CVE-2009-3609

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

Integer overflow in the ImageStream::ImageStream function in Stream.cc in Xpdf before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, and CUPS pdftops, allows remote attackers to cause a denial of service (application crash) via a crafted PDF document that triggers a NULL pointer dereference or buffer over-read.

References

ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch

http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035340.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035399.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035408.html

http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html

http://poppler.freedesktop.org/

http://secunia.com/advisories/37023

http://secunia.com/advisories/37028

http://secunia.com/advisories/37034

http://secunia.com/advisories/37037

http://secunia.com/advisories/37043

http://secunia.com/advisories/37051

http://secunia.com/advisories/37054

http://secunia.com/advisories/37061

http://secunia.com/advisories/37077

http://secunia.com/advisories/37079

http://secunia.com/advisories/37114

http://secunia.com/advisories/37159

http://secunia.com/advisories/39327

http://secunia.com/advisories/39938

http://securitytracker.com/id?1023029

http://sunsolve.sun.com/search/document.do?assetkey=1-66-274030-1

http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021706.1-1

http://www.debian.org/security/2010/dsa-2028

http://www.debian.org/security/2010/dsa-2050

http://www.mandriva.com/security/advisories?name=MDVSA-2009:287

http://www.mandriva.com/security/advisories?name=MDVSA-2009:334

http://www.mandriva.com/security/advisories?name=MDVSA-2011:175

http://www.redhat.com/support/errata/RHSA-2010-0755.html

http://www.securityfocus.com/bid/36703

http://www.ubuntu.com/usn/USN-850-1

http://www.ubuntu.com/usn/USN-850-3

http://www.vupen.com/english/advisories/2009/2924

http://www.vupen.com/english/advisories/2009/2925

http://www.vupen.com/english/advisories/2009/2926

http://www.vupen.com/english/advisories/2009/2928

http://www.vupen.com/english/advisories/2010/0802

http://www.vupen.com/english/advisories/2010/1220

https://bugzilla.redhat.com/show_bug.cgi?id=526893

https://exchange.xforce.ibmcloud.com/vulnerabilities/53800

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11043

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8134

https://rhn.redhat.com/errata/RHSA-2009-1500.html

https://rhn.redhat.com/errata/RHSA-2009-1501.html

https://rhn.redhat.com/errata/RHSA-2009-1502.html

https://rhn.redhat.com/errata/RHSA-2009-1503.html

https://rhn.redhat.com/errata/RHSA-2009-1504.html

https://rhn.redhat.com/errata/RHSA-2009-1512.html

https://rhn.redhat.com/errata/RHSA-2009-1513.html

https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00750.html

https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00784.html

Details

Source: MITRE

Published: 2009-10-21

Updated: 2019-03-06

Type: CWE-189

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

AND

OR

cpe:2.3:a:foolabs:xpdf:3.02pl1:*:*:*:*:*:*:*

cpe:2.3:a:foolabs:xpdf:3.02pl2:*:*:*:*:*:*:*

cpe:2.3:a:foolabs:xpdf:3.02pl3:*:*:*:*:*:*:*

cpe:2.3:a:glyphandcog:xpdfreader:3.00:*:*:*:*:*:*:*

cpe:2.3:a:glyphandcog:xpdfreader:3.01:*:*:*:*:*:*:*

cpe:2.3:a:glyphandcog:xpdfreader:3.02:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.1:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.1.1:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.1.2:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.2.0:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.3.1:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.3.2:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.3.3:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.4.0:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.4.1:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.4.2:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.4.3:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.4.4:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.5.0:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.5.1:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.5.2:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.5.3:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.5.4:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.5.9:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.6.0:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.6.1:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.6.2:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.6.3:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.6.4:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.7.0:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.7.1:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.7.2:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.7.3:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.8.0:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.8.1:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.8.2:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.8.3:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.8.4:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.8.6:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.8.7:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.9.0:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.9.1:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.9.2:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.9.3:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.10.0:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.10.1:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.10.2:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.10.3:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.10.4:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.10.5:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.10.6:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.10.7:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.11.0:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.11.1:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.11.2:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:0.11.3:*:*:*:*:*:*:*

cpe:2.3:a:poppler:poppler:*:*:*:*:*:*:*:*

OR

cpe:2.3:a:glyph_and_cog:pdftops:*:*:*:*:*:*:*:*

cpe:2.3:a:gnome:gpdf:*:*:*:*:*:*:*:*

cpe:2.3:a:kde:kpdf:*:*:*:*:*:*:*:*

Tenable Plugins

View all (76 total)

