Bug 789936 (CVE-2012-2142) - CVE-2012-2142 poppler, xpdf: Insufficient sanitization of escape sequences in the error messages
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2012-2142
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 995400 995401 995402 1013943
Blocks: 789948
Reported: 2012-02-13 10:18 UTC by Jan Lieskovsky
Modified: 2023-05-13 01:50 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2021-06-11 21:04:31 UTC
Embargoed:


Attachments (Terms of Use)
Proposed poppler patch by Marek Kasik (against upstream poppler version) (1.50 KB, patch)
2013-08-09 08:41 UTC, Jan Lieskovsky

Description Jan Lieskovsky 2012-02-13 10:18:24 UTC
An insufficient escape-sequence sanitization flaw was found in the way xpdf, a PDF file viewer for the X window system, and poppler, a PDF rendering library, performed sanitization of certain characters to be displayed in the error messages which arose during presentation of certain PDF files. A remote attacker could use this flaw to modify a window's title, or possibly execute arbitrary commands or overwrite files, via a specially-crafted PDF file containing an escape sequence for a terminal emulator, if a local, unsuspecting user opened such a crafted PDF file in xpdf or in an application linked against the poppler library (for example evince).
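The class of fix this report calls for is to make sure no raw control byte from the document ever reaches a terminal through a diagnostic. The following is an added example, not poppler's, xpdf's or the attached patch's code: a sanitizer that replaces every byte outside printable ASCII before an error message is written, plus a counter that tells a maintainer how many bytes were rewritten. The sample message is constructed for the example.

```cpp
#include <cstdio>
#include <string>

// Keep only printable ASCII (0x20..0x7e). Everything else becomes '?':
// ESC (0x1b) introduces terminal control sequences, DEL (0x7f) and the other
// C0 controls are unsafe on a terminal, and bytes >= 0x80 may be C1 controls
// or fragments of multi-byte encodings. Newline and tab are replaced as well,
// so a crafted message cannot forge extra log lines.
std::string sanitizeForTerminal(const std::string &msg) {
    std::string out;
    out.reserve(msg.size());
    for (unsigned char c : msg) {
        out.push_back((c >= 0x20 && c <= 0x7e) ? static_cast<char>(c) : '?');
    }
    return out;
}

// Number of bytes the sanitizer would rewrite. A non-zero count for a
// message derived from file content is worth logging on its own: it means
// the document carried control bytes into a diagnostic path.
size_t countUnsafeBytes(const std::string &msg) {
    size_t n = 0;
    for (unsigned char c : msg) {
        if (c < 0x20 || c >= 0x7f) ++n;
    }
    return n;
}

// Error sink: every piece of document-influenced text passes through the
// sanitizer before it is written to stderr (which may be a terminal).
void reportError(long pos, const std::string &detail) {
    std::fprintf(stderr, "Error (%ld): %s\n", pos,
                 sanitizeForTerminal(detail).c_str());
}

int main() {
    // Constructed sample: a font name from a PDF that embeds ESC '[' (the
    // start of a CSI terminal control sequence) and a raw newline.
    const std::string crafted = std::string("Unknown font /F1\x1b[31m\nfake line");
    std::printf("unsafe bytes: %zu\n", countUnsafeBytes(crafted));  // 2
    reportError(42, crafted);  // Error (42): Unknown font /F1?[31m?fake line
    return 0;
}
```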

Comment 5 Jan Lieskovsky 2012-02-13 10:33:07 UTC
This issue affects the versions of the poppler package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the poppler package, as shipped with Fedora releases 18 and 19.

--

This issue affects the versions of the xpdf package, as shipped with Fedora EPEL 5 and Fedora EPEL 6.

Comment 22 Jan Lieskovsky 2012-04-26 15:53:45 UTC
The CVE identifier of CVE-2012-2142 has been assigned to this issue.

Comment 24 Jan Lieskovsky 2012-04-27 13:20:52 UTC
Acknowledgements:

Red Hat would like to thank Phillips Wolf for reporting this issue.

Comment 25 Jan Lieskovsky 2013-08-09 08:41:01 UTC
Created attachment 784759 [details]
Proposed poppler patch by Marek Kasik (against upstream poppler version)

Comment 26 Jan Lieskovsky 2013-08-09 09:24:18 UTC
Created poppler tracking bugs for this issue:

Affects: fedora-all [bug 995400]

Comment 27 Jan Lieskovsky 2013-08-09 09:25:41 UTC
Created xpdf tracking bugs for this issue:

Affects: fedora-all [bug 995401]
Affects: epel-all [bug 995402]

Comment 28 Jan Lieskovsky 2013-08-09 09:34:02 UTC
Relevant poppler Git repository patch:
  http://cgit.freedesktop.org/poppler/poppler/commit/?id=71bad47ed6a36d825b0d08992c8db56845c71e40

Comment 29 Jan Lieskovsky 2013-08-11 12:26:15 UTC
(In reply to Jan Lieskovsky from comment #28)
> Relevant poppler Git repository patch:
> http://cgit.freedesktop.org/poppler/poppler/commit/?id=71bad47ed6a36d825b0d08992c8db56845c71e40

Poppler patch modified against xpdf-3.0.3:
(from http://www.openwall.com/lists/oss-security/2013/08/11/1):
  http://sourceforge.net/projects/miscellaneouspa/files/misc/xpdf-3.03-CVE-2012-2142.diff

Comment 30 Fedora Update System 2013-09-03 22:27:13 UTC
poppler-0.20.2-16.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 31 Fedora Update System 2013-10-01 02:05:45 UTC
xpdf-3.03-8.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 32 Fedora Update System 2013-10-01 02:07:38 UTC
xpdf-3.03-8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 33 Fedora Update System 2013-10-01 02:11:11 UTC
xpdf-3.03-8.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 36 Fedora Update System 2013-10-08 20:37:16 UTC
xpdf-3.03-8.el5.1 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 37 Fedora Update System 2013-10-08 20:38:32 UTC
xpdf-3.03-8.el6.1 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 39 Product Security DevOps Team 2021-06-11 21:04:31 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2012-2142