'Re: [oss-security] CVE request: 3 vulnerabilities in poppler and 1 in Xpdf'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE request: 3 vulnerabilities in poppler and 1 in Xpdf
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-10-29 2:40:51
Message-ID: 526F2033.1000209 () redhat ! com
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/26/2013 02:45 PM, Pedro Ribeiro wrote:
> Hi,
> 
> There are 3 vulnerabilities in poppler and 1 in Xpdf that need CVE 
> attention. Can you please provide CVE's for the following?
> 
> - Race condition on temporary file (Windows) / Insecure temporary
> file (other non-Unix OS's), affecting poppler and Xpdf (reported by
> Pedro Ribeiro, unfixed in poppler, unfixed in Xpdf) -> Not sure if
> this is one or two vulnerabilities?

Please use CVE-2013-4472 for the Race condition on temporary file

> - Stack based buffer overflow, affecting poppler in the utils
> section (reported by Daniel Kahn Gillmor, fixed in poppler 0.24.2)

Please use CVE-2013-4473 for the Stack based buffer overflow

> - User controlled format string, affecting poppler in the utils 
> section (reported by Daniel Kahn Gillmor and Pedro Ribeiro, fixed
> in poppler 0.24.3)

Please use CVE-2013-4474 for the User controlled format string

> Note that the poppler maintainers are aware of the unfixed issue.
> Xpdf upstream appears to be dead since 2011 so I have not attempted
> to contact them.
> 
> Details on the vulnerabilities are below.
> 
> The first vulnerability is use of insecure temporary file for
> non-Unix OS's. As per the code comments, the maintainers are aware
> of this and welcome patches from anyone who knows of a better way
> to create temp files in Windows / other OS's. I have also checked
> Xpdf and the same vulnerable code is present, so the bug must be
> pretty old and all releases of poppler since forking from Xpdf
> should be affected. 
> ======================================================================
>
> 
Vulnerability: Race condition on temporary file access / Insecure
> Temporary File (CWE-363 / CWE-377) Filename(line):
> poppler-0.24.2/goo/gfile.cc(340-395) Code snippet:
> 
> There is a race condition and use of a insecure temporary file in
> the openTempFile function that enables an attacker to replace the
> temporary file with a symlink of his/her choosing. This only
> happens on non-Unix OS's (old MacOS, Windows, etc).
> 
> GBool openTempFile(GooString **name, FILE **f, const char *mode) { 
> #if defined(_WIN32) //---------- Win32 ---------- char *tempDir; 
> GooString *s, *s2; FILE *f2; int t, i;
> 
> // this has the standard race condition problem, but I haven't
> found // a better way to generate temp file names with extensions
> on // Windows if ((tempDir = getenv("TEMP"))) { s = new
> GooString(tempDir); s->append('\\'); } else { s = new GooString(); 
> } s->appendf("x_{0:d}_{1:d}_", (int)GetCurrentProcessId(),
> (int)GetCurrentThreadId()); t = (int)time(NULL); for (i = 0; i <
> 1000; ++i) { s2 = s->copy()->appendf("{0:d}", t + i); if (!(f2 =
> fopen(s2->getCString(), "r"))) { if (!(f2 = fopen(s2->getCString(),
> mode))) { delete s2; delete s; return gFalse; } *name = s2; *f =
> f2; delete s; return gTrue; } fclose(f2); delete s2; } delete s; 
