Debian Bug report logs - #487773
poppler: un-sanitized error messages (CVE-2012-2142)
Reported by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Tue, 24 Jun 2008 01:12:01 UTC
Severity: normal
Found in version poppler/0.8.2-2
Fixed in version poppler/0.18.4-7
Done: Pino Toscano <pino@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Marc 'HE' Brockschmidt <he@debian.org>: Bug#487773; Package evince.
Acknowledgement sent to Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>: New Bug report received and forwarded. Copy sent to Marc 'HE' Brockschmidt <he@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: evince
Version: 2.22.2-1
Severity: normal
A pdf file that i tried to read recently causes evince to send what
appears to be raw binary data to stderr. A transcript of this
activity is shown below, along with the output of pdfinfo on the pdf
itself.
This behavior seems potentially dangerous, given that some terminal
emulators (at least rxvt-unicode, in my testing here) interpret
certain binary data as a form of instructions about how to manipulate
the terminal itself (this perhaps suggests another bug on
rxvt-unicode).
At any rate, i don't see a way to interpret this data cleanly, so it's
not clear to me what the advantage is to be gained by dumping it in
binary form to stderr.
I'm attaching the evince-output file to this message so you can see
it.
Unfortunately, the document itself that i discovered this in is not
mine to post to a public bug tracker. If an evince developer or
packager wants to see the file, i can check with the original author
of the file to see if this document (or an anonymized version) can be
published or at least shown to the developers. Please let me know if
i should pursue this.
Thanks for maintaining evince in debian,
--dkg
0 dkg@squeak:~$ evince tmp/foo.pdf >/dev/null 2>tmp/evince-output
0 dkg@squeak:~$ hd tmp/evince-output
00000000 45 72 72 6f 72 20 28 35 34 39 38 36 29 3a 20 55 |Error (54986): U|
00000010 6e 6b 6e 6f 77 6e 20 6f 70 65 72 61 74 6f 72 20 |nknown operator |
00000020 27 e6 9d 39 42 8b bd 27 0a 45 72 72 6f 72 20 28 |'..9B..'.Error (|
00000030 35 34 39 38 38 29 3a 20 55 6e 6b 6e 6f 77 6e 20 |54988): Unknown |
00000040 6f 70 65 72 61 74 6f 72 20 27 51 ad 56 0b 33 05 |operator 'Q.V.3.|
00000050 42 32 27 0a 45 72 72 6f 72 20 28 35 35 30 32 33 |B2'.Error (55023|
00000060 29 3a 20 55 6e 6b 6e 6f 77 6e 20 6f 70 65 72 61 |): Unknown opera|
00000070 74 6f 72 20 27 05 2a d1 d7 3f 03 4f 61 d3 90 9d |tor '.*..?.Oa...|
00000080 48 24 be b7 ee df 23 f9 3a ec fc 77 84 34 01 fb |H$....#.:..w.4..|
00000090 23 ce 1f 4a 3d 9c c4 27 0a 45 72 72 6f 72 20 28 |#..J=..'.Error (|
000000a0 35 35 30 32 33 29 3a 20 49 6e 74 65 72 6e 61 6c |55023): Internal|
000000b0 3a 20 67 6f 74 20 27 45 49 27 20 6f 70 65 72 61 |: got 'EI' opera|
000000c0 74 6f 72 0a 45 72 72 6f 72 20 28 35 34 39 38 36 |tor.Error (54986|
000000d0 29 3a 20 55 6e 6b 6e 6f 77 6e 20 6f 70 65 72 61 |): Unknown opera|
000000e0 74 6f 72 20 27 e6 9d 39 42 8b bd 27 0a 45 72 72 |tor '..9B..'.Err|
000000f0 6f 72 20 28 35 34 39 38 38 29 3a 20 55 6e 6b 6e |or (54988): Unkn|
00000100 6f 77 6e 20 6f 70 65 72 61 74 6f 72 20 27 51 ad |own operator 'Q.|
00000110 56 0b 33 05 42 32 27 0a 45 72 72 6f 72 20 28 35 |V.3.B2'.Error (5|
00000120 35 30 32 33 29 3a 20 55 6e 6b 6e 6f 77 6e 20 6f |5023): Unknown o|
00000130 70 65 72 61 74 6f 72 20 27 05 2a d1 d7 3f 03 4f |perator '.*..?.O|
00000140 61 d3 90 9d 48 24 be b7 ee df 23 f9 3a ec fc 77 |a...H$....#.:..w|
00000150 84 34 01 fb 23 ce 1f 4a 3d 9c c4 27 0a 45 72 72 |.4..#..J=..'.Err|
00000160 6f 72 20 28 35 35 30 32 33 29 3a 20 49 6e 74 65 |or (55023): Inte|
00000170 72 6e 61 6c 3a 20 67 6f 74 20 27 45 49 27 20 6f |rnal: got 'EI' o|
00000180 70 65 72 61 74 6f 72 0a |perator.|
00000188
0 dkg@squeak:~$ pdfinfo foo.pdf
Title: Microsoft Word - Foo.doc
Author: Someone
Creator: PScript5.dll Version 5.2.2
Producer: GPL Ghostscript 8.15
CreationDate: Sun Jun 22 21:39:36 2008
ModDate: Sun Jun 22 21:39:36 2008
Tagged: no
Pages: 16
Encrypted: no
Page size: 612 x 792 pts (letter)
File size: 232720 bytes
Optimized: no
PDF version: 1.4
0 dkg@squeak:~$
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (101, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages evince depends on:
ii gconf2 2.22.0-1 GNOME configuration database syste
ii gnome-icon-theme 2.22.0-1 GNOME Desktop icon theme
ii libart-2.0-2 2.3.20-2 Library of functions for 2D graphi
ii libatk1.0-0 1.22.0-1 The ATK accessibility toolkit
ii libbonobo2-0 2.22.0-1 Bonobo CORBA interfaces library
ii libbonoboui2-0 2.22.0-1 The Bonobo UI library
ii libc6 2.7-10 GNU C Library: Shared libraries
ii libcairo2 1.6.4-1+b1 The Cairo 2D vector graphics libra
ii libdbus-1-3 1.2.1-2 simple interprocess messaging syst
ii libdbus-glib-1-2 0.76-1 simple interprocess messaging syst
ii libdjvulibre21 3.5.20-6 Runtime support for the DjVu image
ii libfontconfig1 2.5.0-2 generic font configuration library
ii libfreetype6 2.3.5-1+lenny1 FreeType 2 font engine, shared lib
ii libgcc1 1:4.3.1-2 GCC support library
ii libgconf2-4 2.22.0-1 GNOME configuration database syste
ii libglade2-0 1:2.6.2-1 library to load .glade files at ru
ii libglib2.0-0 2.16.3-2 The GLib library of C routines
ii libgnome-keyring0 2.22.2-1 GNOME keyring services library
ii libgnome2-0 2.20.1.1-1 The GNOME 2 library - runtime file
ii libgnomecanvas2-0 2.20.1.1-1 A powerful object-oriented display
ii libgnomeui-0 2.20.1.1-1 The GNOME 2 libraries (User Interf
ii libgnomevfs2-0 1:2.22.0-3 GNOME Virtual File System (runtime
ii libgtk2.0-0 2.12.9-3 The GTK+ graphical user interface
ii libice6 2:1.0.4-1 X11 Inter-Client Exchange library
ii libjpeg62 6b-14 The Independent JPEG Group's JPEG
ii libkpathsea4 2007.dfsg.1-4 TeX Live: path search library for
ii libnautilus-extension1 2.20.0-4 libraries for nautilus components
ii liborbit2 1:2.14.13-0.1 libraries for ORBit2 - a CORBA ORB
ii libpango1.0-0 1.20.2-2 Layout and rendering of internatio
ii libpixman-1-0 0.10.0-2 pixel-manipulation library for X a
ii libpng12-0 1.2.27-1 PNG library - runtime
ii libpoppler-glib3 0.8.2-2 PDF rendering library (GLib-based
ii libpopt0 1.10-3 lib for parsing cmdline parameters
ii libsm6 2:1.0.3-1+b1 X11 Session Management library
ii libspectre1 0.2.0.ds-1 Library for rendering Postscript d
ii libstdc++6 4.3.1-2 The GNU Standard C++ Library v3
ii libtiff4 3.8.2-10 Tag Image File Format (TIFF) libra
ii libx11-6 2:1.1.4-2 X11 client-side library
ii libxml2 2.6.32.dfsg-2 GNOME XML library
ii libxrender1 1:0.9.4-1 X Rendering Extension client libra
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages evince recommends:
ii dbus-x11 1.2.1-2 simple interprocess messaging syst
-- no debconf information
[evince-output (application/octet-stream, attachment)]
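The concern raised in the report above is that bytes taken from the document end up verbatim in an error message on stderr. The following is an added example, not part of the original report and not poppler's actual fix: it escapes every non-printable byte of an untrusted token before the message is built. The names `sanitize_for_log`, `format_unknown_operator` and `as_string` are hypothetical; the first sample token is copied from the hexdump in the report, the second is constructed.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Escape every byte outside printable ASCII (0x20..0x7e), plus the backslash
// itself, so a logged token cannot reach the terminal as control data.
std::string sanitize_for_log(const std::string &raw) {
    static const char hex[] = "0123456789abcdef";
    std::string out;
    out.reserve(raw.size() * 4);
    for (unsigned char c : raw) {
        if (c == '\\') {
            out += "\\\\";
        } else if (c >= 0x20 && c <= 0x7e) {
            out += static_cast<char>(c);
        } else {
            out += "\\x";
            out += hex[c >> 4];
            out += hex[c & 0x0f];
        }
    }
    return out;
}

// Hypothetical helper: builds a message shaped like those in the transcript.
std::string format_unknown_operator(long pos, const std::string &op) {
    return "Error (" + std::to_string(pos) + "): Unknown operator '" +
           sanitize_for_log(op) + "'";
}

// Operator bytes copied from the report's hexdump (offsets 0x21 to 0x26).
static const unsigned char kReportedOp[] = {0xe6, 0x9d, 0x39, 0x42, 0x8b, 0xbd};
// Constructed sample: a token that begins with an ESC control sequence.
static const unsigned char kConstructedOp[] = {0x1b, '[', '2', 'J'};

std::string as_string(const unsigned char *p, std::size_t n) {
    return std::string(reinterpret_cast<const char *>(p), n);
}

int main() {
    const std::string ops[] = {as_string(kReportedOp, sizeof kReportedOp),
                               as_string(kConstructedOp, sizeof kConstructedOp)};
    for (const std::string &op : ops)
        std::fprintf(stderr, "%s\n", format_unknown_operator(54986, op).c_str());
    return 0;
}
```

Escaping the backslash as well keeps the output unambiguous: a literal `\x1b` in the input cannot be confused with an escaped ESC byte.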
Information forwarded to debian-bugs-dist@lists.debian.org, Marc 'HE' Brockschmidt <he@debian.org>: Bug#487773; Package evince.
Acknowledgement sent to Sven Arvidsson <sa@whiz.se>: Extra info received and forwarded to list. Copy sent to Marc 'HE' Brockschmidt <he@debian.org>.
Message #10 received at 487773@bugs.debian.org:
reassign 487773 libpoppler-glib3 0.8.2-2
thanks
On Mon, 2008-06-23 at 21:09 -0400, Daniel Kahn Gillmor wrote:
> A pdf file that i tried to read recently causes evince to send what
> appears to be raw binary data to stderr. A transcript of this
> activity is shown below, along with the output of pdfinfo on the pdf
> itself.
Hi,
I'm pretty sure these messages come from poppler, so I will reassign the
bug accordingly.
--
Cheers,
Sven Arvidsson
http://www.whiz.se
PGP Key ID 760BDD22
Changed Bug submitter from Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> to Daniel Kahn Gillmor <dkg@fifthhorseman.net>. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to control@bugs.debian.org. (Thu, 26 Mar 2009 13:42:32 GMT)
No longer marked as found in versions poppler/0.8.2-2. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Tue, 17 Mar 2015 00:00:30 GMT)
Marked as found in versions poppler/0.8.2-2. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Tue, 17 Mar 2015 00:00:31 GMT)
Changed Bug title to 'poppler: un-sanitized error messages (CVE-2012-2142)' from 'Some pdf files cause evince to generate binary output to stderr '. Request was from Pino Toscano <pino@debian.org> to control@bugs.debian.org. (Mon, 25 Apr 2016 22:51:05 GMT)
Marked as fixed in versions poppler/0.18.4-7. Request was from Pino Toscano <pino@debian.org> to control@bugs.debian.org. (Mon, 25 Apr 2016 22:51:05 GMT)
Reply sent to Pino Toscano <pino@debian.org>: You have taken responsibility. (Sat, 08 Oct 2016 18:06:04 GMT)
Notification sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>: Bug acknowledged by developer. (Sat, 08 Oct 2016 18:06:04 GMT)
Message #29 received at 487773-done@bugs.debian.org:
Hi,
this bug was fixed long ago already, in version 0.18.4-7 -- hence
closing.
Thanks for the report,
--
Pino Toscano
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 06 Nov 2016 07:29:42 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:37:01 2019; Machine Name: buxtehude