Hi,

On Monday 16 September 2013 13:42:00, you wrote:
> Package: poppler-utils
> Version: 0.22.5-2
> Severity: normal
> File: /usr/bin/pdfseparate
>
> utils/pdfseparate.cc appears to invoke sprintf directly on user-passed
> data without cleaning or verifying it.
>
> bool extractPages (const char *srcFileName, const char *destFileName)
> {
>   char pathName[1024];
>   /* ... */
>   sprintf (pathName, destFileName, pageNo);
>
> This means that an attacker able to control the arguments passed to
> pdfseparate, and who can make one of the arguments a multipage pdf,
> can probably smash the stack.
>
> A) they could provide a srcFileName long enough to overflow pathName.
> this will write to arbitrary memory.
Incidentally, I looked at that code as a result of your #723121, just to
check whether the development version still had that lack; I spotted
this issue too and just fixed it upstream in b8682d8 [1], which will be
part of poppler 0.24.2. I could backport it to 0.22.x.

[1] b8682d868ddf7f741e93b791588af0932893f95c

> B) they could provide a destFileName with other sprintf placeholders
> besides %d, which would effectively be invoked while pointing to
> uninitialized memory.
>
> easy segfault:
>
> pdfseparate multipage.pdf test-%s-%d.pdf

Would it be possible to report this upstream?
https://bugs.freedesktop.org, product "poppler" and component "utils".

Thanks for your reports,
-- 
Pino Toscano
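The two defects discussed in the report above (a user-controlled destination pattern handed to sprintf as its format string, and a fixed 1024-byte pathName written without a length check) can be closed with one piece of input validation. The following is an added C++ example; it is not poppler's code and not the upstream fix in b8682d8. It checks that the pattern contains exactly one %d conversion and nothing else (a literal %% is allowed), expands the page number itself instead of passing the pattern to any printf-family function, and rejects results that would not fit the buffer. The function names findSinglePageConversion, buildPageFileName and expandOrEmpty, and the 1024-byte limit mirroring the report's pathName, are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Hypothetical hardened handling of the destination pattern.
// Not poppler's code: it illustrates the checks the report asks for.

// Returns the index of the single "%d" in the pattern, or -1 when the
// pattern is unsafe: any other conversion (%s, %n, %x, ...), a lone
// trailing '%', no %d at all, or more than one %d. "%%" is accepted
// as a literal percent sign.
int findSinglePageConversion(const std::string &pattern)
{
    int pos = -1;
    for (size_t i = 0; i < pattern.size(); ++i) {
        if (pattern[i] != '%')
            continue;
        if (i + 1 < pattern.size() && pattern[i + 1] == '%') {
            ++i;            // literal "%%", skip the second '%'
            continue;
        }
        if (i + 1 < pattern.size() && pattern[i + 1] == 'd' && pos == -1) {
            pos = static_cast<int>(i);
            ++i;            // skip the 'd'
            continue;
        }
        return -1;          // any other conversion, or a second %d
    }
    return pos;
}

// Expands the page number into the pattern without ever using the
// user-controlled string as a format string. Returns false when the
// pattern is unsafe or the result would not fit (with terminator) into
// a buffer of `limit` bytes, the 1024-byte pathName from the report.
bool buildPageFileName(const std::string &pattern, int pageNo,
                       std::string &out, size_t limit = 1024)
{
    const int pos = findSinglePageConversion(pattern);
    if (pos < 0)
        return false;

    char num[32];
    std::snprintf(num, sizeof num, "%d", pageNo);   // literal format only

    out.clear();
    for (size_t i = 0; i < pattern.size(); ++i) {
        if (static_cast<int>(i) == pos) {
            out += num;
            ++i;                            // skip the 'd' of "%d"
        } else if (pattern[i] == '%') {
            out += '%';
            ++i;                            // validated: must be "%%"
        } else {
            out += pattern[i];
        }
    }
    return out.size() < limit;              // leave room for the NUL
}

// Convenience wrapper: the expanded name, or "" when the pattern is rejected.
std::string expandOrEmpty(const std::string &pattern, int pageNo)
{
    std::string out;
    return buildPageFileName(pattern, pageNo, out) ? out : std::string();
}

int main(int argc, char **argv)
{
    // Constructed sample: the pattern comes from argv, as in pdfseparate.
    const std::string pattern = argc > 1 ? argv[1] : "page-%d.pdf";
    std::string name;
    if (!buildPageFileName(pattern, 7, name)) {
        std::fprintf(stderr, "rejected pattern: %s\n", pattern.c_str());
        return 1;
    }
    std::printf("%s\n", name.c_str());
    return 0;
}
```

Run with the pattern from the report, `test-%s-%d.pdf`, the program rejects the input instead of reading a bogus pointer for the %s; a pattern long enough to overflow a 1024-byte buffer is rejected by the size check rather than by sprintf writing past the array. The example deliberately accepts only a bare %d; a real tool that wants to allow width modifiers such as %03d would need to extend the validator accordingly.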