> return gFalse; #elif defined(VMS) || defined(__EMX__) ||
> defined(ACORN) || defined(MACOS) //---------- non-Unix ---------- 
> char *s;
> 
> // There is a security hole here: an attacker can create a symlink 
> // with this file name after the tmpnam call and before the fopen 
> // call.  I will happily accept fixes to this function for
> non-Unix // OSs. if (!(s = tmpnam(NULL))) { return gFalse; } *name
> = new GooString(s); if (!(*f = fopen((*name)->getCString(), mode)))
> { delete (*name); *name = NULL; return gFalse; } return gTrue;
> 
> ======================================================================
>
> 
> 
> The second vulnerability is a buffer overflow in the pdfseparate 
> utility, and was reported by Daniel Kahn Gillmor. The buffer
> overflow was fixed in poppler 0.24.2 as per commit in [1].
> 
> The third vulnerability user controlled format string, which was 
> reported by Daniel Kahn Gillmor and Pedro Ribeiro separately to
> the poppler maintainers. This vulnerability was fixed on poppler
> 0.24.3 as per the commit in [2].
> 
> More details on the format string are below: 
> ======================================================================
>
> 
Vulnerability: Uncontrolled format string (CWE-124)
> Filename(line): poppler-0.24.2/utils/pdfseparate.cc(70) Code
> snippet:
> 
> bool extractPages (const char *srcFileName, const char
> *destFileName) { char pathName[4096]; GooString *gfileName = new
> GooString (srcFileName); PDFDoc *doc = new PDFDoc (gfileName, NULL,
> NULL, NULL);
> 
> ...
> 
> if (firstPage != lastPage && strstr(destFileName, "%d") == NULL) { 
> error(errSyntaxError, -1, "'{0:s}' must contain '%%d' if more than 
> one page should be extracted", destFileName); return false; } for
> (int pageNo = firstPage; pageNo <= lastPage; pageNo++) { snprintf
> (pathName, sizeof (pathName) - 1, destFileName, pageNo); ^ function
> parameter passed as format string
> 
> The function is called by main in line 110 directly passing the
> arguments: ok = extractPages (argv[1], argv[2]); ^ destFileName
> parameter
> 
> PoC: ./pdfseparate -f 1 -l 1 aPdfFile.pdf "%x%x%x%x%x%x%n"
> 
> ======================================================================
>
>  Regards, Pedro
> 
> [1]
> http://cgit.freedesktop.org/poppler/poppler/diff/utils/pdfseparate.cc?id=b8682d868ddf7f741e93b
>
> 
[2]
http://cgit.freedesktop.org/poppler/poppler/commit/?id=61f79b8447c3ac8ab5a26e79e0c28053ffdccf75
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSbyAzAAoJEBYNRVNeJnmTbOcQALu6snT7jFPKdflPPA2CklgJ
TIvvbQmEMITAh5W4Ejlgy0KknarZG/s8G/cKHoqtA8jcQsx3lwNoFMbjRDG7aapx
nCZd0WCDtD2P2KcXsH3+E2ZDbtG3YmaLxMETfoLFF/RQm1BUCUw+MHP/50lDAvDE
rvdxU6Fcl/9ul5Pu3hHGo+HR6dT07byCpLFCa5pUCBcdxotySKIgVOIV5LG5sNBp
jxN9BKHF8+mvbBuKgBrPwCCz3byW/N9hzQ/tFxHniXMknlHtvDOiwVUnnzB7D0GA
ptHHWTXa5bCWqzPcP3Z2sBXV+yAEq7D14eV4mPKe3iXaI896shtumLa0GqmVTH7w
JsFS4MEBEeZGS9ow08tJl8WK5TvBpLndb/vpBU8fSyX/fHDKIclpB5IkUf/Aosqz
/Cxfpj2h+paeXs1cgvpyCJZdqyzYMemX82o9K7ZLgvC1MbxEoWts98O0sr0sAQzg
+dvr2MVsf0Iuz/+dlTbfJgXojFdKnJaYTYpc3P4xHg9CpTBoDWm39vSqYEsdL0EF
IO6zT6clqlXHnmTFhSeZ9TGBOI/7SBH+Ygz+PdPc1m43rreMKFtdFHPaP0oaUcd9
ZhLWevSYRkYCeRK/9nFNcggjYh+/ppGo+Yiv2z5W0S62GQXekrfaYr5Un6jC7oRt
pnmLUL/ZmiF0+gfWp2Ar
=Hs/t
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic