pdfinfo sends arbitrary bytes to stdout
I've found a PDF file whose "producer" string has an embedded NUL byte in it. Running pdfinfo on it sends the NUL byte to stdout.
This suggested to me that a suitably nasty PDF document can emit terminal escape sequences, which is potentially a security vulnerability (e.g. similar to CVE-2009-4487).
x.pdf is a relatively benign PDF that demonstrates some of this. It will set the window title, add a fake Subject: line (via an injected \n), set some colors, and add some blinking text if you run pdfinfo x.pdf. I have not tried to weaponize it, but I don't think it would be hard to do, if pdfinfo is run in a vulnerable terminal. (See the console_codes(4) manpage to read up on the range of things that terminal escape sequences can do in some contexts.)
Interestingly, an embedded NUL byte makes it so that a typical pdfinfo | grep pipeline fails, because grep says Binary file (standard input) matches. So even if it were safe (it's not, because the ability to inject newlines screws up pdfinfo's structured output), you'd have to use grep -a to force grep to consider it not a binary file.
pdfinfo should probably try to render any document-supplied text more carefully.
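
One way to render document-supplied text more carefully, as an added example that is not part of the original report and not poppler's code: escape every control byte in a metadata value before it is written to stdout. The names escape_field and emit are hypothetical, and the \xNN escaping policy is an assumption; the sample producer string is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Append one byte to out, either raw or as a visible \xNN escape. */
static int emit(char *out, size_t outsz, size_t *o, unsigned char c, int esc)
{
    size_t need = esc ? 4 : 1;
    if (*o + need >= outsz)          /* always keep room for the NUL */
        return -1;
    if (esc)
        snprintf(out + *o, 5, "\\x%02x", (unsigned)c);
    else
        out[*o] = (char)c;
    *o += need;
    return 0;
}

/* Hypothetical helper: escape a length-counted metadata value so that no
 * byte a terminal or a line-oriented parser acts on reaches stdout.
 * Returns bytes written (without the NUL), or (size_t)-1 if out is too small. */
size_t escape_field(const unsigned char *in, size_t len, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return (size_t)-1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        /* C1 controls in UTF-8 are C2 80..C2 9F (U+009B is an 8-bit CSI). */
        int c1 = c == 0xc2 && i + 1 < len && in[i + 1] >= 0x80 && in[i + 1] <= 0x9f;
        /* C0 controls (NUL, ESC, newline, ...), DEL, and backslash itself so
         * the escaped form stays unambiguous. */
        int esc = c < 0x20 || c == 0x7f || c == '\\' || c1;
        if (emit(out, outsz, &o, c, esc) < 0)
            return (size_t)-1;
        if (c1 && emit(out, outsz, &o, in[++i], 1) < 0)
            return (size_t)-1;
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample: NUL, an OSC title sequence, and an injected line. */
    const unsigned char producer[] = "Acme\0PDF\x1b]0;title\x07\nSubject: fake";
    char buf[256];
    if (escape_field(producer, sizeof producer - 1, buf, sizeof buf) != (size_t)-1)
        printf("Producer:       %s\n", buf);
    return 0;
}
```

With output escaped this way each field stays on one line, so the fake Subject: line cannot appear as a separate record and grep no longer sees binary input.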