CVE-2009-4035 - The FoFiType1::parse function in fofi/FoFiType1.cc in Xpdf 3.0.0, gpdf 2.8.2, kpdf in kdegraphics 3.

CVE-2009-4035

Summary

The FoFiType1::parse function in fofi/FoFiType1.cc in Xpdf 3.0.0, gpdf 2.8.2, kpdf in kdegraphics 3.3.1, and possibly other libraries and versions, does not check the return value of the getNextLine function, which allows context-dependent attackers to execute arbitrary code via a PDF file with a crafted Type 1 font that can produce a negative value, leading to a signed-to-unsigned integer conversion error and a buffer overflow.

References

Vulnerable Configurations

cpe:2.3:a:gnome:gpdf:2.8.2:*:*:*:*:*:*:*
cpe:2.3:a:gnome:gpdf:2.8.2:*:*:*:*:*:*:*
cpe:2.3:a:kde:kdegraphics:3.3.1:*:*:*:*:*:*:*
cpe:2.3:a:kde:kdegraphics:3.3.1:*:*:*:*:*:*:*
cpe:2.3:a:kde:kpdf:3.3.1:*:*:*:*:*:*:*
cpe:2.3:a:kde:kpdf:3.3.1:*:*:*:*:*:*:*
cpe:2.3:a:xpdf:xpdf:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:xpdf:xpdf:3.0.0:*:*:*:*:*:*:*

CVSS

Base:	9.3 (as of 19-09-2017 - 01:29)
Impact:
Exploitability:

CWE

CWE-94

CAPEC

Code Injection
An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.
Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:M/Au:N/C:C/I:C/A:C

oval via4

accepted

2013-04-29T04:10:34.427-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 4
oval oval:org.mitre.oval:def:11831
comment CentOS Linux 4.x
oval oval:org.mitre.oval:def:16636
comment Oracle Linux 4.x
oval oval:org.mitre.oval:def:15990

description

family

unix

oval:org.mitre.oval:def:10996

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

redhat via4

advisories

bugzilla

id	541614
title	CVE-2009-4035 xpdf: buffer overflow in FoFiType1::parse

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 4 is installed
oval oval:com.redhat.rhba:tst:20070304025
comment xpdf is earlier than 1:3.00-23.el4_8.1
oval oval:com.redhat.rhsa:tst:20091680001
comment xpdf is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060201002

rhsa

id	RHSA-2009:1680
released	2009-12-16
severity	Important
title	RHSA-2009:1680: xpdf security update (Important)

bugzilla

id	541614
title	CVE-2009-4035 xpdf: buffer overflow in FoFiType1::parse

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 4 is installed
oval oval:com.redhat.rhba:tst:20070304025
comment gpdf is earlier than 0:2.8.2-7.7.2.el4_8.6
oval oval:com.redhat.rhsa:tst:20091681001
comment gpdf is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060177002

rhsa

id	RHSA-2009:1681
released	2009-12-16
severity	Important
title	RHSA-2009:1681: gpdf security update (Important)

bugzilla

id	541614
title	CVE-2009-4035 xpdf: buffer overflow in FoFiType1::parse

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 4 is installed
oval oval:com.redhat.rhba:tst:20070304025

AND
comment kdegraphics is earlier than 7:3.3.1-17.el4_8.1
oval oval:com.redhat.rhsa:tst:20091682001
comment kdegraphics is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060206002

AND

comment kdegraphics-devel is earlier than 7:3.3.1-17.el4_8.1
oval oval:com.redhat.rhsa:tst:20091682003
comment kdegraphics-devel is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060206004

rhsa

id	RHSA-2009:1682
released	2009-12-16
severity	Important
title	RHSA-2009:1682: kdegraphics security update (Important)

rpms

xpdf-1:3.00-23.el4_8.1
xpdf-debuginfo-1:3.00-23.el4_8.1
gpdf-0:2.8.2-7.7.2.el4_8.6
gpdf-debuginfo-0:2.8.2-7.7.2.el4_8.6
kdegraphics-7:3.3.1-17.el4_8.1
kdegraphics-debuginfo-7:3.3.1-17.el4_8.1
kdegraphics-devel-7:3.3.1-17.el4_8.1

refmap via4

bid	37350
confirm	http://cgit.freedesktop.org/poppler/poppler/diff/fofi/FoFiType1.cc?id=4b4fc5c0 https://bugzilla.redhat.com/show_bug.cgi?id=541614
misc	http://cgit.freedesktop.org/poppler/poppler/tree/fofi/FoFiType1.cc?id=4b4fc5c017bf147c9069bbce32fc14467bd2a81a
sectrack	1023356
secunia	37641 37781 37787 37793
suse	SUSE-SR:2010:003
vupen	ADV-2009-3555
xf	xpdf-fofitype1parse-bo(54831)

Last major update

19-09-2017 - 01:29

Published

21-12-2009 - 21:30

Last modified

19-09-2017 - 01:29