Acknowledgement sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
New Bug report received and forwarded. Copy sent to dkg@fifthhorseman.net, Loic Minier <lool@dooz.org>.
(Mon, 16 Sep 2013 17:45:06 GMT) (full text, mbox, link).
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: /usr/bin/pdfseparate: pdfseparate segfault based on filenames (possibly exploitable)
Date: Mon, 16 Sep 2013 13:42:00 -0400
Package: poppler-utils
Version: 0.22.5-2
Severity: normal
File: /usr/bin/pdfseparate
utils/pdfseparate.cc appears to invoke sprintf directly on user-passed
data without cleaning or verifying it.
bool extractPages (const char *srcFileName, const char *destFileName) {
  char pathName[1024];
  /* ... */
  sprintf (pathName, destFileName, pageNo);
This means that an attacker able to control the arguments passed to
pdfseparate, and who can make one of the arguments a multipage pdf,
can probably smash the stack.
A) they could provide a srcFileName long enough to overflow pathName.
this will write to arbitrary memory.
B) they could provide a destFileName with other sprintf placeholders
besides %d, which would effectively be invoked while pointing to
uninitialized memory.
easy segfault:
pdfseparate multipage.pdf test-%s-%d.pdf
I haven't tried to turn this into an exploit, but I'm sure someone
with more time, patience, and cleverness than me could do so.
--dkg
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.11-rc4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages poppler-utils depends on:
ii libc6 2.17-92+b1
ii libcairo2 1.12.14-4
ii libfreetype6 2.4.9-1.1
ii liblcms2-2 2.2+git20110628-2.2
ii libpoppler37 0.22.5-2
ii libstdc++6 4.8.1-2
ii zlib1g 1:1.2.8.dfsg-1
poppler-utils recommends no packages.
poppler-utils suggests no packages.
-- debconf-show failed
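The two defects the report describes share one root cause: the caller-supplied destFileName is used directly as the printf format, and the expansion lands in a fixed 1024-byte stack buffer. The following is an added example, not code from poppler and not the upstream fix referenced elsewhere in this bug, showing the check a practitioner would want in front of such a call: accept only a template that contains exactly one %d and no other conversion, then build the name with a literal format and a bounded snprintf so the user string is never interpreted as a format at all. The function names, the PATH_BUF_LEN constant and the sample templates are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not poppler code. The report's extractPages() does
 *   char pathName[1024]; sprintf(pathName, destFileName, pageNo);
 * so destFileName is both attacker data and the format string. Two
 * independent bugs follow: extra conversions (%s, %n, ...) read or write
 * through whatever happens to be on the stack, and a long expansion
 * overruns pathName. */

#define PATH_BUF_LEN 1024   /* same fixed size as the report's pathName (assumption) */

/* Accept a template only if it contains exactly one "%d" and no other
 * '%' at all. "%%", "%s", "%n", a trailing '%' and a second "%d" are
 * all rejected; the rule is deliberately strict rather than a full
 * printf grammar. */
bool dest_template_is_safe(const char *tmpl)
{
    int count = 0;
    for (const char *p = tmpl; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] != 'd')
            return false;           /* any conversion other than %d */
        count++;
        p++;                        /* step over the 'd' */
    }
    return count == 1;
}

/* Build the per-page output name into out[outsz]. Returns the length
 * written (excluding the NUL), or -1 if the template is unsafe or the
 * result would not fit. The format passed to snprintf is a literal: the
 * validated template is spliced in as data, so even a later relaxation
 * of the check above cannot turn it back into a format string. */
int build_page_path(char *out, size_t outsz, const char *tmpl, int pageNo)
{
    if (!dest_template_is_safe(tmpl))
        return -1;
    const char *d = strstr(tmpl, "%d");          /* present exactly once */
    int prefix_len = (int)(d - tmpl);
    int n = snprintf(out, outsz, "%.*s%d%s", prefix_len, tmpl, pageNo, d + 2);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                               /* refuse truncation instead of clipping */
    return n;
}

int main(void)
{
    /* Constructed sample templates: the report's crashing case, a sane one,
     * and one with two %d; then a buffer too small for the result. */
    const char *samples[] = { "test-%s-%d.pdf", "page-%d.pdf", "out-%d-%d.pdf" };
    char path[PATH_BUF_LEN];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = build_page_path(path, sizeof path, samples[i], 3);
        if (n < 0)
            printf("rejected: %s\n", samples[i]);
        else
            printf("ok (%d bytes): %s\n", n, path);
    }
    char tiny[8];
    printf("small buffer: %d\n", build_page_path(tiny, sizeof tiny, "page-%d.pdf", 3));
    return 0;
}
```

Rejecting a result that would not fit, rather than silently truncating it, matters here because a clipped output name could collide with or overwrite a different file than the caller intended.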
Information forwarded
to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>: Bug#723124; Package poppler-utils.
(Mon, 16 Sep 2013 18:03:12 GMT)
Acknowledgement sent
to 723124@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>.
(Mon, 16 Sep 2013 18:03:12 GMT)
Hi,
On Monday, 16 September 2013 13:42:00, you wrote:
> Package: poppler-utils
> Version: 0.22.5-2
> Severity: normal
> File: /usr/bin/pdfseparate
>
> utils/pdfseparate.cc appears to invoke sprintf directly on user-passed
> data without cleaning or verifying it.
>
> bool extractPages (const char *srcFileName, const char *destFileName) {
>   char pathName[1024];
>   /* ... */
>   sprintf (pathName, destFileName, pageNo);
>
> This means that an attacker able to control the arguments passed to
> pdfseparate, and who can make one of the arguments a multipage pdf,
> can probably smash the stack.
>
> A) they could provide a srcFileName long enough to overflow pathName.
> this will write to arbitrary memory.
Incidentally, I looked at that code as a result of your #723121, just to
check whether the development version still had that flaw; I spotted
this issue too and just fixed it upstream in b8682d8 [1], which will be
part of poppler 0.24.2.
I could backport it to 0.22.x.
[1] b8682d868ddf7f741e93b791588af0932893f95c
> B) they could provide a destFileName with other sprintf placeholders
> besides %d, which would effectively be invoked while pointing to
> uninitialized memory.
>
> easy segfault:
>
> pdfseparate multipage.pdf test-%s-%d.pdf
Would it be possible to report this upstream?
https://bugs.freedesktop.org, product "poppler" and component "utils".
Thanks for your reports,
--
Pino Toscano
Added tag(s) fixed-upstream.
Request was from bts-link-upstream@lists.alioth.debian.org
to control@bugs.debian.org.
(Thu, 24 Oct 2013 18:33:17 GMT)
Marked as found in versions poppler/0.18.4-6.
Request was from Pino Toscano <pino@debian.org>
to control@bugs.debian.org.
(Sun, 17 Nov 2013 17:39:08 GMT)
Added tag(s) pending.
Request was from Pino Toscano <pino@debian.org>
to control@bugs.debian.org.
(Sun, 17 Nov 2013 17:51:05 GMT)
Reply sent
to Pino Toscano <pino@debian.org>:
You have taken responsibility.
(Sun, 17 Nov 2013 18:51:10 GMT)
Notification sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug acknowledged by developer.
(Sun, 17 Nov 2013 18:51:10 GMT)
Source: poppler
Source-Version: 0.18.4-9
We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 723124@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pino Toscano <pino@debian.org> (supplier of updated poppler package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 17 Nov 2013 18:57:18 +0100
Source: poppler
Binary: libpoppler19 libpoppler-dev libpoppler-private-dev libpoppler-glib8 libpoppler-glib-dev gir1.2-poppler-0.18 libpoppler-qt4-3 libpoppler-qt4-dev libpoppler-cpp0 libpoppler-cpp-dev poppler-utils poppler-dbg
Architecture: source amd64
Version: 0.18.4-9
Distribution: unstable
Urgency: medium
Maintainer: Loic Minier <lool@dooz.org>
Changed-By: Pino Toscano <pino@debian.org>
Description:
gir1.2-poppler-0.18 - GObject introspection data for poppler-glib
libpoppler-cpp-dev - PDF rendering library -- development files (CPP interface)
libpoppler-cpp0 - PDF rendering library (CPP shared library)
libpoppler-dev - PDF rendering library -- development files
libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
libpoppler-glib8 - PDF rendering library (GLib-based shared library)
libpoppler-private-dev - PDF rendering library -- private development files
libpoppler-qt4-3 - PDF rendering library (Qt 4 based shared library)
libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 interface)
libpoppler19 - PDF rendering library
poppler-dbg - PDF rendering library -- debugging symbols
poppler-utils - PDF utilities (based on Poppler)
Closes: 723124 729064
Changes:
poppler (0.18.4-9) unstable; urgency=medium
.
* Remove the custom RPATH handling on Hurd, since the issue does not affect
the build anymore; remove the hurd-only chrpath build dependency.
* Backport upstream commits b8682d868ddf7f741e93b791588af0932893f95c (patch
upstream_pdfseparate-improve-the-path-building.patch)
and 61f79b8447c3ac8ab5a26e79e0c28053ffdccf75 (patch
upstream_Allow-only-one-d-in-the-filename.diff) to fix two string/format
issues in pdfseparate, reported as CVE-2013-4473 and CVE-2013-4474.
(Closes: #723124, #729064)
* Bump Standards-Version to 3.9.5, no changes required.
Checksums-Sha1:
893d48969e59eaad60ca4673f6c9d01488e59851 2371 poppler_0.18.4-9.dsc
36710fda504f7b86e8823348e305222cde021ad8 24755 poppler_0.18.4-9.debian.tar.gz
0ad4e4bbcfa3029710d84c526f95987b3dba86bf 921834 libpoppler19_0.18.4-9_amd64.deb
ce14fdeadcc630e2a62e4d0da1af20ddd7804119 616074 libpoppler-dev_0.18.4-9_amd64.deb
797008da14bfbe0c3527d513efef719131b9a8c7 147464 libpoppler-private-dev_0.18.4-9_amd64.deb
6c0c23cda9284de56fe7eef36330eaa0df364516 84328 libpoppler-glib8_0.18.4-9_amd64.deb
5d04546f4f09cc95b7ba4ea4214028afcc2c8c7e 162654 libpoppler-glib-dev_0.18.4-9_amd64.deb
1afe400e93046ea55f956fa43202177897ab5863 25592 gir1.2-poppler-0.18_0.18.4-9_amd64.deb
cec0cf8ff33d59bf5e02ccdfd48d983960c374e5 108544 libpoppler-qt4-3_0.18.4-9_amd64.deb
fef27852c4afddcf5f72176993119eb129fcaa8f 131660 libpoppler-qt4-dev_0.18.4-9_amd64.deb
156ae2acf24a879512cca3c3d71b69b03838f503 41304 libpoppler-cpp0_0.18.4-9_amd64.deb
90e6727d1465939961e9696b1937765d810d4383 45638 libpoppler-cpp-dev_0.18.4-9_amd64.deb
2fbc3fba8567716dc2b2b5d29bacb660502bd8af 118550 poppler-utils_0.18.4-9_amd64.deb
9f7550069092de59a972544d1678c55ebe04bd45 4915830 poppler-dbg_0.18.4-9_amd64.deb
Checksums-Sha256:
e889950434f0587b88ec9a1b5c3a86cc7b4eff83fa19dd5260e704164a17a243 2371 poppler_0.18.4-9.dsc
6ef5c4b8797ce16379abee72c2f994ae992b9facf906f59611923d6d60f84181 24755 poppler_0.18.4-9.debian.tar.gz
1b133fc7f7789b6b68b4c7a82766460cb4f397dcb2a9bc9b9335b5a87160337a 921834 libpoppler19_0.18.4-9_amd64.deb
81fe230509e5db0e22e42db73c2397c98cd550fb6f14ac75771fb169e169f157 616074 libpoppler-dev_0.18.4-9_amd64.deb
adee80c572895f2787d0439cf6fe2ee7ccb236890c264ec950cc2885674acb83 147464 libpoppler-private-dev_0.18.4-9_amd64.deb
31e32d3c3f9e56b7c9e85cbcb0269260b9d54ac8180b3fe3397bb7453c22f906 84328 libpoppler-glib8_0.18.4-9_amd64.deb
52d89e349ee23484e1ea153e0797868fb7cfa1a3a3ffd4bb81ffd78a1a8be4a4 162654 libpoppler-glib-dev_0.18.4-9_amd64.deb
bad79f5b3cf267e260e0d6eb72d964976ae6e5874797128657378720be3b4331 25592 gir1.2-poppler-0.18_0.18.4-9_amd64.deb
e66ff484709ddf2dc900a9a98708fdd4ee6816a47250ef1e59cba87d477f7f65 108544 libpoppler-qt4-3_0.18.4-9_amd64.deb
b63b7b7ed40046cdd0194743fd71629d6edd9007ea70dcb7b5c903bd055fa224 131660 libpoppler-qt4-dev_0.18.4-9_amd64.deb
b7045c43ea1da6812fc4bbb26a74a502c1fbd766fa3326f9f143211dc3fe0c2c 41304 libpoppler-cpp0_0.18.4-9_amd64.deb
4e8f0a5986d57681be15b82ddb7947f7c09c355ae6f51aef74d3f06849de21c7 45638 libpoppler-cpp-dev_0.18.4-9_amd64.deb
2fcda708330b5f27483afbf6c74cf21dd8b6d79e6dd90d85d0d03d40307dba88 118550 poppler-utils_0.18.4-9_amd64.deb
71ec69a2051c29bc948a4408061dd135ea6d58f95e8723cbad1a099bd585d811 4915830 poppler-dbg_0.18.4-9_amd64.deb
Files:
df831174ad401c4f9e70d638bba9fa11 2371 devel optional poppler_0.18.4-9.dsc
1893d142cc22abbb2a8b592fddaff9ea 24755 devel optional poppler_0.18.4-9.debian.tar.gz
c33856037a30faaa063ee9b3f0f5e243 921834 libs optional libpoppler19_0.18.4-9_amd64.deb
f645ec4a64c1535c422d1833c793f507 616074 libdevel optional libpoppler-dev_0.18.4-9_amd64.deb
57adb4b398390476dc09b5b58952d6a7 147464 libdevel optional libpoppler-private-dev_0.18.4-9_amd64.deb
bb7f7ec3996d5b3acb4d2ef2873f7943 84328 libs optional libpoppler-glib8_0.18.4-9_amd64.deb
6c364b3708f9ced6100f3dac3673a4d5 162654 libdevel optional libpoppler-glib-dev_0.18.4-9_amd64.deb
bdceedb13260c11a56f67ec221680741 25592 introspection optional gir1.2-poppler-0.18_0.18.4-9_amd64.deb
51315423380d160a354eab726843ef49 108544 libs optional libpoppler-qt4-3_0.18.4-9_amd64.deb
bd454972e60ec09e44d5ea8655cf24da 131660 libdevel optional libpoppler-qt4-dev_0.18.4-9_amd64.deb
fd9e1a302e1fa9562002dab4df2f24a9 41304 libs optional libpoppler-cpp0_0.18.4-9_amd64.deb
62cee2d034e6d476dd61ed0e3e09c7dd 45638 libdevel optional libpoppler-cpp-dev_0.18.4-9_amd64.deb
74f527a82b9d28bb694ce359b9ec9e4a 118550 utils optional poppler-utils_0.18.4-9_amd64.deb
830a15a18a308e0512e3506191f197b1 4915830 debug extra poppler-dbg_0.18.4-9_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
iD8DBQFSiQcHTNH2piB/L3oRAjEeAJ44dHeLXSOKq3VdLn4lWAJNQCnJYACdHU/W
BcVQnWK9Csp+v6nkCT9DIag=
=JXKx
-----END PGP SIGNATURE-----
Added tag(s) pending.
Request was from Pino Toscano <pino@debian.org>
to control@bugs.debian.org.
(Sat, 23 Nov 2013 22:54:15 GMT)
Message sent on
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#723124.
(Sat, 23 Nov 2013 22:54:32 GMT)
tag 723124 pending
thanks
Hello,
Bug #723124 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
http://git.debian.org/?p=pkg-freedesktop/poppler.git;a=commitdiff;h=03dc7c0
---
commit 03dc7c0c4ab7d792eecbd94234e1b46f2fbcf6c9
Author: Pino Toscano <pino@debian.org>
Date: Sun Nov 17 18:52:09 2013 +0100
fix CVE-2013-4473 and CVE-2013-4474 (#723124, #729064)
backport upstream commits b8682d868ddf7f741e93b791588af0932893f95c and
61f79b8447c3ac8ab5a26e79e0c28053ffdccf75 to fix two string/format issues
in pdfseparate
diff --git a/debian/changelog b/debian/changelog
index e23886b..bbb41f7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,12 @@ poppler (0.18.4-9) UNRELEASED; urgency=low
* Remove the custom RPATH handing on Hurd, since the issue does not affect
the build anymore; remove the hurd-only chrpath build dependency.
+ * Backport upstream commits b8682d868ddf7f741e93b791588af0932893f95c (patch
+ upstream_pdfseparate-improve-the-path-building.patch)
+ and 61f79b8447c3ac8ab5a26e79e0c28053ffdccf75 (patch
+ upstream_Allow-only-one-d-in-the-filename.diff) to fix two string/format
+ issues in pdfseparate, reported as CVE-2013-4473 and CVE-2013-4474.
+ (Closes: #723124, #729064)
-- Pino Toscano <pino@debian.org> Sun, 17 Nov 2013 18:26:58 +0100
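Review bot: the changelog entry in this hunk names two new files under debian/patches (upstream_pdfseparate-improve-the-path-building.patch and upstream_Allow-only-one-d-in-the-filename.diff), but the diff shown here touches only debian/changelog, so the commit view gives no way to confirm that the patch files and the corresponding debian/patches/series lines are present and apply to 0.18.4; include or link those files alongside the changelog change. Minor: the two patch files use different extensions (.patch vs .diff), and the entry says "two string/format issues" without stating which backport addresses which problem (the pathName overflow vs. the extra conversions in destFileName); one sentence tying each commit hash to its issue would make the security fix easier to audit from the changelog alone.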
Removed tag(s) pending.
Request was from Pino Toscano <pino@debian.org>
to control@bugs.debian.org.
(Sat, 23 Nov 2013 23:06:05 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 10 Jan 2014 07:27:26 GMT)