99309 – dev-perl/PDF-Create is (very) outdated, potential security problem with "(" in string printing

Bug 99309 - dev-perl/PDF-Create is (very) outdated, potential security problem with "(" in string printing

Summary: dev-perl/PDF-Create is (very) outdated, potential security problem with "(" i...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	[OLD] Library (show other bugs)
Hardware:	All All

Importance:	High normal (vote)
Assignee:	Gentoo Perl team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2005-07-17 03:54 UTC by Matthias Wenzel
Modified:	2005-07-18 03:40 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Matthias Wenzel 2005-07-17 03:54:42 UTC

The latest version from 2001 is 0.06.1b (!)
The homepage should point to http://sourceforge.net/projects/perl-pdf/
There are serious problems in the string passing routines in version 0.01 (which
is the current in gentoo and CPAN)


Reproducible: Always
Steps to Reproduce:
#!/usr/bin/perl -w
use strict;
use PDF::Create;

my $pdf = new PDF::Create('filename' => 'mypdf.pdf');
my $root = $pdf->new_page('MediaBox' => [ 0, 0, 612, 792 ]);
my $f1 = $pdf->font('Subtype'  => 'Type1',
        'Encoding' => 'WinAnsiEncoding',
        'BaseFont' => 'Helvetica');

$root->stringc($f1, 40, 306, 426, "PDF::Create (not so cool");

$pdf->close;

Actual Results:  
something between "acroread won't show the page" and "the pdf page shows a
memorydump of the perl process"

Comment 1 Michael Cummings (RETIRED) gentoo-dev

2005-07-18 03:40:41 UTC

bumped, tested, posted.