[ https://issues.apache.org/jira/browse/PDFBOX-6045?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tilman Hausherr updated PDFBOX-6045:
------------------------------------
    Description:
This issue is being *manually* filed by the competition organizers. We recognize there is a number of AI generated submissions as of late. We have gone through the manual process of bug/patch validation to prevent unnecessary "noise", respecting maintainers' time.

This submission is being sent as part of DARPA's AIxCC competition. (https://aicyberchallenge.com) This issue was discovered and validated by competition engineers during challenge development. The patch was manually constructed by the competition engineers.

We found via fuzzing that our console would occasionally get corrupted. This is caused from not filtering user-generated data during logging (and our choice to log to the console).

In the first screenshot, you can see the point when the corruption happens. In the second, you can see the overall outcome.

!image1.png!

!https://uploads.linear.app/d7cdd4d4-7aba-4d9d-aa0b-c26b540340f9/1bdf3cc5-031b-465e-bcdd-8bb574ddd4c3/afdd8be8-d6b5-4a5d-bb42-86644b5a387a|width=720,height=77!!https://uploads.linear.app/d7cdd4d4-7aba-4d9d-aa0b-c26b540340f9/48b4d8c4-7072-49dd-af1c-b9f8d9ff6755/f4a75aaa-bcb1-4ad2-ab0b-1586863731c1|width=2009,height=664!

We think the fix is to prevent {{\u001b}} from being written to logs. There may be other solutions.

The above shows corruption via the font or maybe encoding, but it would be possible to do other things that could be problematic for users logging to the console — like turning the text invisible or other things.

Some relevant links:
* [https://gist.github.com/fnky/458719343aabd01cfb17a3a4f7296797]
* [https://www.youtube.com/watch?v=3T2Al3jdY38]

(AIxCC Internal: CHA-1733)

  was:
This issue is being *manually* filed by the competition organizers. We recognize there is a number of AI generated submissions as of late. We have gone through the manual process of bug/patch validation to prevent unnecessary "noise", respecting maintainers' time.
This submission is being sent as part of DARPA's AIxCC competition. (https://aicyberchallenge.com) This issue was discovered and validated by competition engineers during challenge development. The patch was manually constructed by the competition engineers.

We found via fuzzing that our console would occasionally get corrupted. This is caused from not filtering user-generated data during logging (and our choice to log to the console).

In the first screenshot, you can see the point when the corruption happens. In the second, you can see the overall outcome.

!https://uploads.linear.app/d7cdd4d4-7aba-4d9d-aa0b-c26b540340f9/1bdf3cc5-031b-465e-bcdd-8bb574ddd4c3/afdd8be8-d6b5-4a5d-bb42-86644b5a387a|width=720,height=77!!https://uploads.linear.app/d7cdd4d4-7aba-4d9d-aa0b-c26b540340f9/48b4d8c4-7072-49dd-af1c-b9f8d9ff6755/f4a75aaa-bcb1-4ad2-ab0b-1586863731c1|width=2009,height=664!

We think the fix is to prevent {{\u001b}} from being written to logs. There may be other solutions.

The above shows corruption via the font or maybe encoding, but it would be possible to do other things that could be problematic for users logging to the console — like turning the text invisible or other things.

Some relevant links:
* [https://gist.github.com/fnky/458719343aabd01cfb17a3a4f7296797]
* [https://www.youtube.com/watch?v=3T2Al3jdY38]

(AIxCC Internal: CHA-1733)

> Potential Console Corruption
> ----------------------------
>
>                 Key: PDFBOX-6045
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-6045
>             Project: PDFBox
>          Issue Type: Bug
>    Affects Versions: 4.0.0
>            Reporter: David Justamante
>            Priority: Minor
>         Attachments: image1.png, image2.png
>
>
> This issue is being *manually* filed by the competition organizers. We recognize there is a number of AI generated submissions as of late. We have gone through the manual process of bug/patch validation to prevent unnecessary "noise", respecting maintainers' time.
> This submission is being sent as part of DARPA's AIxCC competition.
> (https://aicyberchallenge.com) This issue was discovered and validated by competition engineers during challenge development. The patch was manually constructed by the competition engineers.
> We found via fuzzing that our console would occasionally get corrupted. This is caused from not filtering user-generated data during logging (and our choice to log to the console).
> In the first screenshot, you can see the point when the corruption happens. In the second, you can see the overall outcome.
> !image1.png!
> !https://uploads.linear.app/d7cdd4d4-7aba-4d9d-aa0b-c26b540340f9/1bdf3cc5-031b-465e-bcdd-8bb574ddd4c3/afdd8be8-d6b5-4a5d-bb42-86644b5a387a|width=720,height=77!!https://uploads.linear.app/d7cdd4d4-7aba-4d9d-aa0b-c26b540340f9/48b4d8c4-7072-49dd-af1c-b9f8d9ff6755/f4a75aaa-bcb1-4ad2-ab0b-1586863731c1|width=2009,height=664!
> We think the fix is to prevent {{\u001b}} from being written to logs. There may be other solutions.
> The above shows corruption via the font or maybe encoding, but it would be possible to do other things that could be problematic for users logging to the console — like turning the text invisible or other things.
> Some relevant links:
> * [https://gist.github.com/fnky/458719343aabd01cfb17a3a4f7296797]
> * [https://www.youtube.com/watch?v=3T2Al3jdY38]
>
> (AIxCC Internal: CHA-1733)

--
This message was sent by Atlassian Jira (v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: dev-h...@pdfbox.apache.org
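
One way to apply the fix suggested in the report, shown as an added example (it is not PDFBox code and not the patch the reporters mention): a hypothetical `LogSanitizer.neutralize` helper that escapes ESC before untrusted text reaches a console logger. It goes beyond the report's `\u001b` by also escaping the other C0/C1 control characters, including CR/LF; the class name and the sample input are assumptions.

```java
public final class LogSanitizer {
    private LogSanitizer() {}

    /**
     * Returns text safe to print on a terminal: every control character is
     * replaced by a visible backslash-u hex escape, so ESC (0x1b) can no
     * longer start an ANSI sequence and CR/LF cannot forge extra log lines.
     */
    public static String neutralize(String untrusted) {
        if (untrusted == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(untrusted.length() + 16);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            boolean c0 = c < 0x20 && c != '\t';        // includes ESC, CR, LF
            boolean delOrC1 = c >= 0x7f && c <= 0x9f;  // DEL and 8-bit CSI (0x9b)
            if (c0 || delOrC1) {
                out.append(String.format("\\u%04x", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a name as it might be read from a parsed file,
        // carrying an ANSI "conceal" sequence and an embedded line break.
        String fromFile = "Helvetica\u001b[8m concealed \u001b[0m\r\nINFO forged entry";
        String safe = neutralize(fromFile);
        if (safe.indexOf('\u001b') >= 0 || safe.indexOf('\n') >= 0) {
            throw new AssertionError("control character survived sanitizing");
        }
        // Prints one line with the escapes shown as literal text.
        System.out.println("WARN unknown font name: " + safe);
    }
}
```

Applying the helper at the logging call site, or in a logging-framework filter or layout, keeps the raw value untouched for processing while only the rendered log line is escaped.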