CVE-2009-4274


Description

Stack-based buffer overflow in converter/ppm/xpmtoppm.c in netpbm before 10.47.07 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an XPM image file that contains a crafted header field associated with a large color index value.

References

http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html

http://netpbm.svn.sourceforge.net/viewvc/netpbm/stable/converter/ppm/xpmtoppm.c?view=patch&r1=995&r2=1076&pathrev=1076

http://netpbm.svn.sourceforge.net/viewvc/netpbm/stable/doc/HISTORY?view=markup

http://secunia.com/advisories/38530

http://secunia.com/advisories/38915

http://www.debian.org/security/2010/dsa-2026

http://www.mandriva.com/security/advisories?name=MDVSA-2010:039

http://www.openwall.com/lists/oss-security/2010/02/09/11

http://www.redhat.com/support/errata/RHSA-2011-1811.html

http://www.securityfocus.com/bid/38164

http://www.vupen.com/english/advisories/2010/0358

http://www.vupen.com/english/advisories/2010/0780

https://bugzilla.redhat.com/show_bug.cgi?id=546580

https://exchange.xforce.ibmcloud.com/vulnerabilities/56207

Details

Source: MITRE

Published: 2010-02-12

Updated: 2017-08-17

Type: CWE-119

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:netpbm:netpbm:10.0:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.1:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.2:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.3:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.4:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.5:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.6:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.7:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.8:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.9:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.10:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.11:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.12:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.13:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.14:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.15:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.16:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.17:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.18:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.19:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.20:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.21:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.22:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.23:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.24:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.25:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.26:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.27:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.28:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.29:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.30:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.31:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.32:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.33:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.34:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.00:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.01:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.02:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.03:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.04:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.05:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.06:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.07:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.08:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.09:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.10:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.11:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.12:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.13:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.14:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.15:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.16:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.17:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.18:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.19:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.20:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.21:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.22:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.23:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.24:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.25:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.26:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.27:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.28:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.29:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.30:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.31:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.32:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.33:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.34:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.35:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.36:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.37:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.38:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.39:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.40:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.41:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.42:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.43:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.44:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.45:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.46:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.35.47:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.36.00:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.37.00:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.38.00:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.39.00:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.40.00:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.41.00:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.42.00:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.43.00:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.44.00:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.45.00:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.46.00:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.47.00:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.47.01:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.47.02:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.47.03:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.47.04:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.47.05:*:*:*:*:*:*:*

cpe:2.3:a:netpbm:netpbm:10.47.06:*:*:*:*:*:*:*

Tenable Plugins

15 plugins total

ID    | Name                                                                      | Product | Family                                 | Severity
------|---------------------------------------------------------------------------|---------|----------------------------------------|---------
70868 | GLSA-201311-08 : Netpbm: User-assisted arbitrary code execution           | Nessus  | Gentoo Local Security Checks           | high
68404 | Oracle Linux 4 / 5 : netpbm (ELSA-2011-1811)                              | Nessus  | Oracle Linux Local Security Checks     | high
61204 | Scientific Linux Security Update : netpbm on SL4.x, SL5.x i386/x86_64     | Nessus  | Scientific Linux Local Security Checks | high
57140 | CentOS 4 / 5 : netpbm (CESA-2011:1811)                                    | Nessus  | CentOS Local Security Checks           | high
57081 | RHEL 4 / 5 : netpbm (RHSA-2011:1811)                                      | Nessus  | Red Hat Local Security Checks          | high
49880 | SuSE 10 Security Update : netpbm (ZYPP Patch Number 6852)                 | Nessus  | SuSE Local Security Checks             | high
46192 | Ubuntu 8.04 LTS / 9.04 / 9.10 : netpbm-free vulnerability (USN-934-1)     | Nessus  | Ubuntu Local Security Checks           | high
45407 | Debian DSA-2026-1 : netpbm-free - stack-based buffer overflow             | Nessus  | Debian Local Security Checks           | high
45003 | SuSE 10 Security Update : netpbm (ZYPP Patch Number 6851)                 | Nessus  | SuSE Local Security Checks             | high
45002 | SuSE 11 Security Update : libnetpbm (SAT Patch Number 1999)               | Nessus  | SuSE Local Security Checks             | high
45001 | openSUSE Security Update : libnetpbm-devel (libnetpbm-devel-2011)         | Nessus  | SuSE Local Security Checks             | high
45000 | openSUSE Security Update : libnetpbm-devel (libnetpbm-devel-2011)         | Nessus  | SuSE Local Security Checks             | high
44999 | openSUSE Security Update : libnetpbm-devel (libnetpbm-devel-2011)         | Nessus  | SuSE Local Security Checks             | high
44998 | SuSE9 Security Update : netpbm (YOU Patch Number 12588)                   | Nessus  | SuSE Local Security Checks             | high
44650 | Mandriva Linux Security Advisory : netpbm (MDVSA-2010:039)                | Nessus  | Mandriva Local Security Checks         | high