Package: poppler-utils
Version: 0.22.5-2
Severity: normal
File: /usr/bin/pdfseparate
utils/pdfseparate.cc appears to invoke sprintf directly on user-passed
data without cleaning or verifying it.
bool extractPages (const char *srcFileName, const char *destFileName) {
char pathName[1024];
/* ... */
sprintf (pathName, destFileName, pageNo);
This means that an attacker able to control the arguments passed to
pdfseparate, and who can make one of the arguments a multipage pdf,
can probably smash the stack.
A) they could provide a srcFileName long enough to overflow pathName.
this will write to arbitrary memory.
B) they could provide a destFileName with other sprintf placeholders
besides %d, which would effectively be invoked while pointing to
uninitialized memory.
easy segfault:
pdfseparate multipage.pdf test-%s-%d.pdf
I haven't tried to turn this into an exploit, but i'm sure someone
with more time, patience, and cleverness than me could do so.
--dkg
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.11-rc4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages poppler-utils depends on:
ii libc6 2.17-92+b1
ii libcairo2 1.12.14-4
ii libfreetype6 2.4.9-1.1
ii liblcms2-2 2.2+git20110628-2.2
ii libpoppler37 0.22.5-2
ii libstdc++6 4.8.1-2
ii zlib1g 1:1.2.8.dfsg-1
poppler-utils recommends no packages.
poppler-utils suggests no packages.
-- debconf-show failed
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
