control: tag -1 patch control: tag -1 pending On Fri, Nov 8, 2013 at 8:32 AM, Moritz Muehlenhoff wrote: > Two security issues were found in the pdfseparate tool shipped by > poppler-utils:
Hi, I've uploaded an nmu fixing these two issues to delayed/5. Please see attached patch. Best wishes, Mike
diff -Nru poppler-0.18.4/debian/changelog poppler-0.18.4/debian/changelog
--- poppler-0.18.4/debian/changelog 2013-08-20 13:12:45.000000000 -0400
+++ poppler-0.18.4/debian/changelog 2013-11-10 16:13:27.000000000 -0500
@@ -1,3 +1,11 @@
+poppler (0.18.4-8+nmu1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix cve-2013-4473 and cve-2013-4474: buffer overflow and format string
+ issues in the pdfseparate tool (closes: 729064).
+
+ -- Michael Gilbert <mgilb...@debian.org> Sun, 10 Nov 2013 20:42:23 +0000
+
 poppler (0.18.4-8) unstable; urgency=low
 
 * Remove the .la files from debian/tmp, to shorten the --list-missing output.
diff -Nru poppler-0.18.4/debian/patches/cve-2013-4473.patch poppler-0.18.4/debian/patches/cve-2013-4473.patch
--- poppler-0.18.4/debian/patches/cve-2013-4473.patch 1969-12-31 19:00:00.000000000 -0500
+++ poppler-0.18.4/debian/patches/cve-2013-4473.patch 2013-11-10 16:13:33.000000000 -0500
@@ -0,0 +1,24 @@
+description: buffer overflow in pdfseparate tool
+origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4473
+Index: poppler-0.18.4/utils/pdfseparate.cc
+===================================================================
+--- poppler-0.18.4.orig/utils/pdfseparate.cc 2013-11-10 21:08:46.366640853 +0000
++++ poppler-0.18.4/utils/pdfseparate.cc 2013-11-10 21:08:46.366640853 +0000
+@@ -43,7 +43,7 @@
+ };
+
+ bool extractPages (const char *srcFileName, const char *destFileName) {
+- char pathName[1024];
++ char pathName[4096];
+ GooString *gfileName = new GooString (srcFileName);
+ PDFDoc *doc = new PDFDoc (gfileName, NULL, NULL, NULL);
+
+@@ -69,7 +69,7 @@
+ return false;
+ }
+ for (int pageNo = firstPage; pageNo <= lastPage; pageNo++) {
+- sprintf (pathName, destFileName, pageNo);
++ snprintf (pathName, sizeof (pathName) - 1, destFileName, pageNo);
+ GooString *gpageName = new GooString (pathName);
+ int errCode = doc->savePageAs(gpageName, pageNo);
+ if ( errCode != errNone) {
diff -Nru poppler-0.18.4/debian/patches/cve-2013-4474.patch poppler-0.18.4/debian/patches/cve-2013-4474.patch
--- poppler-0.18.4/debian/patches/cve-2013-4474.patch 1969-12-31 19:00:00.000000000 -0500
+++ poppler-0.18.4/debian/patches/cve-2013-4474.patch 2013-11-10 16:14:12.000000000 -0500
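Review bot: The `snprintf` call added in the second hunk of cve-2013-4473.patch discards its return value, so a destination pattern that expands beyond `pathName` is silently truncated and `savePageAs` is then given a shortened path rather than the one the user asked for. Checking the result makes that case fail cleanly: `int n = snprintf (pathName, sizeof (pathName), destFileName, pageNo);` followed by `if (n < 0 || (size_t) n >= sizeof (pathName)) { error(-1, "output file name too long"); return false; }`. The `- 1` on the size is unnecessary, since snprintf already writes at most size bytes including the terminating NUL. Both extractPages and the for loop continue outside the hunk, so the early return should release whatever the function's other error paths release.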
@@ -0,0 +1,53 @@
+description: format string issue
+origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4474
+Index: poppler-0.18.4/utils/pdfseparate.cc
+===================================================================
+--- poppler-0.18.4.orig/utils/pdfseparate.cc 2013-11-10 21:13:42.114643334 +0000
++++ poppler-0.18.4/utils/pdfseparate.cc 2013-11-10 21:14:08.754643558 +0000
+@@ -18,6 +18,7 @@
+ #include "PDFDoc.h"
+ #include "ErrorCodes.h"
+ #include "GlobalParams.h"
++#include <ctype.h>
+
+ static int firstPage = 0;
+ static int lastPage = 0;
+@@ -65,9 +66,37 @@
+ if (firstPage == 0)
+ firstPage = 1;
+ if (firstPage != lastPage && strstr(destFileName, "%d") == NULL) {
+- error(-1, "'%s' must contain '%%d' if more than one page should be extracted", destFileName);
++ error(-1, "'%s' must contain '%d' if more than one page should be extracted", destFileName);
+ return false;
+ }
++
++ // destFileName can have multiple %% and one %d
++ // We use auxDestFileName to replace all the valid % appearances
++ // by 'A' (random char that is not %), if at the end of replacing
++ // any of the valid appearances there is still any % around, the
++ // pattern is wrong
++ char *auxDestFileName = strdup(destFileName);
++ // %% can appear as many times as you want
++ char *p = strstr(auxDestFileName, "%%");
++ while (p != NULL) {
++ *p = 'A';
++ *(p + 1) = 'A';
++ p = strstr(p, "%%");
++ }
++ // %d can appear only one time
++ p = strstr(auxDestFileName, "%d");
++ if (p != NULL) {
++ *p = 'A';
++ }
++ // at this point any other % is wrong
++ p = strstr(auxDestFileName, "%");
++ if (p != NULL) {
++ error(-1, "'%s' can only contain one '%d' pattern", destFileName);
++ free(auxDestFileName);
++ return false;
++ }
++ free(auxDestFileName);
++
+ for (int pageNo = firstPage; pageNo <= lastPage; pageNo++) {
+ snprintf (pathName, sizeof (pathName) - 1, destFileName, pageNo);
+ GooString *gpageName = new GooString (pathName);
diff -Nru poppler-0.18.4/debian/patches/series 
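Review bot: Both `error()` calls on the new side of cve-2013-4474.patch carry a bare `%d` in the message with no matching argument; the removed line escaped it as `%%d`, which suggests error() in this version is printf-style, in which case the conversion reads a variadic argument that was never passed. Keep the escape in both messages: `error(-1, "'%s' must contain '%%d' if more than one page should be extracted", destFileName);` and `error(-1, "'%s' can only contain one '%%d' pattern", destFileName);`. Separately, the result of `strdup(destFileName)` goes straight into `strstr` without a NULL check, so an allocation failure would dereference NULL; an `if (auxDestFileName == NULL) return false;` guard before the first `strstr` closes that. The added `#include <ctype.h>` is not used by anything in these hunks, and extractPages continues outside the hunk.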
poppler-0.18.4/debian/patches/series
--- poppler-0.18.4/debian/patches/series 2013-08-20 09:53:24.000000000 -0400
+++ poppler-0.18.4/debian/patches/series 2013-11-10 16:13:39.000000000 -0500
@@ -10,3 +10,5 @@
 upstream_Initialize-refLine-totally.patch
 CVE-2012-2142.diff
 upstream_pdfseparate.1-Syntax-fixes.patch
+cve-2013-4473.patch
+cve-2013-4474.patch