Bug 847907 - (CVE-2013-4472) VUL-0: CVE-2013-4472 CVE-2013-4473 CVE-2013-4474: poppler: 3 security issues
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium Severity: Normal
Target Milestone: ---
Assigned To: Bjørn Lie
QA Contact: Security Team bot
Depends on:
Blocks:
Reported: 2013-10-28 15:40 UTC by Marcus Meissner
Modified: 2019-11-08 01:11 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2013-10-28 15:40:00 UTC
via oss-sec

http://comments.gmane.org/gmane.comp.security.oss.general/11380

From: Pedro Ribeiro <pedrib@gmail.com>
Date: Sat, 26 Oct 2013 21:45:56 +0100
Subject: [oss-security] CVE request: 3 vulnerabilities in poppler and 1 in Xpdf

Hi,

There are 3 vulnerabilities in poppler and 1 in Xpdf that need CVE
attention. Can you please provide CVE's for the following?

- Race condition on temporary file (Windows) / Insecure temporary file
(other non-Unix OS's), affecting poppler and Xpdf (reported by Pedro
Ribeiro, unfixed in poppler, unfixed in Xpdf) -> Not sure if this is
one or two vulnerabilities?

- Stack based buffer overflow, affecting poppler in the utils section
(reported by Daniel Kahn Gillmor, fixed in poppler 0.24.2)

- User controlled format string, affecting poppler in the utils
section (reported by Daniel Kahn Gillmor and Pedro Ribeiro, fixed in
poppler 0.24.3)

Note that the poppler maintainers are aware of the unfixed issue. Xpdf
upstream appears to be dead since 2011 so I have not attempted to
contact them.

Details on the vulnerabilities are below.

The first vulnerability is use of insecure temporary file for non-Unix
OS's. As per the code comments, the maintainers are aware of this and
welcome patches from anyone who knows of a better way to create temp
files in Windows / other OS's.
I have also checked Xpdf and the same vulnerable code is present, so
the bug must be pretty old and all releases of poppler since forking
from Xpdf should be affected.
======================================================================
Vulnerability: Race condition on temporary file access / Insecure
Temporary File (CWE-363 / CWE-377)
Filename(line): poppler-0.24.2/goo/gfile.cc(340-395)
Code snippet:

There is a race condition and use of an insecure temporary file in the
openTempFile function that enables an attacker to replace the temporary
file with a symlink of his/her choosing. This only happens on non-Unix
OS's (old MacOS, Windows, etc).

GBool openTempFile(GooString **name, FILE **f, const char *mode) {
#if defined(_WIN32)
  //---------- Win32 ----------
  char *tempDir;
  GooString *s, *s2;
  FILE *f2;
  int t, i;

  // this has the standard race condition problem, but I haven't found
  // a better way to generate temp file names with extensions on
  // Windows
  if ((tempDir = getenv("TEMP"))) {
    s = new GooString(tempDir);
    s->append('\\');
  } else {
    s = new GooString();
  }
  s->appendf("x_{0:d}_{1:d}_",
    (int)GetCurrentProcessId(), (int)GetCurrentThreadId());
  t = (int)time(NULL);
  for (i = 0; i < 1000; ++i) {
    s2 = s->copy()->appendf("{0:d}", t + i);
    if (!(f2 = fopen(s2->getCString(), "r"))) {
      if (!(f2 = fopen(s2->getCString(), mode))) {
        delete s2;
        delete s;
        return gFalse;
      }
      *name = s2;
      *f = f2;
      delete s;
      return gTrue;
    }
    fclose(f2);
    delete s2;
  }
  delete s;
  return gFalse;
#elif defined(VMS) || defined(__EMX__) || defined(ACORN) || defined(MACOS)
  //---------- non-Unix ----------
  char *s;

  // There is a security hole here: an attacker can create a symlink
  // with this file name after the tmpnam call and before the fopen
  // call.  I will happily accept fixes to this function for non-Unix
  // OSs.
  if (!(s = tmpnam(NULL))) {
    return gFalse;
  }
  *name = new GooString(s);
  if (!(*f = fopen((*name)->getCString(), mode))) {
    delete (*name);
    *name = NULL;
    return gFalse;
  }
  return gTrue;

======================================================================


The second vulnerability is a buffer overflow in the pdfseparate
utility, and was reported by Daniel Kahn Gillmor. The buffer overflow
was fixed in poppler 0.24.2 as per commit in [1].

The third vulnerability is a user controlled format string, which was
reported by Daniel Kahn Gillmor and Pedro Ribeiro separately to the
poppler maintainers. This vulnerability was fixed in poppler 0.24.3 as
per the commit in [2].

More details on the format string are below:
======================================================================
Vulnerability: Uncontrolled format string (CWE-124)
Filename(line): poppler-0.24.2/utils/pdfseparate.cc(70)
Code snippet:

bool extractPages (const char *srcFileName, const char *destFileName) {
  char pathName[4096];
  GooString *gfileName = new GooString (srcFileName);
  PDFDoc *doc = new PDFDoc (gfileName, NULL, NULL, NULL);

...

  if (firstPage != lastPage && strstr(destFileName, "%d") == NULL) {
    error(errSyntaxError, -1, "'{0:s}' must contain '%%d' if more than one page should be extracted", destFileName);
    return false;
  }
  for (int pageNo = firstPage; pageNo <= lastPage; pageNo++) {
    snprintf (pathName, sizeof (pathName) - 1, destFileName, pageNo);
^ function parameter passed as format string

The function is called by main in line 110 directly passing the arguments:
ok = extractPages (argv[1], argv[2]);
^ destFileName parameter

PoC:
./pdfseparate -f 1 -l 1 aPdfFile.pdf "%x%x%x%x%x%x%n"

======================================================================

Regards,
Pedro

[1] http://cgit.freedesktop.org/poppler/poppler/diff/utils/pdfseparate.cc?id=b8682d868ddf7f741e93b
[2] http://cgit.freedesktop.org/poppler/poppler/commit/?id=61f79b8447c3ac8ab5a26e79e0c28053ffdccf75
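The two pdfseparate issues described above (CVE-2013-4474, the argv-controlled format string passed to snprintf, and CVE-2013-4473, the output name overflowing the fixed pathName buffer) share one root cause: user text is handed to the formatting function. The following is an added example, not poppler's own fix, of a hypothetical hardened path builder that validates the destination template and never uses it as a format string; the function names and status codes are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status codes for this hypothetical hardened path builder (not poppler's code). */
enum path_status { PATH_OK = 0, PATH_BAD_TEMPLATE = 1, PATH_TOO_LONG = 2 };

/* Accept only templates made of literal text, "%%" and (when the caller
 * needs one) exactly one "%d"; "%x", "%n" and friends are rejected up front. */
static bool template_is_safe(const char *tmpl, bool need_page_number) {
    int page_conversions = 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;               /* escaped literal '%' */
        if (*p == 'd') { page_conversions++; continue; }
        return false;                          /* any other or dangling conversion */
    }
    return need_page_number ? page_conversions == 1 : page_conversions == 0;
}

/* Expand the template into out[] without ever handing user data to snprintf
 * as a format: text is copied byte by byte and the single %d is rendered with
 * a fixed format. Every write is bounded by outsz, so an oversized name
 * reports PATH_TOO_LONG instead of overflowing the caller's buffer. */
enum path_status build_output_path(char *out, size_t outsz, const char *tmpl,
                                   int page_no, bool need_page_number) {
    if (outsz == 0) return PATH_TOO_LONG;
    if (!template_is_safe(tmpl, need_page_number)) return PATH_BAD_TEMPLATE;
    size_t used = 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p == '%' && *++p == 'd') {
            int n = snprintf(out + used, outsz - used, "%d", page_no);
            if (n < 0 || (size_t)n >= outsz - used) return PATH_TOO_LONG;
            used += (size_t)n;
            continue;
        }
        /* "%%" arrives here with p on the second '%', so one '%' is emitted */
        if (used + 1 >= outsz) return PATH_TOO_LONG;
        out[used++] = *p;
    }
    out[used] = '\0';
    return PATH_OK;
}
```

A caller would pass need_page_number as (firstPage != lastPage), mirroring the existing "%d" presence check, and refuse to write anything when the result is not PATH_OK.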
Comment 1 Marcus Meissner 2013-10-29 07:54:00 UTC
Kurt assigned:

> - Race condition on temporary file (Windows) / Insecure temporary
> file (other non-Unix OS's), affecting poppler and Xpdf (reported by
> Pedro Ribeiro, unfixed in poppler, unfixed in Xpdf) -> Not sure if
> this is one or two vulnerabilities?

Please use CVE-2013-4472 for the Race condition on temporary file

> - Stack based buffer overflow, affecting poppler in the utils
> section (reported by Daniel Kahn Gillmor, fixed in poppler 0.24.2)

Please use CVE-2013-4473 for the Stack based buffer overflow

> - User controlled format string, affecting poppler in the utils 
> section (reported by Daniel Kahn Gillmor and Pedro Ribeiro, fixed
> in poppler 0.24.3)

Please use CVE-2013-4474 for the User controlled format string
Comment 2 Marcus Meissner 2013-10-29 08:09:29 UTC
opensuse 12.2:

two CVEs are in the pdfseparate tool and get caught by FORTIFY_SOURCE

CVE-2013-4474:
pdfseparate -f 1 -l 1 MTP_Enhanced.pdf "%x%x%x%x%x%x%n"
*** %n in writable segment detected ***
Aborted
 (FORTIFY_SOURCE)

CVE-2013-4473:
pdfseparate -f 1 -l 1 MTP_Enhanced.pdf `perl -e 'print "a" x 2048;'`  
*** buffer overflow detected ***: pdfseparate terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7fafc77849d7]
/lib64/libc.so.6(+0xf7af0)[0x7fafc7782af0]
/lib64/libc.so.6(+0xf6f79)[0x7fafc7781f79]
/lib64/libc.so.6(_IO_default_xsputn+0x89)[0x7fafc7701349]
(FORTIFY_SOURCE)
Comment 3 Marcus Meissner 2013-10-29 10:29:30 UTC
Also CVE-2013-4472 does not affect Linux.

pdfextract is not in SLES 11 poppler (was added in a later poppler version).


So only openSUSE is affected, not SLE.


As fortify source captures this nicely, an update is not strictly required.
Comment 4 Swamp Workflow Management 2013-10-29 23:00:10 UTC
bugbot adjusting priority
Comment 5 Bjørn Lie 2015-01-26 12:01:07 UTC
Update was not really needed, and release out of support, closing
Comment 6 Swamp Workflow Management 2019-10-16 12:51:18 UTC
This is an autogenerated message for OBS integration:
This bug (847907) was mentioned in
https://build.opensuse.org/request/show/738876 Backports:SLE-15-SP1 / poppler-qt5
Comment 7 Swamp Workflow Management 2019-11-06 11:11:11 UTC
This is an autogenerated message for OBS integration:
This bug (847907) was mentioned in
https://build.opensuse.org/request/show/745853 Backports:SLE-15-SP1 / poppler-qt5
Comment 8 Swamp Workflow Management 2019-11-08 01:11:25 UTC
This is an autogenerated message for OBS integration:
This bug (847907) was mentioned in
https://build.opensuse.org/request/show/746440 Backports:SLE-15-SP1 / poppler-qt5