Bug 242930 (CVE-2009-1144) - <app-text/xpdf-3.02-r2 xpdfrc is read from current directory (CVE-2009-1144)
Summary: <app-text/xpdf-3.02-r2 xpdfrc is read from current directory (CVE-2009-1144)
Status: RESOLVED FIXED
Alias: CVE-2009-1144
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: x86 Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Reported: 2008-10-20 19:51 UTC by Erik Wallin
Modified: 2009-04-10 20:28 UTC
CC: 2 users
Description Erik Wallin 2008-10-20 19:51:54 UTC
xpdf reads its settings from an xpdfrc file in the current directory.

The psFile setting is evaluated in a shell and would be executed by the user running xpdf if a document is printed.

This was discovered when trying to change the settings in /etc/xpdfrc. It didn't work, so the bug also affects function.

# strace xpdf 2>&1 |fgrep xpdfrc
open("/home/erikw/.xpdfrc", O_RDONLY)   = -1 ENOENT (No such file or directory)
open("xpdfrc", O_RDONLY)                = 3

Steps to reproduce (with the risk of overstating the obvious):

Alyssa P Hacker:
alyssa@mowitz ~ $ echo 'psFile "|lpr                           ;echo echo Your account has been compromised.>>~/.bashrc; lpr"' > xpdfrc

Ben Bitdiddle:
ben@mowitz ~ $ cd ~alyssa
ben@mowitz alyssa $ xpdf somefile.pdf

<ben prints somefile>

ben@mowitz alyssa $ bash
Your account has been compromised.
<Ben panics>

The spaces after lpr are there to fool Ben. The nasty part of the command is not visible in the GUI.
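A defender-side check for the pattern described in this report, added here as an example and not part of Xpdf, poppler or the Gentoo ebuild: it parses an xpdfrc (assumed format: one `key value` per line, `#` comments, double-quoted values, a psFile value starting with `|` being a command run through the shell at print time) and flags piped psFile commands that carry shell metacharacters or the space padding used to hide them. The heuristics and the sample file are this example's own assumptions.

```python
import re
import shlex

# Heuristics (this example's own assumptions): shell metacharacters inside a
# piped psFile command, and long runs of spaces that push the real command past
# the edge of the print dialog, as in the entry shown in the report.
SHELL_META = re.compile(r'[;&|`$(){}<>]')
PADDING = re.compile(r' {8,}')

def parse_xpdfrc(text):
    """Yield (lineno, key, args) per directive; '#' comments and blanks are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        try:
            tokens = shlex.split(line, posix=True)  # honours "quoted values"
        except ValueError:                           # unbalanced quote: best effort
            tokens = line.split(None, 1)
        if tokens:
            yield lineno, tokens[0], tokens[1:]

def audit_psfile(text):
    """Return (lineno, command, reasons) for each psFile that pipes to a command.
    Empty reasons: the directive still spawns a shell but matched no heuristic."""
    findings = []
    for lineno, key, args in parse_xpdfrc(text):
        if key != 'psFile' or not args or not args[0].startswith('|'):
            continue  # plain output file: no shell involved
        cmd = args[0][1:]
        reasons = []
        if SHELL_META.search(cmd):
            reasons.append('shell metacharacters in piped command')
        if PADDING.search(cmd):
            reasons.append('space padding hides trailing text')
        findings.append((lineno, cmd.strip(), reasons))
    return findings

# Constructed sample, not a file from the report: line 2 has the padded trojan
# shape, line 3 is a plain output file, line 4 an ordinary lpr command.
SAMPLE_XPDFRC = '''# constructed sample xpdfrc
psFile "|lpr                        ;echo hidden-part; lpr"
psFile "/tmp/out.ps"
psFile "|lpr -P office"
'''

if __name__ == '__main__':
    for lineno, cmd, reasons in audit_psfile(SAMPLE_XPDFRC):
        print(f'line {lineno}: {"SUSPICIOUS" if reasons else "piped"}: {cmd!r} {reasons}')
```

Run it against `./xpdfrc`, `~/.xpdfrc` and the system file on a machine with an affected build to see which one the lookup order would hand to the shell.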
Comment 1 Erik Wallin 2008-10-20 20:27:03 UTC
Note that if ~/.xpdfrc exists, the xpdfrc file in the current directory is not read.

I believe the xpdfrc it tries to open from the current directory is supposed to be the global xpdfrc, but the build process is not setting the path correctly.

Creating a ~/.xpdfrc would be a workaround for this bug.
Comment 2 Erik Wallin 2008-10-21 13:13:47 UTC
I looked more into this last night after reporting it. I could not attach more information until now.

From what I found so far this is a problem in both poppler and xpdf. Solving it in poppler would solve it in xpdf as well.

The SYSTEM_XPDFRC variable is not set by the configure script in poppler. There should be a default value, but it seems to be missing.

It looks as if this problem is in the poppler package itself, not the ebuild.

Although it could be patched, the package maintainer should be notified before publishing anything, since other distributions would also be affected.
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-12-12 23:16:24 UTC
(In reply to comment #2)
> I looked more into this last night after reporting it. I could not attach more
> information until now.
> 
> From what I found so far this is a problem in both poppler and xpdf. Solving it
> in poppler would solve it in xpdf as well.
> 
> The SYSTEM_XPDFRC variable is not set by the configure script in poppler. There
> should be a default value, but it seems to be missing.
> 
> It looks as if this problem is in the poppler package itself, not the ebuild.
> 
> Although it could be patched, the package maintainer should be notified before
> publishing anything, since other distributions would also be affected.

Hi Erik, thanks for your report and sorry for the delay. Did you get an answer from upstream about it?
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-17 21:39:28 UTC
Erik, did you get an answer from upstream?
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-03-21 13:59:31 UTC
This is a Gentoo-specific vulnerability in the Xpdf ebuild. We are shipping a repackaged version of Xpdf [1] that links against the system poppler library. It has the Goo* code and original build system removed, and builds the Xpdf binary with a custom Makefile which does not set SYSTEM_XPDFRC.

Xpdf's behaviour in config.h then is to assume ".", which leads to the unfortunate situation that "xpdfrc" is loaded from the current working directory if no other configuration is specified via call arguments or present in the user's home directory.

[1] http://gentooexperimental.org/~genstef/dist/xpdf-3.02-poppler-20071121.tar.bz2
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-03-21 14:02:31 UTC
This has been previously reported as bug 200023, but without mentioning the security impact. The bug also contains an ebuild with the fix (and another bugfix, I did not check that fix's sanity).

Peter, can you please prepare an ebuild at least fixing the -DSYSTEM_XPDFRC situation and attach it to this bug? We will do prestable testing here.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-03-26 11:39:59 UTC
CVE-2009-1144 has been reserved for this Gentoo specific issue.
Comment 8 Peter Alfredsen (RETIRED) gentoo-dev 2009-03-29 18:48:42 UTC
+*xpdf-3.02-r2 (29 Mar 2009)
+
+  29 Mar 2009; Peter Alfredsen <loki_val@gentoo.org> +xpdf-3.02-r2.ebuild:
+  Bump. Fixes bug 200023. Thanks to KIMURA Masaru / hiyuh
+  <hiyuh.root@gmail.com> for the fix and Joseph <syscon780@gmail.com> for
+  the report.
+
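Review bot: the ChangeLog entry references bug 200023 only and carries no pointer to this bug or CVE-2009-1144, so the security fix is not discoverable from the ChangeLog alone; the stabilization request below states the security reference is withheld under embargo, so a follow-up ChangeLog edit once the issue is public (as comment 17 later records) is needed to close that gap.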
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-04-02 09:50:17 UTC
Arch Security Liaisons, please test and mark stable:
=app-text/xpdf-3.02-r2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"

Note that the security impact of this bump is still considered under embargo, so please do not reference this stabling as such. We can add the bug reference to the ChangeLog later.

CC'ing current Liaisons:
   alpha : klausman, armin76
   amd64 : keytoaster, tester
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : maekke, armin76
Comment 10 Ferris McCormick (RETIRED) gentoo-dev 2009-04-02 11:50:41 UTC
Stable on sparc.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2009-04-02 17:08:43 UTC
Stable for HPPA.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2009-04-02 17:17:26 UTC
Adding ranger, removing corsair since he's being retired or is retired already.
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2009-04-02 17:21:06 UTC
alpha/arm/ia64/sh/x86 stable
Comment 14 Joe Jezak (RETIRED) gentoo-dev 2009-04-02 18:47:36 UTC
Marked ppc/ppc64 stable.
Comment 15 Markus Meier gentoo-dev 2009-04-02 21:57:47 UTC
amd64 stable (approved by Tester)
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2009-04-07 10:05:28 UTC
This is now public.
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2009-04-07 10:06:25 UTC
I added this bug to the ChangeLog for easier reference in the future.
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2009-04-07 10:18:39 UTC
GLSA 200904-07
Comment 19 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-10 20:28:43 UTC
CVE-2009-1144 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1144):
  Untrusted search path vulnerability in the Gentoo package of Xpdf
  before 3.02-r2 allows local users to gain privileges via a Trojan
  horse xpdfrc file in the current working directory, related to an
  unset SYSTEM_XPDFRC macro in a Gentoo build process that uses the
  poppler library.