Date: Mon, 28 Oct 2013 20:40:51 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Albert Astals Cid <aacid@....org>
Subject: Re: CVE request: 3 vulnerabilities in poppler and 1 in Xpdf

On 10/26/2013 02:45 PM, Pedro Ribeiro wrote:
> Hi,
> 
> There are 3 vulnerabilities in poppler and 1 in Xpdf that need CVE
> attention. Can you please provide CVEs for the following?
> 
> - Race condition on temporary file (Windows) / Insecure temporary
> file (other non-Unix OSes), affecting poppler and Xpdf (reported by
> Pedro Ribeiro, unfixed in poppler, unfixed in Xpdf) -> Not sure if
> this is one or two vulnerabilities?

Please use CVE-2013-4472 for the Race condition on temporary file

> - Stack based buffer overflow, affecting poppler in the utils
> section (reported by Daniel Kahn Gillmor, fixed in poppler 0.24.2)

Please use CVE-2013-4473 for the Stack based buffer overflow

> - User controlled format string, affecting poppler in the utils 
> section (reported by Daniel Kahn Gillmor and Pedro Ribeiro, fixed
> in poppler 0.24.3)

Please use CVE-2013-4474 for the User controlled format string

> Note that the poppler maintainers are aware of the unfixed issue.
> Xpdf upstream appears to be dead since 2011 so I have not attempted
> to contact them.
> 
> Details on the vulnerabilities are below.
> 
> The first vulnerability is use of an insecure temporary file for
> non-Unix OSes. As per the code comments, the maintainers are aware
> of this and welcome patches from anyone who knows of a better way
> to create temp files in Windows / other OSes. I have also checked
> Xpdf and the same vulnerable code is present, so the bug must be
> pretty old and all releases of poppler since forking from Xpdf
> should be affected.
> ======================================================================
> 
> Vulnerability: Race condition on temporary file access / Insecure
> Temporary File (CWE-363 / CWE-377)
> Filename(line): poppler-0.24.2/goo/gfile.cc(340-395)
> Code snippet:
> 
> There is a race condition and use of an insecure temporary file in
> the openTempFile function that enables an attacker to replace the
> temporary file with a symlink of his/her choosing. This only
> happens on non-Unix OSes (old MacOS, Windows, etc).
> 
> GBool openTempFile(GooString **name, FILE **f, const char *mode) {
> #if defined(_WIN32)
>   //---------- Win32 ----------
>   char *tempDir;
>   GooString *s, *s2;
>   FILE *f2;
>   int t, i;
> 
>   // this has the standard race condition problem, but I haven't found
>   // a better way to generate temp file names with extensions on
>   // Windows
>   if ((tempDir = getenv("TEMP"))) {
>     s = new GooString(tempDir);
>     s->append('\\');
>   } else {
>     s = new GooString();
>   }
>   s->appendf("x_{0:d}_{1:d}_", (int)GetCurrentProcessId(),
>              (int)GetCurrentThreadId());
>   t = (int)time(NULL);
>   for (i = 0; i < 1000; ++i) {
>     s2 = s->copy()->appendf("{0:d}", t + i);
>     if (!(f2 = fopen(s2->getCString(), "r"))) {
>       if (!(f2 = fopen(s2->getCString(), mode))) {
>         delete s2;
>         delete s;
>         return gFalse;
>       }
>       *name = s2;
>       *f = f2;
>       delete s;
>       return gTrue;
>     }
>     fclose(f2);
>     delete s2;
>   }
>   delete s;
>   return gFalse;
> #elif defined(VMS) || defined(__EMX__) || defined(ACORN) || defined(MACOS)
>   //---------- non-Unix ----------
>   char *s;
> 
>   // There is a security hole here: an attacker can create a symlink
>   // with this file name after the tmpnam call and before the fopen
>   // call.  I will happily accept fixes to this function for non-Unix
>   // OSs.
>   if (!(s = tmpnam(NULL))) {
>     return gFalse;
>   }
>   *name = new GooString(s);
>   if (!(*f = fopen((*name)->getCString(), mode))) {
>     delete (*name);
>     *name = NULL;
>     return gFalse;
>   }
>   return gTrue;
> 
> ======================================================================
>
> 
> 
> The second vulnerability is a buffer overflow in the pdfseparate
> utility, and was reported by Daniel Kahn Gillmor. The buffer
> overflow was fixed in poppler 0.24.2 as per the commit in [1].
> 
> The third vulnerability is a user-controlled format string, which was
> reported by Daniel Kahn Gillmor and Pedro Ribeiro separately to
> the poppler maintainers. This vulnerability was fixed in poppler
> 0.24.3 as per the commit in [2].
> 
> More details on the format string are below: 
> ======================================================================
> 
> Vulnerability: Uncontrolled format string (CWE-124)
> Filename(line): poppler-0.24.2/utils/pdfseparate.cc(70)
> Code snippet:
> 
> bool extractPages (const char *srcFileName, const char *destFileName) {
>   char pathName[4096];
>   GooString *gfileName = new GooString (srcFileName);
>   PDFDoc *doc = new PDFDoc (gfileName, NULL, NULL, NULL);
> 
>   ...
> 
>   if (firstPage != lastPage && strstr(destFileName, "%d") == NULL) {
>     error(errSyntaxError, -1, "'{0:s}' must contain '%%d' if more than one page should be extracted", destFileName);
>     return false;
>   }
>   for (int pageNo = firstPage; pageNo <= lastPage; pageNo++) {
>     snprintf (pathName, sizeof (pathName) - 1, destFileName, pageNo);
>                                                ^ function parameter passed as format string
> 
> The function is called by main in line 110 directly passing the
> arguments:
>   ok = extractPages (argv[1], argv[2]);
>                                ^ destFileName parameter
> 
> PoC: ./pdfseparate -f 1 -l 1 aPdfFile.pdf "%x%x%x%x%x%x%n"
> 
> ======================================================================
>
> Regards, Pedro
> 
> [1]
> http://cgit.freedesktop.org/poppler/poppler/diff/utils/pdfseparate.cc?id=b8682d868ddf7f741e93b
> 
> [2]
> http://cgit.freedesktop.org/poppler/poppler/commit/?id=61f79b8447c3ac8ab5a26e79e0c28053ffdccf75
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
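The check-then-open pattern in the quoted openTempFile() is the classic TOCTOU hole: the name is first probed with fopen(..., "r") and then created with a second fopen(), so anything planted at that path between the two calls is silently followed. As an added example, not poppler's or Xpdf's code, here is the same naming scheme on POSIX with the probe and the creation collapsed into one atomic open() using O_CREAT|O_EXCL, so a pre-existing file or symlink makes the attempt fail closed and the loop moves on to the next name (the dir, ext and name_out parameters and the create_excl helper are mine).

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Added example, not poppler's code: atomically create a brand-new file.
 * O_EXCL makes open() fail with errno == EEXIST if anything, including a
 * symlink planted by another user, already occupies the path; with
 * O_CREAT|O_EXCL a symlink at the final component is never followed.
 * Mode 0600 keeps the file private to the creating user. */
int create_excl(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Same naming scheme as openTempFile() (pid, time + counter, extension),
 * but the "does it exist?" probe and the creation are one atomic step, so
 * there is no window between them. Returns an open fd (or -1) and writes
 * the chosen path into name_out (name_len bytes); the caller unlinks it. */
int open_temp_file_excl(const char *dir, const char *ext,
                        char *name_out, size_t name_len) {
    long t = (long)time(NULL);

    for (int i = 0; i < 1000; ++i) {
        int len = snprintf(name_out, name_len, "%s/x_%ld_%ld%s",
                           dir, (long)getpid(), t + i, ext);
        if (len < 0 || (size_t)len >= name_len)
            return -1;                      /* name would not fit */

        int fd = create_excl(name_out);
        if (fd >= 0)
            return fd;                      /* created fresh: safe to use */
        if (errno != EEXIST)
            return -1;                      /* EACCES, ENOSPC, ...: give up */
        /* EEXIST: name taken (or planted); fail closed, try the next one */
    }
    return -1;
}
```

A predictable name now costs at most a denial of service (all 1000 candidates occupied), never a write through an attacker's symlink.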
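The snprintf() call in the quoted pdfseparate.cc hands destFileName to the C library as the format string, which is why the PoC argument is interpreted as conversions rather than as a file name. As an added example, not the project's actual fix from [2], this helper builds the per-page name itself: it honours only "%d" (the page number) and "%%" (a literal percent) and refuses any other conversion, so the user's argument never reaches snprintf() as a format; the function name and its return convention are mine.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not poppler's fix: expand the user's destFileName pattern
 * for one page without passing it to snprintf() as the format. Returns the
 * number of "%d" expansions (0 if none), or -1 if the pattern contains any
 * other conversion ("%n", "%x", "%s", a trailing "%") or out is too small.
 * The caller can use the count to enforce "must contain %d" for multi-page
 * runs, the check extractPages() does with strstr(). */
int expand_page_name(const char *pattern, int page, char *out, size_t outlen) {
    size_t pos = 0;
    int seen_d = 0;

    for (const char *p = pattern; *p; p++) {
        if (*p != '%') {
            if (pos + 1 >= outlen)           /* need room for char + NUL */
                return -1;
            out[pos++] = *p;
            continue;
        }
        p++;                                  /* look at the conversion char */
        if (*p == '%') {
            if (pos + 1 >= outlen)
                return -1;
            out[pos++] = '%';                 /* "%%" -> literal percent */
        } else if (*p == 'd') {
            /* The format here is a compile-time constant; only the page
             * number, an int we control, is formatted. */
            int w = snprintf(out + pos, outlen - pos, "%d", page);
            if (w < 0 || (size_t)w >= outlen - pos)
                return -1;
            pos += (size_t)w;
            seen_d++;
        } else {
            return -1;                        /* anything else is refused */
        }
    }
    out[pos] = '\0';
    return seen_d;
}
```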