IDNameProductFamilySeverity
70309GLSA-201310-03 : Poppler: Multiple vulnerabilitiesNessusGentoo Local Security Checks
high
68116Oracle Linux 4 : cups (ELSA-2010-0755)NessusOracle Linux Local Security Checks
medium
68040Oracle Linux 3 : tetex (ELSA-2010-0401)NessusOracle Linux Local Security Checks
medium
68039Oracle Linux 5 : tetex (ELSA-2010-0400)NessusOracle Linux Local Security Checks
high
68038Oracle Linux 4 : tetex (ELSA-2010-0399)NessusOracle Linux Local Security Checks
high
67944Oracle Linux 5 : cups (ELSA-2009-1513)NessusOracle Linux Local Security Checks
high
67943Oracle Linux 4 : kdegraphics (ELSA-2009-1512)NessusOracle Linux Local Security Checks
high
67942Oracle Linux 5 : poppler (ELSA-2009-1504)NessusOracle Linux Local Security Checks
high
67941Oracle Linux 4 : gpdf (ELSA-2009-1503)NessusOracle Linux Local Security Checks
high
67940Oracle Linux 4 : xpdf (ELSA-2009-1501)NessusOracle Linux Local Security Checks
high
67939Oracle Linux 3 : xpdf (ELSA-2009-1500)NessusOracle Linux Local Security Checks
high
60863Scientific Linux Security Update : cups on SL3.x, SL4.x i386/x86_64NessusScientific Linux Local Security Checks
medium
60791Scientific Linux Security Update : tetex on SL5.x i386/x86_64NessusScientific Linux Local Security Checks
high
60790Scientific Linux Security Update : tetex on SL4.x i386/x86_64NessusScientific Linux Local Security Checks
high
60789Scientific Linux Security Update : tetex on SL3.x i386/x86_64NessusScientific Linux Local Security Checks
medium
60681Scientific Linux Security Update : xpdf on SL3.x, SL4.x i386/x86_64NessusScientific Linux Local Security Checks
high
60680Scientific Linux Security Update : poppler on SL5.x i386/x86_64NessusScientific Linux Local Security Checks
high
60679Scientific Linux Security Update : kdegraphics on SL4.x, SL5.x i386/x86_64NessusScientific Linux Local Security Checks
high
60678Scientific Linux Security Update : gpdf on SL4.x i386/x86_64NessusScientific Linux Local Security Checks
high
60677Scientific Linux Security Update : cups on SL5.x i386/x86_64NessusScientific Linux Local Security Checks
high
49935SuSE 10 Security Update : xpdf (ZYPP Patch Number 6560)NessusSuSE Local Security Checks
high
49865SuSE 10 Security Update : kdegraphics3-pdf (ZYPP Patch Number 6652)NessusSuSE Local Security Checks
high
49842SuSE 10 Security Update : CUPS (ZYPP Patch Number 6721)NessusSuSE Local Security Checks
medium
49814CentOS 4 : cups (CESA-2010:0755)NessusCentOS Local Security Checks
medium
49802RHEL 4 : cups (RHSA-2010:0755)NessusRed Hat Local Security Checks
medium
48362Ubuntu 9.04 : koffice vulnerabilities (USN-973-1)NessusUbuntu Local Security Checks
critical
48156Mandriva Linux Security Advisory : cups (MDVSA-2009:280)NessusMandriva Local Security Checks
high
47275Fedora 11 : pdfedit-0.4.3-4.fc11 (2010-1842)NessusFedora Local Security Checks
high
47272Fedora 13 : pdfedit-0.4.3-4.fc13 (2010-1805)NessusFedora Local Security Checks
high
47251Fedora 12 : pdfedit-0.4.3-4.fc12 (2010-1377)NessusFedora Local Security Checks
high
46760CentOS 5 : tetex (CESA-2010:0400)NessusCentOS Local Security Checks
high
46709Debian DSA-2050-1 : kdegraphics - several vulnerabilitiesNessusDebian Local Security Checks
high
46310RHEL 3 : tetex (RHSA-2010:0401)NessusRed Hat Local Security Checks
medium
46309RHEL 5 : tetex (RHSA-2010:0400)NessusRed Hat Local Security Checks
high
46308RHEL 4 : tetex (RHSA-2010:0399)NessusRed Hat Local Security Checks
high
46258CentOS 3 : tetex (CESA-2010:0401)NessusCentOS Local Security Checks
medium
46257CentOS 4 : tetex (CESA-2010:0399)NessusCentOS Local Security Checks
high
