[poppler] Fwd: Re: CVE-2012-2142 xpdf, poppler: Insufficient sanitization of escape sequences in the error messages

Adam Reichold adamreichold at myopera.com
Sat Dec 1 05:35:17 PST 2012


Hello Albert,

The upstream patch looks small enough. The runtime increase hit should
be close to irrelevant for error handling? Hence, I'd say being a good
citizen sounds like the sensible thing to do.

Best regards, Adam.

On 01.12.2012 02:12, Albert Astals Cid wrote:
> What is your opinion on this, guys?
> 
> Basically the problem seems to be we can "print" in the error
> messages characters that will result in command codes that will
> result in shell terminals executing code.
> 
> I've already told the Red Hat people I consider this to be a shell
> terminal problem not a poppler one, but it doesn't mean we could
> try to "be good citizens" and help.
> 
> Any opinion on the proposed patch for upstream?
> 
> Cheers, Albert
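
The kind of filtering discussed in this thread, as an added example: this is not the upstream xpdf/poppler patch and not code from either author. The names `sanitizeForTerminal` and `formatError` are hypothetical, and escaping every byte outside printable ASCII is a conservative choice assumed here.

```cpp
#include <cstdio>
#include <string>

// Hypothetical helper (not poppler's API): make a message safe to write to a
// terminal by replacing every byte outside printable ASCII with a visible
// \xNN escape, so ESC (0x1b), 8-bit CSI (0x9b), BEL, backspace, CR and the
// like never reach the terminal emulator as control codes.
std::string sanitizeForTerminal(const std::string &msg)
{
    static const char hex[] = "0123456789abcdef";
    std::string out;
    out.reserve(msg.size());
    for (unsigned char c : msg) {
        if (c == '\\') {
            out += "\\\\"; // escape the escape character so output stays unambiguous
        } else if (c >= 0x20 && c <= 0x7e) {
            out += static_cast<char>(c); // printable ASCII passes through
        } else {
            out += "\\x";
            out += hex[c >> 4];
            out += hex[c & 0x0f];
        }
    }
    return out;
}

// Hypothetical error reporter: text taken from the document being parsed
// (assumed untrusted) is sanitized before it becomes part of the message.
std::string formatError(long pos, const std::string &detail)
{
    return "Error (" + std::to_string(pos) + "): " + sanitizeForTerminal(detail);
}

int main()
{
    // Constructed sample: a token carrying a colour-change sequence and a BEL.
    const std::string token = std::string("Unknown operator '") + "\x1b[31mfoo\x07" + "'";
    std::fprintf(stderr, "%s\n", formatError(1234, token).c_str());
    return 0;
}
```

Because the filter works on bytes, legitimate non-ASCII text in a message is also shown as `\xNN` escapes; that trade-off keeps the check independent of the terminal's character encoding.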
