs.freedesktop.org, product "poppler" and component "utils".

Thanks for your reports,
-- 
Pino Toscano
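The pattern at issue in this thread, a user-supplied destination template passed straight to sprintf, can be checked defensively as in the added C example below (not poppler's code and not the upstream fix in b8682d8; the function names template_is_safe, build_page_path and path_matches are assumptions made here). It accepts only templates with exactly one %d conversion and builds the path with a bounded snprintf, so both the long-name overflow in A) and the stray-placeholder case in B) are rejected instead of reaching the stack buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Accept a page-name template only if it contains exactly one integer
 * conversion (%d, optionally with a width such as %03d); "%%" is allowed
 * as a literal percent sign, and every other '%' directive is rejected. */
bool template_is_safe(const char *tmpl)
{
    int conversions = 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                   /* literal "%%" */
            continue;
        while (*p >= '0' && *p <= '9')   /* optional width, e.g. %03d */
            p++;
        if (*p != 'd')                   /* %s, %n, %x, trailing '%' ... */
            return false;
        conversions++;
    }
    return conversions == 1;
}

/* Build the output path for pageNo into out[outlen]. Fails if the template
 * is unsafe or the result would not fit: truncation is reported as an
 * error rather than producing a silently shortened path. */
bool build_page_path(char *out, size_t outlen, const char *tmpl, int pageNo)
{
    if (!template_is_safe(tmpl))
        return false;
    int n = snprintf(out, outlen, tmpl, pageNo);
    return n >= 0 && (size_t)n < outlen;
}

/* Self-check helper (constructed for this example): build into a buffer
 * capped at `cap` bytes and compare against the expected path. */
bool path_matches(const char *tmpl, int pageNo, size_t cap, const char *expected)
{
    char buf[64];
    if (cap > sizeof buf)
        cap = sizeof buf;
    return build_page_path(buf, cap, tmpl, pageNo) && strcmp(buf, expected) == 0;
}
```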