CVE-2009-3608

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2009-3608
Integer overflow in the ObjectStream::ObjectStream function in XRef.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow.

9.3 /10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 8.6 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References
Link Resource
ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch Patch
http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035340.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035399.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035408.html
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html
http://poppler.freedesktop.org/ Patch Vendor Advisory
http://secunia.com/advisories/37028 Vendor Advisory
http://secunia.com/advisories/37034 Vendor Advisory
http://secunia.com/advisories/37037 Vendor Advisory
http://secunia.com/advisories/37043 Vendor Advisory
http://secunia.com/advisories/37051 Vendor Advisory
http://secunia.com/advisories/37053 Vendor Advisory
http://secunia.com/advisories/37054 Vendor Advisory
http://secunia.com/advisories/37061 Vendor Advisory
http://secunia.com/advisories/37077 Vendor Advisory
http://secunia.com/advisories/37079 Vendor Advisory
http://secunia.com/advisories/37114
http://secunia.com/advisories/37159
http://secunia.com/advisories/39327
http://secunia.com/advisories/39938
http://securitytracker.com/id?1023029 Patch
http://sunsolve.sun.com/search/document.do?assetkey=1-66-274030-1
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021706.1-1
http://www.debian.org/security/2009/dsa-1941
http://www.debian.org/security/2010/dsa-2028
http://www.debian.org/security/2010/dsa-2050
http://www.mandriva.com/security/advisories?name=MDVSA-2009:287
http://www.mandriva.com/security/advisories?name=MDVSA-2009:334
http://www.mandriva.com/security/advisories?name=MDVSA-2011:175
http://www.ocert.org/advisories/ocert-2009-016.html
http://www.openwall.com/lists/oss-security/2009/12/01/1
http://www.openwall.com/lists/oss-security/2009/12/01/5
http://www.openwall.com/lists/oss-security/2009/12/01/6
http://www.securityfocus.com/bid/36703 Exploit Patch
http://www.ubuntu.com/usn/USN-850-1
http://www.ubuntu.com/usn/USN-850-3
http://www.vupen.com/english/advisories/2009/2924 Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/2925 Vendor Advisory
http://www.vupen.com/english/advisories/2009/2926 Vendor Advisory
http://www.vupen.com/english/advisories/2009/2928 Vendor Advisory
http://www.vupen.com/english/advisories/2010/0802
http://www.vupen.com/english/advisories/2010/1220
https://bugzilla.redhat.com/show_bug.cgi?id=526637 Patch
https://exchange.xforce.ibmcloud.com/vulnerabilities/53794
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9536
https://rhn.redhat.com/errata/RHSA-2009-1501.html
https://rhn.redhat.com/errata/RHSA-2009-1502.html
https://rhn.redhat.com/errata/RHSA-2009-1503.html
https://rhn.redhat.com/errata/RHSA-2009-1504.html
https://rhn.redhat.com/errata/RHSA-2009-1512.html
https://rhn.redhat.com/errata/RHSA-2009-1513.html
https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00750.html
https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00784.html
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:a:foolabs:xpdf:3.02pl1:*:*:*:*:*:*:*
cpe:2.3:a:foolabs:xpdf:3.02pl2:*:*:*:*:*:*:*
cpe:2.3:a:foolabs:xpdf:3.02pl3:*:*:*:*:*:*:*
cpe:2.3:a:glyphandcog:xpdfreader:3.00:*:*:*:*:*:*:*
cpe:2.3:a:glyphandcog:xpdfreader:3.01:*:*:*:*:*:*:*
cpe:2.3:a:glyphandcog:xpdfreader:3.02:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:*:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.1.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.1.2:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.2.0:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.3.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.3.2:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.3.3:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.4.0:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.4.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.4.2:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.4.3:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.4.4:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.5.0:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.5.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.5.2:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.5.3:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.5.4:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.5.9:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.6.0:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.6.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.6.2:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.6.3:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.6.4:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.7.0:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.7.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.7.2:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.7.3:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.8.0:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.8.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.8.2:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.8.3:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.8.4:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.8.6:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.8.7:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.9.0:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.9.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.9.2:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.9.3:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.10.0:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.10.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.10.2:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.10.3:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.10.4:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.10.5:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.10.6:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.10.7:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.11.0:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.11.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.11.2:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.11.3:*:*:*:*:*:*:*
OR cpe:2.3:a:glyph_and_cog:pdftops:*:*:*:*:*:*:*:*
cpe:2.3:a:gnome:gpdf:*:*:*:*:*:*:*:*
cpe:2.3:a:kde:kpdf:*:*:*:*:*:*:*:*
cpe:2.3:a:tetex:tetex:*:*:*:*:*:*:*:*
History

13 Feb 2023, 02:20

Type Values Removed Values Added
Summary CVE-2009-3608 xpdf/poppler: integer overflow in ObjectStream::ObjectStream (oCERT-2009-016) Integer overflow in the ObjectStream::ObjectStream function in XRef.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow.
References
  • {'url': 'https://access.redhat.com/security/cve/CVE-2009-3608', 'name': 'https://access.redhat.com/security/cve/CVE-2009-3608', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://access.redhat.com/errata/RHSA-2009:1502', 'name': 'https://access.redhat.com/errata/RHSA-2009:1502', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://access.redhat.com/errata/RHSA-2009:1512', 'name': 'https://access.redhat.com/errata/RHSA-2009:1512', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://access.redhat.com/errata/RHSA-2009:1513', 'name': 'https://access.redhat.com/errata/RHSA-2009:1513', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://access.redhat.com/errata/RHSA-2010:0400', 'name': 'https://access.redhat.com/errata/RHSA-2010:0400', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://access.redhat.com/errata/RHSA-2009:1503', 'name': 'https://access.redhat.com/errata/RHSA-2009:1503', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://access.redhat.com/errata/RHSA-2009:1501', 'name': 'https://access.redhat.com/errata/RHSA-2009:1501', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://access.redhat.com/errata/RHSA-2009:1504', 'name': 'https://access.redhat.com/errata/RHSA-2009:1504', 'tags': [], 'refsource': 'MISC'}

02 Feb 2023, 15:15

Type Values Removed Values Added
References
  • (MISC) https://access.redhat.com/security/cve/CVE-2009-3608 -
  • (MISC) https://access.redhat.com/errata/RHSA-2009:1502 -
  • (MISC) https://access.redhat.com/errata/RHSA-2009:1512 -
  • (MISC) https://access.redhat.com/errata/RHSA-2009:1513 -
  • (MISC) https://access.redhat.com/errata/RHSA-2010:0400 -
  • (MISC) https://access.redhat.com/errata/RHSA-2009:1503 -
  • (MISC) https://access.redhat.com/errata/RHSA-2009:1501 -
  • (MISC) https://access.redhat.com/errata/RHSA-2009:1504 -
Summary Integer overflow in the ObjectStream::ObjectStream function in XRef.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow. CVE-2009-3608 xpdf/poppler: integer overflow in ObjectStream::ObjectStream (oCERT-2009-016)
Information

Published : 2009-10-21 17:30

Updated : 2023-12-10 10:51

NVD link : CVE-2009-3608

Mitre link : CVE-2009-3608

CVE.ORG link : CVE-2009-3608

JSON object : View

Products Affected

glyphandcog

  • xpdfreader

poppler

  • poppler

gnome

  • gpdf

kde

  • kpdf

foolabs

  • xpdf

glyph_and_cog

  • pdftops

tetex

  • tetex
CWE
CWE-189

Numeric Errors