[poppler] Fwd: Re: CVE-2012-2142 xpdf, poppler: Insufficient sanitization of escape sequences in the error messages
William Bader
williambader at hotmail.com
Sat Dec 1 10:34:34 PST 2012
vt100's and some xterms have softkeys that can be set with escape codes.

Back in the 80's when we had vt100's on pdp11's and vaxen in the office, we sometimes played tricks on each other by reprogramming terminals through escape codes.

In theory, if poppler writes raw data from a pdf in an error message, someone could create a pdf that would lead poppler to redefine a function key (or maybe even the "enter" key) to generate a malicious command.

It is an issue for anyone who runs programs using poppler at a command line.

William
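The defensive counterpart to the risk described in the message above, as an added example that is not part of the original post and is not poppler's code: bytes taken from a document are made inert before they reach a terminal in an error message. The names `sanitize_for_terminal` and `report_error` are hypothetical, and the sample bytes are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Copy untrusted bytes into out, keeping printable ASCII (0x20..0x7e) and
 * writing every other byte, plus the backslash itself, as \xNN. This covers
 * ESC (0x1b) and the 8-bit C1 controls (0x80..0x9f) that some terminals also
 * interpret. Output is truncated on a whole-token boundary and always
 * NUL-terminated. Returns bytes written, or (size_t)-1 if out_cap is 0. */
size_t sanitize_for_terminal(const unsigned char *in, size_t in_len,
                             char *out, size_t out_cap)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (out_cap == 0)
        return (size_t)-1;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = in[i];
        int printable = (c >= 0x20 && c <= 0x7e && c != '\\');
        size_t need = printable ? 1 : 4;

        if (o + need >= out_cap)      /* keep one byte for the NUL */
            break;
        if (printable) {
            out[o++] = (char)c;
        } else {
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return o;
}

/* Hypothetical error reporter: document data is only ever printed sanitized. */
void report_error(const char *what, const unsigned char *data, size_t len)
{
    char safe[256];
    sanitize_for_terminal(data, len, safe, sizeof safe);
    fprintf(stderr, "Error: %s '%s'\n", what, safe);
}

int main(void)
{
    /* Constructed sample: control bytes only, not a working key sequence. */
    static const unsigned char sample[] = { 'B', 'a', 'd', 0x1b, '!', 0x9b, '\n' };
    report_error("unknown operator", sample, sizeof sample);
    return 0;
}
```

The sanitizer is deliberately conservative: it also escapes valid non-ASCII text, which is acceptable for diagnostic output but would need a UTF-8 aware variant if localized strings must stay readable.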