[poppler] Fwd: Re: CVE-2012-2142 xpdf, poppler: Insufficient sanitization of escape sequences in the error messages

Albert Astals Cid aacid at kde.org
Sat Dec 1 12:24:38 PST 2012

El Dissabte, 1 de desembre de 2012, a les 15:03:51, William Bader va escriure:
> > Sure, we disagree there. Both me and the xpdf author agree it is a shell
> > issue, shells should not accept random commands from random outputs, if
> > they do, well it's their fault.
> > poppler tries to be as resilient as possible to broken pdf and not crash,
> > shells should do the same and be resilient to broken inputs.
> How can a shell protect against it?

No clue i'm not a shell developer ;-)

> If bash piped the stdout and stderr of every command through a filter,
> programs like emacs could never work. If a program wrote a huge amount of
> garbage and bash or xterm broke and started sending pushing some of the
> garbage into stdin, then I would agree that it would clearly be a shell
> bug.My old vt100 clone http://williambader.com/museum/cit101/cit101.html
> did that on occasion, and the only thing that saved me was the verbosity
> required in VAX/VMS to do anything useful. The case that I meant is that a
> program would send codes that made xterm redefine a key.  When the user
> later presses the key at a shell prompt, the shell has no way to know that
> the text came from a redefined key instead of from a human typing. In the
> old days, some users ran our programs through a vt100 emulator (or kermit)
> on a PC running MSDOS, and we had small script that they could run to
> customize the function keys to generate commands for our systems.

That's "the old days", we are in 2012 now ;-)

But anyway, let's discuss the patch please that is what i asked.


> William

More information about the poppler mailing list