Vulnerability CVE-2009-3604


Published: 2009-10-21   Modified: 2012-02-13

Description:
The Splash::drawImage function in Splash.cc in Xpdf 2.x and 3.x before 3.02pl4, and Poppler 0.x, as used in GPdf and kdegraphics KPDF, does not properly allocate memory, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF document that triggers a NULL pointer dereference or a heap-based buffer overflow.

In our database, we found the following notes for this CVE:
High
Title: Xpdf - Integer overflow which causes heap overflow and NULL pointer dereference
Author: Adam Zabrocki
Date: 16.10.2009

Type: CWE-399 (Resource Management Errors)

CVSS2 => (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Overall CVSS score: 9.3/10
Impact: 10/10
Exploitability: 8.6/10
Access required: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Affected software
Poppler -> Poppler 
Glyphandcog -> Xpdfreader 
Foolabs -> XPDF 

References:
ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch
http://cgit.freedesktop.org/poppler/poppler/commit/?id=9cf2325fb2
http://cgit.freedesktop.org/poppler/poppler/diff/?id=284a928996&id2=75c3466ba2
http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035340.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035399.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035408.html
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html
http://securitytracker.com/id?1023029
http://site.pi3.com.pl/adv/xpdf.txt
http://sunsolve.sun.com/search/document.do?assetkey=1-66-274030-1
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021706.1-1
http://www.debian.org/security/2010/dsa-2028
http://www.debian.org/security/2010/dsa-2050
http://www.mandriva.com/security/advisories?name=MDVSA-2009:287
http://www.mandriva.com/security/advisories?name=MDVSA-2010:087
http://www.mandriva.com/security/advisories?name=MDVSA-2011:175
http://www.securityfocus.com/bid/36703
http://www.ubuntu.com/usn/USN-850-1
http://www.ubuntu.com/usn/USN-850-3
http://www.vupen.com/english/advisories/2009/2924
http://www.vupen.com/english/advisories/2009/2928
http://www.vupen.com/english/advisories/2010/0802
http://www.vupen.com/english/advisories/2010/1040
http://www.vupen.com/english/advisories/2010/1220
https://bugzilla.redhat.com/show_bug.cgi?id=526911
https://exchange.xforce.ibmcloud.com/vulnerabilities/53795
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10969
https://rhn.redhat.com/errata/RHSA-2009-1500.html
https://rhn.redhat.com/errata/RHSA-2009-1501.html
https://rhn.redhat.com/errata/RHSA-2009-1502.html
https://rhn.redhat.com/errata/RHSA-2009-1503.html
https://rhn.redhat.com/errata/RHSA-2009-1512.html
https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00750.html
https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00784.html

Copyright 2024, cxsecurity.com
