control: tag -1 patch
control: tag -1 pending
On Fri, Nov 8, 2013 at 8:32 AM, Moritz Muehlenhoff wrote:
Two security issues were found in the pdfseparate tool shipped by
poppler-utils:
Hi, I've uploaded an nmu fixing these two issue to delayed/5. Please
see attached patch.
Best wishes,
Mike
diff -Nru poppler-0.18.4/debian/changelog poppler-0.18.4/debian/changelog
--- poppler-0.18.4/debian/changelog 2013-08-20 13:12:45.0 -0400
+++ poppler-0.18.4/debian/changelog 2013-11-10 16:13:27.0 -0500
@@ -1,3 +1,11 @@
+poppler (0.18.4-8+nmu1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix cve-2013-4473 and cve-2013-4474: buffer overflow and format string
+issues in the pdfseparate tool (closes: 729064).
+
+ -- Michael Gilbert mgilb...@debian.org Sun, 10 Nov 2013 20:42:23 +
+
poppler (0.18.4-8) unstable; urgency=low
* Remove the .la files from debian/tmp, to shorten the --list-missing output.
diff -Nru poppler-0.18.4/debian/patches/cve-2013-4473.patch poppler-0.18.4/debian/patches/cve-2013-4473.patch
--- poppler-0.18.4/debian/patches/cve-2013-4473.patch 1969-12-31 19:00:00.0 -0500
+++ poppler-0.18.4/debian/patches/cve-2013-4473.patch 2013-11-10 16:13:33.0 -0500
@@ -0,0 +1,24 @@
+description: buffer overflow in pdfseparate tool
+origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4473
+Index: poppler-0.18.4/utils/pdfseparate.cc
+===
+--- poppler-0.18.4.orig/utils/pdfseparate.cc 2013-11-10 21:08:46.366640853 +
poppler-0.18.4/utils/pdfseparate.cc 2013-11-10 21:08:46.366640853 +
+@@ -43,7 +43,7 @@
+ };
+
+ bool extractPages (const char *srcFileName, const char *destFileName) {
+- char pathName[1024];
++ char pathName[4096];
+ GooString *gfileName = new GooString (srcFileName);
+ PDFDoc *doc = new PDFDoc (gfileName, NULL, NULL, NULL);
+
+@@ -69,7 +69,7 @@
+ return false;
+ }
+ for (int pageNo = firstPage; pageNo = lastPage; pageNo++) {
+-sprintf (pathName, destFileName, pageNo);
++snprintf (pathName, sizeof (pathName) - 1, destFileName, pageNo);
+ GooString *gpageName = new GooString (pathName);
+ int errCode = doc-savePageAs(gpageName, pageNo);
+ if ( errCode != errNone) {
diff -Nru poppler-0.18.4/debian/patches/cve-2013-4474.patch poppler-0.18.4/debian/patches/cve-2013-4474.patch
--- poppler-0.18.4/debian/patches/cve-2013-4474.patch 1969-12-31 19:00:00.0 -0500
+++ poppler-0.18.4/debian/patches/cve-2013-4474.patch 2013-11-10 16:14:12.0 -0500
@@ -0,0 +1,53 @@
+description: format string issue
+origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4474
+Index: poppler-0.18.4/utils/pdfseparate.cc
+===
+--- poppler-0.18.4.orig/utils/pdfseparate.cc 2013-11-10 21:13:42.114643334 +
poppler-0.18.4/utils/pdfseparate.cc 2013-11-10 21:14:08.754643558 +
+@@ -18,6 +18,7 @@
+ #include PDFDoc.h
+ #include ErrorCodes.h
+ #include GlobalParams.h
++#include ctype.h
+
+ static int firstPage = 0;
+ static int lastPage = 0;
+@@ -65,9 +66,37 @@
+ if (firstPage == 0)
+ firstPage = 1;
+ if (firstPage != lastPage strstr(destFileName, %d) == NULL) {
+-error(-1, '%s' must contain '%%d' if more than one page should be extracted, destFileName);
++error(-1, '%s' must contain '%d' if more than one page should be extracted, destFileName);
+ return false;
+ }
++
++ // destFileName can have multiple %% and one %d
++ // We use auxDestFileName to replace all the valid % appearances
++ // by 'A' (random char that is not %), if at the end of replacing
++ // any of the valid appearances there is still any % around, the
++ // pattern is wrong
++ char *auxDestFileName = strdup(destFileName);
++ // %% can appear as many times as you want
++ char *p = strstr(auxDestFileName, %%);
++ while (p != NULL) {
++*p = 'A';
++*(p + 1) = 'A';
++p = strstr(p, %%);
++ }
++ // %d can appear only one time
++ p = strstr(auxDestFileName, %d);
++ if (p != NULL) {
++*p = 'A';
++ }
++ // at this point any other % is wrong
++ p = strstr(auxDestFileName, %);
++ if (p != NULL) {
++error(-1, '%s' can only contain one '%d' pattern, destFileName);
++free(auxDestFileName);
++return false;
++ }
++ free(auxDestFileName);
++
+ for (int pageNo = firstPage; pageNo = lastPage; pageNo++) {
+ snprintf (pathName, sizeof (pathName) - 1, destFileName, pageNo);
+ GooString *gpageName = new GooString (pathName);
diff -Nru poppler-0.18.4/debian/patches/series poppler-0.18.4/debian/patches/series
--- poppler-0.18.4/debian/patches/series 2013-08-20 09:53:24.0 -0400
+++ poppler-0.18.4/debian/patches/series 2013-11-10 16:13:39.0 -0500
@@ -10,3 +10,5 @@
upstream_Initialize-refLine-totally.patch
CVE-2012-2142.diff
upstream_pdfseparate.1-Syntax-fixes.patch
+cve-2013-4473.patch
+cve-2013-4474.patch