[poppler] Fwd: Re: CVE-2012-2142 xpdf, poppler: Insufficient sanitization of escape sequences in the error messages
Adam Reichold
adamreichold at myopera.com
Sat Dec 1 05:35:17 PST 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello Albert,
The upstream patch looks small enough. The runtime increase hit should
be close to irrelevant for error handling? Hence, I'd say being a good
citizen sounds like the sensible thing to do.
Best regards, Adam.
Am 01.12.2012 02:12, schrieb Albert Astals Cid:
> What is your opinion on this guys?
>
> Basically the problem seems to be we can "print" in the error
> messages characters that will result in command codes that will
> result in shell terminals executing code.
>
> I've already told the redhat people i consider this to be a shel
> terminal problem not a poppler one, but it doesn't mean we could
> try to "be good citizens" and help.
>
> Any opinion on the proposed patch for upstream?
>
> Cheers, Albert
>
>
>
> _______________________________________________ poppler mailing
> list poppler at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/poppler
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
iQEcBAEBAgAGBQJQugeVAAoJEPSSjE3STU34388IAMZTU2fCp9UsVAvjOQmD126J
qGMkMzoqVh03txBDVkGzMZHCl+mu4VyfDTUEjSRU5UhTw+7GbH31SYZXHECmyYMi
YkyU+rOViez1XwkP5y4bowk/H/Of6vG+ljXG1lNvSkaMb2rY2Sgs6iduzik0CrWy
sRE4DDSTL5+Ibd86SRq2i/UOj3+RLXDuBwGZHVzq3iwbc7GmnsCKv2nWs04k8x9j
FGP4XEsrLWliOuBLtAjuY7/kGw8eDJWBPil+05GQrhzUH4PBBszAQfQxfNrPJX0x
Ogie3GBILyHnvqdTgWkcz8/ZfCRHf2kO2u8odHtnxADZ5uNqZEHL3WvvmQSBEGA=
=IX5c
-----END PGP SIGNATURE-----
More information about the poppler
mailing list