45427Debian DSA-2028-1 : xpdf - multiple vulnerabilitiesNessusDebian Local Security Checks
high
44995Mandriva Linux Security Advisory : poppler (MDVSA-2010:055)NessusMandriva Local Security Checks
high
44806Debian DSA-1941-1 : poppler - several vulnerabilitiesNessusDebian Local Security Checks
high
43806CentOS 5 : cups (CESA-2009:1513)NessusCentOS Local Security Checks
high
43805CentOS 4 : kdegraphics (CESA-2009:1512)NessusCentOS Local Security Checks
high
43804CentOS 5 : poppler (CESA-2009:1504)NessusCentOS Local Security Checks
high
43803CentOS 4 : gpdf (CESA-2009:1503)NessusCentOS Local Security Checks
high
43802CentOS 5 : kdegraphics (CESA-2009:1502)NessusCentOS Local Security Checks
high
43801CentOS 4 : xpdf (CESA-2009:1501)NessusCentOS Local Security Checks
high
43613Mandriva Linux Security Advisory : kde (MDVSA-2009:346)NessusMandriva Local Security Checks
critical
43598SuSE9 Security Update : cups, cups-client, cups-devel, cups-libs (YOU Patch Number 12561)NessusSuSE Local Security Checks
medium
43389SuSE 10 Security Update : CUPS (ZYPP Patch Number 6720)NessusSuSE Local Security Checks
medium
43363Mandriva Linux Security Advisory : koffice (MDVSA-2009:336)NessusMandriva Local Security Checks
high
42816SuSE 10 Security Update : kdegraphics3-pdf (ZYPP Patch Number 6653)NessusSuSE Local Security Checks
high
42815openSUSE 10 Security Update : cups (cups-6565)NessusSuSE Local Security Checks
high
42814openSUSE Security Update : kdegraphics3-pdf (kdegraphics3-pdf-1536)NessusSuSE Local Security Checks
high
42813openSUSE Security Update : kdegraphics3-pdf (kdegraphics3-pdf-1536)NessusSuSE Local Security Checks
high
42422openSUSE 10 Security Update : xpdf (xpdf-6558)NessusSuSE Local Security Checks
high
42419openSUSE Security Update : xpdf (xpdf-1397)NessusSuSE Local Security Checks
high
42417openSUSE Security Update : xpdf (xpdf-1397)NessusSuSE Local Security Checks
high
42406SuSE 10 Security Update : xpdf (ZYPP Patch Number 6556)NessusSuSE Local Security Checks
high
42344Ubuntu 9.10 : poppler vulnerabilities (USN-850-3)NessusUbuntu Local Security Checks
high
42294Slackware 12.0 / 12.1 / 12.2 / 13.0 / current : poppler (SSA:2009-302-02)NessusSlackware Local Security Checks
high
42293Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 9.1 / current : xpdf (SSA:2009-302-01)NessusSlackware Local Security Checks
high
42280Fedora 11 : poppler-0.10.7-3.fc11 (2009-10845)NessusFedora Local Security Checks
high
42279Fedora 10 : poppler-0.8.7-7.fc10 (2009-10823)NessusFedora Local Security Checks
high
42215Mandriva Linux Security Advisory : xpdf (MDVSA-2009:287-1)NessusMandriva Local Security Checks
high
42207Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : poppler vulnerabilities (USN-850-1)NessusUbuntu Local Security Checks
high
42194Fedora 10 : xpdf-3.02-15.fc10 (2009-10694)NessusFedora Local Security Checks
high
42192Fedora 11 : xpdf-3.02-15.fc11 (2009-10648)NessusFedora Local Security Checks
high
42181Mandriva Linux Security Advisory : cups (MDVSA-2009:282-1)NessusMandriva Local Security Checks
critical
42165RHEL 5 : cups (RHSA-2009:1513)NessusRed Hat Local Security Checks
high
42164RHEL 4 : kdegraphics (RHSA-2009:1512)NessusRed Hat Local Security Checks
high
42163RHEL 5 : poppler (RHSA-2009:1504)NessusRed Hat Local Security Checks
high
42162RHEL 4 : gpdf (RHSA-2009:1503)NessusRed Hat Local Security Checks
high
42161RHEL 5 : kdegraphics (RHSA-2009:1502)NessusRed Hat Local Security Checks
high
42160RHEL 4 : xpdf (RHSA-2009:1501)NessusRed Hat Local Security Checks
high
42159RHEL 3 : xpdf (RHSA-2009:1500)NessusRed Hat Local Security Checks
high
42151CentOS 3 : xpdf (CESA-2009:1500)NessusCentOS Local Security Checks
high