| Summary: | app-text/poppler: Insufficient sanitization of escape sequences in the error messages (CVE-2012-2142) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | reavertm |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2013/08/09/5 | ||
| Whiteboard: | A2 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
That commmit went in long before poppler-0.22, and we do not have any affected versions in the tree at least since 11 Apr 2013. Robo-adding sec bugs without any version reference does not really make maintainers enthusiastic, mind you. Nothing else to do for KDE team here. Filing GLSA. Nothing to do for printing team here. This issue was resolved and addressed in GLSA 201310-03 at http://security.gentoo.org/glsa/glsa-201310-03.xml by GLSA coordinator Sean Amoss (ackle). |
From ${URL} : An insufficient escape sequences sanitization flaw was found in the way xpdf, a PDF file viewer for the X window system, and poppler, a PDF rendering library, performed sanitization of certain characters to be displayed in the error messages, which arose during presentation of certain PDF files. A remote attacker could use this flaw to modify a window's title, or, possibly execute arbitrary commands or overwrite files, via a specially-crafted PDF file containing an escape sequence for a terminal emulator if local, unsuspecting user opened such crafted PDF file in xpdf or in an application linked against poppler library (for example evince). References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2142 Poppler upstream patch: http://cgit.freedesktop.org/poppler/poppler/commit/?id=71bad47ed6a36d825b0d08992c8db56845c71e40 @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.