CVE-2009-3050
Published 2009-09-02
Priority P3 · 40 · critical · 10 · CVSS 2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 4.38% (90.1th percentile)
Buffer overflow in the set_page_size function in util.cxx in HTMLDOC 1.8.27 and earlier allows context-dependent attackers to execute arbitrary code via a long MEDIA SIZE comment. NOTE: it was later reported that there were additional vectors in htmllib.cxx and ps-pdf.cxx using an AFM font file with a long glyph name, but these vectors do not cross privilege boundaries.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | htmldoc | < htmldoc 1.8.27-4.1 (bookworm) | htmldoc 1.8.27-4.1 (bookworm) |
| htmldoc | htmldoc | <= 1.8.27 | — |
| htmldoc | htmldoc | — | — |
| htmldoc | htmldoc | — | — |
| htmldoc | htmldoc | — | — |
| htmldoc_project | htmldoc | >= 0 < 1.8.27-4.1 | 1.8.27-4.1 |
| htmldoc_project | htmldoc | >= 0 < 1.8.27-4.1 | 1.8.27-4.1 |
| htmldoc_project | htmldoc | >= 0 < 1.8.27-4.1 | 1.8.27-4.1 |
| htmldoc_project | htmldoc | >= 0 < 1.8.27-4.1 | 1.8.27-4.1 |
CVSS provenance
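| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | LOW | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |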
GHSA
GHSA-qmc2-x7wp-66p7: Buffer overflow in the set_page_size function in util
ghsa_unreviewed·2022-05-02
CVE-2009-3050 [HIGH] CWE-119 GHSA-qmc2-x7wp-66p7: Buffer overflow in the set_page_size function in util
OSV
CVE-2009-3050: Buffer overflow in the set_page_size function in util
osv·2009-09-02·CVSS 10.0
CVE-2009-3050 [CRITICAL] CVE-2009-3050: Buffer overflow in the set_page_size function in util
Red Hat
HTMLDOC: Stack-based buffer overflow when setting custom page output size
vendor_redhat·2009-07-14·CVSS 10.0
CVE-2009-3050 [CRITICAL] CWE-121 HTMLDOC: Stack-based buffer overflow when setting custom page output size
Debian
CVE-2009-3050: htmldoc - Buffer overflow in the set_page_size function in util.cxx in HTMLDOC 1.8.27 and ...
vendor_debian·2009·CVSS 10.0
CVE-2009-3050 [CRITICAL] CVE-2009-3050: htmldoc - Buffer overflow in the set_page_size function in util.cxx in HTMLDOC 1.8.27 and ...
Scope: local
bookworm: resolved (fixed in 1.8.27-4.1)
bullseye: resolved (fixed in 1.8.27-4.1)
forky: resolved (fixed in 1.8.27-4.1)
sid: resolved (fixed in 1.8.27-4.1)
trixie: resolved (fixed in 1.8.27-4.1)
No detection rules found.
No public exploits indexed.
http://bugs.gentoo.org/show_bug.cgi?id=278186
http://packetstormsecurity.org/0907-exploits/htmldoc-overflow.txt
http://secunia.com/advisories/35780
http://www.htmldoc.org/str.php?L214
http://www.openwall.com/lists/oss-security/2009/07/25/3
http://www.openwall.com/lists/oss-security/2009/07/26/2
http://www.openwall.com/lists/oss-security/2009/09/01/1