Debian Bug report logs - #723124
/usr/bin/pdfseparate: pdfseparate segfault based on filenames (possibly exploitable)


Package: poppler-utils; Maintainer for poppler-utils is Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>; Source for poppler-utils is src:poppler (PTS, buildd, popcon).

Reported by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Date: Mon, 16 Sep 2013 17:45:02 UTC

Severity: normal

Tags: fixed-upstream

Found in versions poppler/0.22.5-2, poppler/0.18.4-6

Fixed in version poppler/0.18.4-9

Done: Pino Toscano <pino@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.freedesktop.org/show_bug.cgi?id=69434



Report forwarded to debian-bugs-dist@lists.debian.org, dkg@fifthhorseman.net, Loic Minier <lool@dooz.org>:
Bug#723124; Package poppler-utils. (Mon, 16 Sep 2013 17:45:06 GMT)


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
New Bug report received and forwarded. Copy sent to dkg@fifthhorseman.net, Loic Minier <lool@dooz.org>. (Mon, 16 Sep 2013 17:45:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: /usr/bin/pdfseparate: pdfseparate segfault based on filenames (possibly exploitable)
Date: Mon, 16 Sep 2013 13:42:00 -0400
Package: poppler-utils
Version: 0.22.5-2
Severity: normal
File: /usr/bin/pdfseparate

utils/pdfseparate.cc appears to invoke sprintf directly on user-passed
data without cleaning or verifying it.

bool extractPages (const char *srcFileName, const char *destFileName) {
  char pathName[1024];
  /* ... */
  sprintf (pathName, destFileName, pageNo);

This means that an attacker able to control the arguments passed to
pdfseparate, and who can make one of the arguments a multipage pdf,
can probably smash the stack.

A) they could provide a srcFileName long enough to overflow pathName.
   This will write to arbitrary memory.

B) they could provide a destFileName with other sprintf placeholders
   besides %d, which would effectively be invoked while pointing to
   uninitialized memory.

easy segfault:

 pdfseparate multipage.pdf test-%s-%d.pdf

I haven't tried to turn this into an exploit, but I'm sure someone
with more time, patience, and cleverness than me could do so.

     --dkg

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11-rc4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages poppler-utils depends on:
ii  libc6         2.17-92+b1
ii  libcairo2     1.12.14-4
ii  libfreetype6  2.4.9-1.1
ii  liblcms2-2    2.2+git20110628-2.2
ii  libpoppler37  0.22.5-2
ii  libstdc++6    4.8.1-2
ii  zlib1g        1:1.2.8.dfsg-1

poppler-utils recommends no packages.

poppler-utils suggests no packages.

-- debconf-show failed



Information forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>:
Bug#723124; Package poppler-utils. (Mon, 16 Sep 2013 18:03:12 GMT)


Acknowledgement sent to 723124@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>. (Mon, 16 Sep 2013 18:03:12 GMT)


Message #10 received at 723124@bugs.debian.org:

From: Pino Toscano <pino@debian.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 723124@bugs.debian.org
Subject: Re: Bug#723124: /usr/bin/pdfseparate: pdfseparate segfault based on filenames (possibly exploitable)
Date: Mon, 16 Sep 2013 20:00:25 +0200
Hi,

On Monday 16 September 2013 13:42:00, you wrote:
> Package: poppler-utils
> Version: 0.22.5-2
> Severity: normal
> File: /usr/bin/pdfseparate
> 
> utils/pdfseparate.cc appears to invoke sprintf directly on user-passed
> data without cleaning or verifying it.
> 
> bool extractPages (const char *srcFileName, const char *destFileName)
> { char pathName[1024];
>  /* ... */
>    sprintf (pathName, destFileName, pageNo);
> 
> This means that an attacker able to control the arguments passed to
> pdfseparate, and who can make one of the arguments a multipage pdf,
> can probably smash the stack.
> 
> A) they could provide a srcFileName long enough to overflow pathName.
>    this will write to arbitrary memory.

Incidentally, I looked at that code as a result of your #723121, just to 
check whether the development version still had that lack; I spotted 
this issue too and just fixed it upstream in b8682d8 [1], which will be 
part of poppler 0.24.2.
I could backport it to 0.22.x.

[1] b8682d868ddf7f741e93b791588af0932893f95c

> B) they could provide a destFileName with other sprintf placeholders
>    besides %d, which would effectively be invoked while pointing to
>    uninitialized memory.
> 
> easy segfault:
> 
>  pdfseparate multipage.pdf test-%s-%d.pdf

Would it be possible to report this upstream?
https://bugs.freedesktop.org, product "poppler" and component "utils".

Thanks for your reports,
-- 
Pino Toscano
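The defect dkg's report describes and Pino's reply says upstream fixed is a caller-supplied string used directly as the sprintf format, written into a fixed 1024-byte stack buffer. The defensive shape of a fix has two parts: reject any destination template that does not contain exactly one %d, and never hand the template to a printf-family function at all, so that even a template that slips through cannot pull arguments off the stack, while the page number is written with a bounded snprintf. The C below is an added example written for this page; it is not poppler's code and not upstream commit b8682d8 or 61f79b8, and its acceptance of "%%" as an escaped literal percent sign is an assumption of the example rather than something the page states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Accept a destination template only if it holds exactly one "%d".
 * "%%" is taken as a literal percent sign (an assumption of this example);
 * any other '%' sequence, a second "%d", or no "%d" at all is rejected.
 * Returns the offset of the "%d" directive, or -1 if not acceptable. */
static int find_single_page_directive(const char *tmpl)
{
    int directive = -1;

    for (size_t i = 0; tmpl[i] != '\0'; i++) {
        if (tmpl[i] != '%')
            continue;
        if (tmpl[i + 1] == '%') {           /* "%%": literal percent */
            i++;
            continue;
        }
        if (tmpl[i + 1] == 'd' && directive < 0) {
            directive = (int)i;             /* the one permitted "%d" */
            i++;
            continue;
        }
        return -1;  /* "%s", "%n", a second "%d", or a trailing '%' */
    }
    return directive;
}

bool template_is_safe(const char *tmpl)
{
    return find_single_page_directive(tmpl) >= 0;
}

/* Build "<prefix><pageNo><suffix>" into out[0..cap). The template is copied
 * byte by byte and is never used as a format string; the only formatted
 * value is the integer page number, written with a bounded snprintf.
 * Returns the length written (without the NUL), or -1 if the template is
 * invalid or the result would not fit in cap bytes. */
int build_page_path(char *out, size_t cap, const char *tmpl, int pageNo)
{
    int at = find_single_page_directive(tmpl);
    size_t o = 0;

    if (at < 0 || cap == 0)
        return -1;

    for (size_t i = 0; tmpl[i] != '\0'; i++) {
        if ((int)i == at) {
            int n = snprintf(out + o, cap - o, "%d", pageNo);
            if (n < 0 || (size_t)n >= cap - o)
                return -1;                  /* truncated: refuse, don't clip */
            o += (size_t)n;
            i++;                            /* skip the 'd' */
            continue;
        }
        if (tmpl[i] == '%')
            i++;                            /* "%%" collapses to '%' */
        if (o + 1 >= cap)                   /* keep room for the NUL */
            return -1;
        out[o++] = tmpl[i];
    }
    out[o] = '\0';
    return (int)o;
}

/* Helper for checks: build into a buffer of the requested capacity and
 * compare with the expected result (NULL means "must be rejected"). */
bool build_matches(const char *tmpl, int pageNo, size_t cap, const char *expected)
{
    char buf[256];
    int n;

    if (cap > sizeof buf)
        return false;
    n = build_page_path(buf, cap, tmpl, pageNo);
    if (expected == NULL)
        return n < 0;
    return n == (int)strlen(expected) && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample templates: the report's crashing one plus two more. */
    const char *templates[] = { "test-%s-%d.pdf", "page-%d.pdf", "%d%d.pdf" };
    char path[1024];

    for (size_t i = 0; i < sizeof templates / sizeof templates[0]; i++) {
        int n = build_page_path(path, sizeof path, templates[i], 3);
        if (n < 0)
            printf("%-16s rejected\n", templates[i]);
        else
            printf("%-16s -> %s\n", templates[i], path);
    }
    return 0;
}
```

Two design points matter here: rejecting a truncated result instead of silently clipping it avoids writing pages to an unexpected file name, and validating before building means a template such as the report's test-%s-%d.pdf is refused with a clear error rather than reaching any formatting call.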

Set Bug forwarded-to-address to 'https://bugs.freedesktop.org/show_bug.cgi?id=69434'. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to control@bugs.debian.org. (Mon, 16 Sep 2013 18:30:07 GMT)


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 24 Oct 2013 18:33:17 GMT)


Marked as found in versions poppler/0.18.4-6. Request was from Pino Toscano <pino@debian.org> to control@bugs.debian.org. (Sun, 17 Nov 2013 17:39:08 GMT)


Added tag(s) pending. Request was from Pino Toscano <pino@debian.org> to control@bugs.debian.org. (Sun, 17 Nov 2013 17:51:05 GMT)


Reply sent to Pino Toscano <pino@debian.org>:
You have taken responsibility. (Sun, 17 Nov 2013 18:51:10 GMT)


Notification sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug acknowledged by developer. (Sun, 17 Nov 2013 18:51:10 GMT)


Message #23 received at 723124-close@bugs.debian.org:

From: Pino Toscano <pino@debian.org>
To: 723124-close@bugs.debian.org
Subject: Bug#723124: fixed in poppler 0.18.4-9
Date: Sun, 17 Nov 2013 18:48:50 +0000
Source: poppler
Source-Version: 0.18.4-9

We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 723124@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pino Toscano <pino@debian.org> (supplier of updated poppler package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 17 Nov 2013 18:57:18 +0100
Source: poppler
Binary: libpoppler19 libpoppler-dev libpoppler-private-dev libpoppler-glib8 libpoppler-glib-dev gir1.2-poppler-0.18 libpoppler-qt4-3 libpoppler-qt4-dev libpoppler-cpp0 libpoppler-cpp-dev poppler-utils poppler-dbg
Architecture: source amd64
Version: 0.18.4-9
Distribution: unstable
Urgency: medium
Maintainer: Loic Minier <lool@dooz.org>
Changed-By: Pino Toscano <pino@debian.org>
Description: 
 gir1.2-poppler-0.18 - GObject introspection data for poppler-glib
 libpoppler-cpp-dev - PDF rendering library -- development files (CPP interface)
 libpoppler-cpp0 - PDF rendering library (CPP shared library)
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
 libpoppler-glib8 - PDF rendering library (GLib-based shared library)
 libpoppler-private-dev - PDF rendering library -- private development files
 libpoppler-qt4-3 - PDF rendering library (Qt 4 based shared library)
 libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 interface)
 libpoppler19 - PDF rendering library
 poppler-dbg - PDF rendering library -- debugging symbols
 poppler-utils - PDF utilities (based on Poppler)
Closes: 723124 729064
Changes: 
 poppler (0.18.4-9) unstable; urgency=medium
 .
   * Remove the custom RPATH handling on Hurd, since the issue does not affect
     the build anymore; remove the hurd-only chrpath build dependency.
   * Backport upstream commits b8682d868ddf7f741e93b791588af0932893f95c (patch
     upstream_pdfseparate-improve-the-path-building.patch)
     and 61f79b8447c3ac8ab5a26e79e0c28053ffdccf75 (patch
     upstream_Allow-only-one-d-in-the-filename.diff) to fix two string/format
     issues in pdfseparate, reported as CVE-2013-4473 and CVE-2013-4474.
     (Closes: #723124, #729064)
   * Bump Standards-Version to 3.9.5, no changes required.
Checksums-Sha1: 
 893d48969e59eaad60ca4673f6c9d01488e59851 2371 poppler_0.18.4-9.dsc
 36710fda504f7b86e8823348e305222cde021ad8 24755 poppler_0.18.4-9.debian.tar.gz
 0ad4e4bbcfa3029710d84c526f95987b3dba86bf 921834 libpoppler19_0.18.4-9_amd64.deb
 ce14fdeadcc630e2a62e4d0da1af20ddd7804119 616074 libpoppler-dev_0.18.4-9_amd64.deb
 797008da14bfbe0c3527d513efef719131b9a8c7 147464 libpoppler-private-dev_0.18.4-9_amd64.deb
 6c0c23cda9284de56fe7eef36330eaa0df364516 84328 libpoppler-glib8_0.18.4-9_amd64.deb
 5d04546f4f09cc95b7ba4ea4214028afcc2c8c7e 162654 libpoppler-glib-dev_0.18.4-9_amd64.deb
 1afe400e93046ea55f956fa43202177897ab5863 25592 gir1.2-poppler-0.18_0.18.4-9_amd64.deb
 cec0cf8ff33d59bf5e02ccdfd48d983960c374e5 108544 libpoppler-qt4-3_0.18.4-9_amd64.deb
 fef27852c4afddcf5f72176993119eb129fcaa8f 131660 libpoppler-qt4-dev_0.18.4-9_amd64.deb
 156ae2acf24a879512cca3c3d71b69b03838f503 41304 libpoppler-cpp0_0.18.4-9_amd64.deb
 90e6727d1465939961e9696b1937765d810d4383 45638 libpoppler-cpp-dev_0.18.4-9_amd64.deb
 2fbc3fba8567716dc2b2b5d29bacb660502bd8af 118550 poppler-utils_0.18.4-9_amd64.deb
 9f7550069092de59a972544d1678c55ebe04bd45 4915830 poppler-dbg_0.18.4-9_amd64.deb
Checksums-Sha256: 
 e889950434f0587b88ec9a1b5c3a86cc7b4eff83fa19dd5260e704164a17a243 2371 poppler_0.18.4-9.dsc
 6ef5c4b8797ce16379abee72c2f994ae992b9facf906f59611923d6d60f84181 24755 poppler_0.18.4-9.debian.tar.gz
 1b133fc7f7789b6b68b4c7a82766460cb4f397dcb2a9bc9b9335b5a87160337a 921834 libpoppler19_0.18.4-9_amd64.deb
 81fe230509e5db0e22e42db73c2397c98cd550fb6f14ac75771fb169e169f157 616074 libpoppler-dev_0.18.4-9_amd64.deb
 adee80c572895f2787d0439cf6fe2ee7ccb236890c264ec950cc2885674acb83 147464 libpoppler-private-dev_0.18.4-9_amd64.deb
 31e32d3c3f9e56b7c9e85cbcb0269260b9d54ac8180b3fe3397bb7453c22f906 84328 libpoppler-glib8_0.18.4-9_amd64.deb
 52d89e349ee23484e1ea153e0797868fb7cfa1a3a3ffd4bb81ffd78a1a8be4a4 162654 libpoppler-glib-dev_0.18.4-9_amd64.deb
 bad79f5b3cf267e260e0d6eb72d964976ae6e5874797128657378720be3b4331 25592 gir1.2-poppler-0.18_0.18.4-9_amd64.deb
 e66ff484709ddf2dc900a9a98708fdd4ee6816a47250ef1e59cba87d477f7f65 108544 libpoppler-qt4-3_0.18.4-9_amd64.deb
 b63b7b7ed40046cdd0194743fd71629d6edd9007ea70dcb7b5c903bd055fa224 131660 libpoppler-qt4-dev_0.18.4-9_amd64.deb
 b7045c43ea1da6812fc4bbb26a74a502c1fbd766fa3326f9f143211dc3fe0c2c 41304 libpoppler-cpp0_0.18.4-9_amd64.deb
 4e8f0a5986d57681be15b82ddb7947f7c09c355ae6f51aef74d3f06849de21c7 45638 libpoppler-cpp-dev_0.18.4-9_amd64.deb
 2fcda708330b5f27483afbf6c74cf21dd8b6d79e6dd90d85d0d03d40307dba88 118550 poppler-utils_0.18.4-9_amd64.deb
 71ec69a2051c29bc948a4408061dd135ea6d58f95e8723cbad1a099bd585d811 4915830 poppler-dbg_0.18.4-9_amd64.deb
Files: 
 df831174ad401c4f9e70d638bba9fa11 2371 devel optional poppler_0.18.4-9.dsc
 1893d142cc22abbb2a8b592fddaff9ea 24755 devel optional poppler_0.18.4-9.debian.tar.gz
 c33856037a30faaa063ee9b3f0f5e243 921834 libs optional libpoppler19_0.18.4-9_amd64.deb
 f645ec4a64c1535c422d1833c793f507 616074 libdevel optional libpoppler-dev_0.18.4-9_amd64.deb
 57adb4b398390476dc09b5b58952d6a7 147464 libdevel optional libpoppler-private-dev_0.18.4-9_amd64.deb
 bb7f7ec3996d5b3acb4d2ef2873f7943 84328 libs optional libpoppler-glib8_0.18.4-9_amd64.deb
 6c364b3708f9ced6100f3dac3673a4d5 162654 libdevel optional libpoppler-glib-dev_0.18.4-9_amd64.deb
 bdceedb13260c11a56f67ec221680741 25592 introspection optional gir1.2-poppler-0.18_0.18.4-9_amd64.deb
 51315423380d160a354eab726843ef49 108544 libs optional libpoppler-qt4-3_0.18.4-9_amd64.deb
 bd454972e60ec09e44d5ea8655cf24da 131660 libdevel optional libpoppler-qt4-dev_0.18.4-9_amd64.deb
 fd9e1a302e1fa9562002dab4df2f24a9 41304 libs optional libpoppler-cpp0_0.18.4-9_amd64.deb
 62cee2d034e6d476dd61ed0e3e09c7dd 45638 libdevel optional libpoppler-cpp-dev_0.18.4-9_amd64.deb
 74f527a82b9d28bb694ce359b9ec9e4a 118550 utils optional poppler-utils_0.18.4-9_amd64.deb
 830a15a18a308e0512e3506191f197b1 4915830 debug extra poppler-dbg_0.18.4-9_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iD8DBQFSiQcHTNH2piB/L3oRAjEeAJ44dHeLXSOKq3VdLn4lWAJNQCnJYACdHU/W
BcVQnWK9Csp+v6nkCT9DIag=
=JXKx
-----END PGP SIGNATURE-----




Added tag(s) pending. Request was from Pino Toscano <pino@debian.org> to control@bugs.debian.org. (Sat, 23 Nov 2013 22:54:15 GMT)


Message sent on to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#723124. (Sat, 23 Nov 2013 22:54:32 GMT)


Message #28 received at 723124-submitter@bugs.debian.org:

From: Pino Toscano <pino@debian.org>
To: 723124-submitter@bugs.debian.org
Subject: Bug#723124 marked as pending
Date: Sat, 23 Nov 2013 22:50:52 +0000
tag 723124 pending
thanks

Hello,

Bug #723124 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=pkg-freedesktop/poppler.git;a=commitdiff;h=03dc7c0

---
commit 03dc7c0c4ab7d792eecbd94234e1b46f2fbcf6c9
Author: Pino Toscano <pino@debian.org>
Date:   Sun Nov 17 18:52:09 2013 +0100

    fix CVE-2013-4473 and CVE-2013-4474 (#723124,  #729064)
    
    backport upstream commits b8682d868ddf7f741e93b791588af0932893f95c and
    61f79b8447c3ac8ab5a26e79e0c28053ffdccf75 to fix two string/format issues
    in pdfseparate

diff --git a/debian/changelog b/debian/changelog
index e23886b..bbb41f7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,12 @@ poppler (0.18.4-9) UNRELEASED; urgency=low
 
   * Remove the custom RPATH handing on Hurd, since the issue does not affect
     the build anymore; remove the hurd-only chrpath build dependency.
+  * Backport upstream commits b8682d868ddf7f741e93b791588af0932893f95c (patch
+    upstream_pdfseparate-improve-the-path-building.patch)
+    and 61f79b8447c3ac8ab5a26e79e0c28053ffdccf75 (patch
+    upstream_Allow-only-one-d-in-the-filename.diff) to fix two string/format
+    issues in pdfseparate, reported as CVE-2013-4473 and CVE-2013-4474.
+    (Closes: #723124,  #729064)
 
  -- Pino Toscano <pino@debian.org>  Sun, 17 Nov 2013 18:26:58 +0100
 
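Review bot: the hunk header still carries `poppler (0.18.4-9) UNRELEASED; urgency=low`, while the upload announcement for this same version earlier in this log records `Distribution: unstable` and `Urgency: medium`; the release commit has to flip both fields in the changelog stanza, otherwise the entry that ships with CVE-2013-4473 and CVE-2013-4474 is tagged with a lower urgency than the fix warrants. Minor: the added `(Closes: #723124,  #729064)` line has a double space between the two bug numbers.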



Removed tag(s) pending. Request was from Pino Toscano <pino@debian.org> to control@bugs.debian.org. (Sat, 23 Nov 2013 23:06:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Jan 2014 07:27:26 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 09:07:09 2025; Machine Name: buxtehude
