National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

CVE-2009-3607 Detail

Description

Integer overflow in the create_surface_from_thumbnail_data function in glib/poppler-page.cc in Poppler 0.x allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information.

Source:  MITRE      Last Modified:  10/21/2009

Quick Info

CVE Dictionary Entry:
CVE-2009-3607
Original release date:
10/21/2009
Last revised:
08/16/2017
Source:
US-CERT/NIST

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score:
9.3 HIGH
Vector:
(AV:N/AC:M/Au:N/C:C/I:C/A:C) (legend)
Impact Subscore:
10.0
Exploitability Subscore:
8.6
CVSS Version 2 Metrics:
Access Vector:
Network exploitable - Victim must voluntarily interact with attack mechanism
Access Complexity:
Medium
Authentication:
Not required to exploit
Impact Type:
Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service

Vendor Statements (disclaimer)

Official Statement from Red Hat (10/23/2009)

Not vulnerable. This issue did not affect the version of poppler as shipped with Red Hat Enterprise Linux 5.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource Type Source Name
http://cgit.freedesktop.org/poppler/poppler/commit/?id=c839b706 External Source CONFIRM http://cgit.freedesktop.org/poppler/poppler/commit/?id=c839b706
http://sunsolve.sun.com/search/document.do?assetkey=1-66-274030-1 External Source SUNALERT 274030
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021706.1-1 External Source SUNALERT 1021706
http://www.debian.org/security/2009/dsa-1941 External Source DEBIAN DSA-1941
http://www.mandriva.com/security/advisories?name=MDVSA-2011:175 External Source MANDRIVA MDVSA-2011:175
http://www.openwall.com/lists/oss-security/2009/12/01/1 External Source MLIST [oss-security] 20091130 Need more information on recent poppler issues
http://www.openwall.com/lists/oss-security/2009/12/01/5 External Source MLIST [oss-security] 20091130 Re: Need more information on recent poppler issues
http://www.openwall.com/lists/oss-security/2009/12/01/6 External Source MLIST [oss-security] 20091201 Re: Need more information on recent poppler issues
http://www.securityfocus.com/bid/36718 External Source BID 36718
http://www.ubuntu.com/usn/USN-850-1 External Source UBUNTU USN-850-1
http://www.ubuntu.com/usn/USN-850-3 External Source UBUNTU USN-850-3
http://www.vupen.com/english/advisories/2009/2925 Vendor Advisory External Source VUPEN ADV-2009-2925
https://bugzilla.redhat.com/show_bug.cgi?id=526924 External Source CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=526924
https://exchange.xforce.ibmcloud.com/vulnerabilities/53801 External Source XF poppler-createsurfacefromthumbnaildata-bo(53801)
https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00750.html External Source FEDORA FEDORA-2009-10823
https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00784.html External Source FEDORA FEDORA-2009-10845

Technical Details

Vulnerability Type (View All)

Vulnerable software and versions Switch to CPE 2.2

Configuration 1
OR
cpe:2.3:a:poppler:poppler:0.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.1.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.1.2:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.2.0:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.3.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.3.2:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.3.3:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.4.0:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.4.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.4.2:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.4.3:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.4.4:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.5.0:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.5.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.5.2:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.5.3:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.5.4:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.5.9:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.5.90:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.5.91:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.6.0:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.6.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.6.2:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.6.3:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.6.4:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.7.0:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.7.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.7.2:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.7.3:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.8.0:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.8.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.8.2:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.8.3:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.8.4:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.8.5:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.8.6:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.8.7:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.9.0:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.9.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.9.2:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.9.3:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.10.0:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.10.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.10.2:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.10.3:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.10.4:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.10.5:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.10.6:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.10.7:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.11.0:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.11.1:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.11.2:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.11.3:*:*:*:*:*:*:*
cpe:2.3:a:poppler:poppler:0.12.0:*:*:*:*:*:*:*

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History 2 change records found - show changes