Bug#1026908: pdfdetach: directory traversal
Jakub Wilk
jwilk at jwilk.net
Fri Dec 23 18:31:26 GMT 2022
Package: poppler-utils
Version: 22.08.0-2.1
Tags: security
pdfdetach(1) is vulnerable to directory traversal.
Proof of concept:
$ pwd
/home/jwilk/misc
$ ls /tmp/moo
ls: cannot access '/tmp/moo': No such file or directory
$ pdfdetach -saveall traversal.pdf
$ ls /tmp/moo
/tmp/moo
OK, maybe I was supposed to use -o to specify the destination directory
explicitly... But that doesn't help either:
$ rm -f /tmp/moo
$ pdfdetach -o . -saveall traversal.pdf
$ ls -s /tmp/moo
/tmp/moo
-- System Information:
Architecture: i386
Versions of packages poppler-utils depends on:
ii libpoppler123 22.08.0-2.1
ii libc6 2.36-6
ii libcairo2 1.16.0-7
ii libfreetype6 2.12.1+dfsg-3
ii libgcc-s1 12.2.0-10
ii liblcms2-2 2.13.1-1+b1
ii libstdc++6 12.2.0-10
--
Jakub Wilk
Attachment: traversal.pdf (application/pdf, 851 bytes)
URL: <http://alioth-lists.debian.net/pipermail/pkg-freedesktop-maintainers/attachments/20221223/2c21803d/attachment.pdf>
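The bug above comes down to writing an embedded file under whatever name the PDF supplies. The check below is an added example of the filename validation a tool like pdfdetach needs before saving an attachment; it is a hypothetical helper written for this report, not poppler's own code, and it assumes a POSIX filesystem.

```python
import os
import tempfile
from typing import Dict, List, Optional

# Hypothetical helper written for this report, not poppler's own code.


def safe_attachment_path(out_dir: str, name: str) -> Optional[str]:
    """Return the path under out_dir where an embedded file called `name`
    may be written, or None if `name` must not be used as-is."""
    # An attachment name is a bare file name, never a path: reject empty
    # names, "." and "..", NUL bytes and any directory separator, so both
    # "/tmp/moo" and "../../tmp/moo" are refused before any I/O happens.
    if not name or name in (".", "..") or "\x00" in name:
        return None
    if "/" in name or "\\" in name:
        return None
    base = os.path.realpath(out_dir)
    dest = os.path.realpath(os.path.join(base, name))
    # Belt and braces: after resolving symlinks the destination must still
    # sit directly inside out_dir (catches a pre-existing symlink named `name`
    # that points somewhere else, which a plain open() would write through).
    if os.path.dirname(dest) != base:
        return None
    return dest


def check_names(out_dir: str, names: List[str]) -> Dict[str, bool]:
    """Classify candidate embedded-file names: True means safe to write."""
    return {n: safe_attachment_path(out_dir, n) is not None for n in names}


def symlink_is_rejected() -> bool:
    """Self-check: a symlink in out_dir pointing elsewhere is not written through."""
    with tempfile.TemporaryDirectory() as out_dir, tempfile.TemporaryDirectory() as other:
        os.symlink(os.path.join(other, "moo"), os.path.join(out_dir, "link"))
        return safe_attachment_path(out_dir, "link") is None


if __name__ == "__main__":
    # Constructed sample names, including the shapes this report is about.
    samples = ["notes.txt", "/tmp/moo", "../../tmp/moo", "..", "a\\b"]
    for name, ok in check_names(".", samples).items():
        print(f"{name!r}: {'ok' if ok else 'REJECTED'}")
    print("symlink rejected:", symlink_is_rejected())
```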