Skip to content

GitLab

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
P
poppler
  • Project overview
    • Project overview
    • Details
    • Activity
    • Releases
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 613
    • Issues 613
    • List
    • Boards
    • Labels
    • Service Desk
    • Milestones
  • Merge Requests 39
    • Merge Requests 39
  • CI / CD
    • CI / CD
    • Pipelines
    • Jobs
    • Schedules
  • Operations
    • Operations
    • Incidents
    • Environments
  • Packages & Registries
    • Packages & Registries
    • Container Registry
  • Analytics
    • Analytics
    • CI / CD
    • Repository
    • Value Stream
  • Snippets
    • Snippets
  • Members
    • Members
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • poppler
  • poppler
  • Issues
  • #776

Closed
Open
Opened Jun 07, 2019 by Daniel Kahn Gillmor@dkg

pdfinfo sends arbitrary bytes to stdout

I've found a pdf file whose "producer" string has an embedded NUL byte in it. running pdfinfo on it sends the NUL byte to stdout.

This suggested to me that a suitably nasty PDF document can emit terminal escape sequences, which is potentially a security vulnerability (e.g. similar to CVE-2009-4487).

x.pdf is a relatively benign PDF that demonstrates some of this. It will set the window title, add a fake Subject: line (via an injected \n), set some colors, and add some blinking text if you run pdfinfo x.pdf. I have not tried to weaponize it, but i don't think it would be hard to do, if pdfinfo is run in a vulnerable terminal. (see the console_codes(4) manpage to read up on the range of things that terminal escape sequences can do in some contexts)

Interestingly, an embedded NUL bytes makes it so that a typical pdfinfo | grep pipeline fails, because grep says Binary file (standard input) matches. So even if it were safe (it's not, because the ability to inject newlines screws up pdfinfo's structured output), you'd have to use grep -a to force grep to consider it not a binary file.

pdfinfo should probably try to render any document-supplied text more carefully.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information
Assignee
Assign to
None
Milestone
None
Assign milestone
Time tracking
None
Due date
None
Reference: poppler/poppler#776