Patch for CVE-2017-7698 #19

Merged
merged 1 commit into from May 8, 2017
Contributor

@0ca 0ca commented May 8, 2017

This patch fixes a Use After Free vulnerability in the xpdf code used by swftools.

@matthiaskramm matthiaskramm merged commit c7747f4 into matthiaskramm:master May 8, 2017
@matthiaskramm
Owner

Thanks for the patch!

@0ca
Contributor Author

0ca commented May 23, 2017

Just for reference, this vulnerability, correctly exploited, allows remote attackers to execute arbitrary code. So it is highly recommended to use the patched version of swftools.

@r0mai
Contributor

r0mai commented Jul 10, 2020

@0ca can you give some more context on how this can be exploited? Maybe you have an example pdf that at least causes a crash?

Sorry for commenting on a three-year-old patch, I'm hoping you still have some notes on this :)

The reason I'm asking is because there are legitimate pdfs out in the wild that have mismatched q and Q commands which are rendered by all pdf viewers. With this patch pdf2swf rejects these pdfs. I would like to fix xpdf and pdf2swf in a way that still accepts these pdfs sans the security vulnerability.
