Bug 69434 - segmentation fault (and probable stack smashing) in pdfseparate
Summary: segmentation fault (and probable stack smashing) in pdfseparate
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: utils (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-09-16 18:25 UTC by Daniel Kahn Gillmor
Modified: 2013-10-23 23:06 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Attachments

Description Daniel Kahn Gillmor 2013-09-16 18:25:49 UTC
originally reported at http://bugs.debian.org/723124 --

utils/pdfseparate.cc appears to invoke sprintf directly on user-passed
data without cleaning or verifying it.

bool extractPages (const char *srcFileName, const char *destFileName) {
  char pathName[1024];
 /* ... */
   sprintf (pathName, destFileName, pageNo);

This means that an attacker able to control the arguments passed to
pdfseparate, and who can make one of the arguments a multipage pdf,
can probably smash the stack.

A) they could provide a srcFileName long enough to overflow pathName.
   this will write to arbitrary memory.

B) they could provide a destFileName with other sprintf placeholders
   besides %d, which would effectively be invoked while pointing to
   uninitialized memory.

easy segfault:

 pdfseparate multipage.pdf test-%s-%d.pdf

I haven't tried to turn this into an exploit, but i'm sure someone
with more time, patience, and cleverness than me could do so.
Comment 1 Pino Toscano 2013-09-16 18:48:33 UTC
(In reply to comment #0)
> A) they could provide a srcFileName long enough to overflow pathName.
>    this will write to arbitrary memory.

This has been fixed by me in b8682d868ddf7f741e93b791588af0932893f95c.
Comment 2 Albert Astals Cid 2013-09-25 18:36:33 UTC
About B) I know it's fun, but I mean, someone is already running a command line application into your computer, I think they have easier ways to exploit you than finding a way to make pdfseparate crash, no?
Comment 3 Daniel Kahn Gillmor 2013-09-25 18:45:37 UTC
Alas, web applications often invoke command-line tools that do "reasonable" things (like splitting a PDF), and they invoke them sometimes in "reasonable" ways (e.g. by providing the name of an uploaded file with a suffix as an argument).

We can argue about whether these things are actually "reasonable", but people will still do them, and pdfseparate probably shouldn't crash or execute arbitrary code in the meantime.
Comment 4 Albert Astals Cid 2013-09-25 18:52:18 UTC
Well, I guess it should not be that hard to write a check that there is no other % than one %d and pairs of %%. Anyone up to the task?
Comment 5 Albert Astals Cid 2013-10-23 23:06:11 UTC
will be fixed in next vesion


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.