CVE-2009-3608

high

Description

Integer overflow in the ObjectStream::ObjectStream function in XRef.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow.

References

ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch

http://secunia.com/advisories/37034

http://www.securityfocus.com/bid/36703

http://www.vupen.com/english/advisories/2009/2925

http://www.vupen.com/english/advisories/2009/2926

http://secunia.com/advisories/37054

http://secunia.com/advisories/37053

http://poppler.freedesktop.org/

https://rhn.redhat.com/errata/RHSA-2009-1512.html

https://rhn.redhat.com/errata/RHSA-2009-1503.html

http://secunia.com/advisories/37051

http://secunia.com/advisories/37061

http://securitytracker.com/id?1023029

http://secunia.com/advisories/37028

https://rhn.redhat.com/errata/RHSA-2009-1504.html

http://www.vupen.com/english/advisories/2009/2928

https://bugzilla.redhat.com/show_bug.cgi?id=526637

http://www.vupen.com/english/advisories/2009/2924

https://rhn.redhat.com/errata/RHSA-2009-1513.html

https://rhn.redhat.com/errata/RHSA-2009-1501.html

http://secunia.com/advisories/37037

http://secunia.com/advisories/37043

https://rhn.redhat.com/errata/RHSA-2009-1502.html

http://secunia.com/advisories/37077

http://www.ocert.org/advisories/ocert-2009-016.html

http://secunia.com/advisories/37079

http://www.mandriva.com/security/advisories?name=MDVSA-2009:287

http://secunia.com/advisories/37159

https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00750.html

https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00784.html

http://www.ubuntu.com/usn/USN-850-1

http://secunia.com/advisories/37114

http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html

http://www.debian.org/security/2009/dsa-1941

http://www.openwall.com/lists/oss-security/2009/12/01/5

http://www.openwall.com/lists/oss-security/2009/12/01/1

http://sunsolve.sun.com/search/document.do?assetkey=1-66-274030-1

http://www.openwall.com/lists/oss-security/2009/12/01/6

http://www.ubuntu.com/usn/USN-850-3

http://www.mandriva.com/security/advisories?name=MDVSA-2009:334

http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035340.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035399.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035408.html

http://www.vupen.com/english/advisories/2010/0802

http://www.debian.org/security/2010/dsa-2028

http://secunia.com/advisories/39327

http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021706.1-1

http://www.debian.org/security/2010/dsa-2050

http://secunia.com/advisories/39938

http://www.vupen.com/english/advisories/2010/1220

http://www.mandriva.com/security/advisories?name=MDVSA-2011:175

https://exchange.xforce.ibmcloud.com/vulnerabilities/53794

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9536

Details

Source: MITRE

Published: 2009-10-21

Updated: 2023-02-13

Type: CWE-189

Risk Information

CVSS v2

Base Score: 9.3

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 8.6

Severity: HIGH