[poppler] Fwd: Re: CVE-2012-2142 xpdf, poppler: Insufficient sanitization of escape sequences in the error messages

William Bader williambader at hotmail.com
Sat Dec 1 12:03:51 PST 2012

> Sure, we disagree there. Both me and the xpdf author agree it is a shell issue, 
> shells should not accept random commands from random outputs, if they do, well 
> it's their fault.
> poppler tries to be as resilient as possible to broken pdf and not crash, 
> shells should do the same and be resilient to broken inputs.

How can a shell protect against it?
If bash piped the stdout and stderr of every command through a filter, programs like emacs could never work.
If a program wrote a huge amount of garbage and bash or xterm broke and started sending pushing some of the garbage into stdin, then I would agree that it would clearly be a shell bug.My old vt100 clone http://williambader.com/museum/cit101/cit101.html did that on occasion, and the only thing that saved me was the verbosity required in VAX/VMS to do anything useful.
The case that I meant is that a program would send codes that made xterm redefine a key.  When the user later presses the key at a shell prompt, the shell has no way to know that the text came from a redefined key instead of from a human typing.
In the old days, some users ran our programs through a vt100 emulator (or kermit) on a PC running MSDOS, and we had small script that they could run to customize the function keys to generate commands for our systems.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/poppler/attachments/20121201/2b71c797/attachment.html>

More information about the poppler mailing list