CVE-2009-3608

CWE-189 CWE-190 — Integer Overflow10 documents8 sources

Severity

9.3CRITICAL

EPSS

12.7%

top 6.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Poppler Poppler Foolabs Xpdf Glyphandcog Xpdfreader

Timeline

PublishedOct 21

Latest updateMay 3

Description

Integer overflow in the ObjectStream::ObjectStream function in XRef.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages5 packages

▶Debianxpdf< 3.02-2+3

▶Debianpoppler< 0.12.2-1+3

▶NVDpoppler/poppler0.12.0+51

▶NVDfoolabs/xpdf3.02pl1, 3.02pl2, 3.02pl3+2

▶NVDglyphandcog/xpdfreader3.00, 3.01, 3.02+2

Patches

Patch: ftp.foolabs.com ↗Patch: poppler.freedesktop.org ↗Patch: securitytracker.com ↗

🔴Vulnerability Details

GHSA

GHSA-6fmp-2mpq-35v4: Integer overflow in the ObjectStream::ObjectStream function in XRef↗2022-05-03

▶

OSV

CVE-2009-3608: Integer overflow in the ObjectStream::ObjectStream function in XRef↗2009-10-21

▶

CVEList

CVE-2009-3608: Integer overflow in the ObjectStream::ObjectStream function in XRef↗2009-10-21

▶

📋Vendor Advisories

Ubuntu

KOffice vulnerabilities↗2010-08-17

▶

Ubuntu

poppler vulnerabilities↗2009-11-02

▶

Ubuntu

poppler vulnerabilities↗2009-10-21

▶

Red Hat

xpdf/poppler: integer overflow in ObjectStream::ObjectStream (oCERT-2009-016)↗2009-10-14

▶

Debian

CVE-2009-3608: poppler - Integer overflow in the ObjectStream::ObjectStream function in XRef.cc in Xpdf 3...↗2009

▶

💬Community

Bugzilla

CVE-2009-0791 CVE-2009-360{3,4,6,7,8,9} Multiple poppler vulnerabilities↗2009-10-25

▶