Vulnerabilities > CVE-2009-4035 - Code Injection vulnerability in multiple products

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
gnome
kde
xpdf
CWE-94
critical
nessus
NVD
Published: 2009-12-21
Updated: 2017-09-19

Summary

The FoFiType1::parse function in fofi/FoFiType1.cc in Xpdf 3.0.0, gpdf 2.8.2, kpdf in kdegraphics 3.3.1, and possibly other libraries and versions, does not check the return value of the getNextLine function, which allows context-dependent attackers to execute arbitrary code via a PDF file with a crafted Type 1 font that can produce a negative value, leading to a signed-to-unsigned integer conversion error and a buffer overflow.

Vulnerable Configurations

Part Description Count
Application
Gnome
1
Application
Kde
2
Application
Xpdf
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Nessus

  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2009-1681.NASL
    descriptionAn updated gpdf package that fixes a security issue is now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. GPdf is a viewer for Portable Document Format (PDF) files. Petr Gajdos and Christian Kornacker of SUSE reported a buffer overflow flaw in GPdf
    last seen2020-06-01
    modified2020-06-02
    plugin id43358
    published2009-12-21
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43358
    titleCentOS 4 : gpdf (CESA-2009:1681)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_2_LIBPOPPLER-DEVEL-100111.NASL
    descriptionThis update of libpoppler5 fixes various security issues. CVE-2009-0791: Fix multiple integer overflows in
    last seen2020-06-01
    modified2020-06-02
    plugin id43856
    published2010-01-12
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/43856
    titleopenSUSE Security Update : libpoppler-devel (libpoppler-devel-1735)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_POPPLER-6751.NASL
    descriptionThis update of poppler fixes two security issues : - Integer overflow in the ObjectStream::ObjectStream function in XRef.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow. (CVE-2009-3608) - A indexing error in FoFiType1::parse() was fixed that could be used by attackers to corrupt memory and potentially execute code. (CVE-2009-4035)
    last seen2020-06-01
    modified2020-06-02
    plugin id43621
    published2010-01-03
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/43621
    titleSuSE 10 Security Update : poppler (ZYPP Patch Number 6751)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_LIBPOPPLER-DEVEL-091221.NASL
    descriptionThis update of libpoppler4 fixes various security issues. - Fix multiple integer overflows in
    last seen2020-06-01
    modified2020-06-02
    plugin id43620
    published2010-01-03
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/43620
    titleSuSE 11 Security Update : libpoppler (SAT Patch Number 1731)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2009-1682.NASL
    descriptionUpdated kdegraphics packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The kdegraphics packages contain applications for the K Desktop Environment, including KPDF, a viewer for Portable Document Format (PDF) files. Petr Gajdos and Christian Kornacker of SUSE reported a buffer overflow flaw in KPDF
    last seen2020-06-01
    modified2020-06-02
    plugin id43180
    published2009-12-17
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43180
    titleRHEL 4 : kdegraphics (RHSA-2009:1682)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_POPPLER-6743.NASL
    descriptionThis update of poppler fixes two security issues : - Integer overflow in the ObjectStream::ObjectStream function in XRef.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow. (CVE-2009-3608) - A indexing error in FoFiType1::parse() was fixed that could be used by attackers to corrupt memory and potentially execute code. (CVE-2009-4035)
    last seen2020-06-01
    modified2020-06-02
    plugin id49916
    published2010-10-11
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/49916
    titleSuSE 10 Security Update : poppler (ZYPP Patch Number 6743)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_0_LIBPOPPLER-DEVEL-091223.NASL
    descriptionThis update of libpoppler3 fixes various security issues. CVE-2009-0791: Fix multiple integer overflows in
    last seen2020-06-01
    modified2020-06-02
    plugin id43616
    published2010-01-03
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/43616
    titleopenSUSE Security Update : libpoppler-devel (libpoppler-devel-1740)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2009-1680.NASL
    descriptionAn updated xpdf package that fixes a security issue is now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. Petr Gajdos and Christian Kornacker of SUSE reported a buffer overflow flaw in Xpdf
    last seen2020-06-01
    modified2020-06-02
    plugin id43178
    published2009-12-17
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43178
    titleRHEL 4 : xpdf (RHSA-2009:1680)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2009-1680.NASL
    descriptionFrom Red Hat Security Advisory 2009:1680 : An updated xpdf package that fixes a security issue is now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. Petr Gajdos and Christian Kornacker of SUSE reported a buffer overflow flaw in Xpdf
    last seen2020-06-01
    modified2020-06-02
    plugin id67976
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67976
    titleOracle Linux 4 : xpdf (ELSA-2009-1680)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201402-17.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201402-17 (Xpdf: User-assisted execution of arbitrary code) Multiple vulnerabilities have been discovered in Xpdf. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker could execute arbitrary code or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id72549
    published2014-02-18
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/72549
    titleGLSA-201402-17 : Xpdf: User-assisted execution of arbitrary code
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2009-1680.NASL
    descriptionAn updated xpdf package that fixes a security issue is now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. Petr Gajdos and Christian Kornacker of SUSE reported a buffer overflow flaw in Xpdf
    last seen2020-06-01
    modified2020-06-02
    plugin id43357
    published2009-12-21
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43357
    titleCentOS 4 : xpdf (CESA-2009:1680)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2009-1681.NASL
    descriptionAn updated gpdf package that fixes a security issue is now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. GPdf is a viewer for Portable Document Format (PDF) files. Petr Gajdos and Christian Kornacker of SUSE reported a buffer overflow flaw in GPdf
    last seen2020-06-01
    modified2020-06-02
    plugin id43179
    published2009-12-17
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43179
    titleRHEL 4 : gpdf (RHSA-2009:1681)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2009-1681.NASL
    descriptionFrom Red Hat Security Advisory 2009:1681 : An updated gpdf package that fixes a security issue is now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. GPdf is a viewer for Portable Document Format (PDF) files. Petr Gajdos and Christian Kornacker of SUSE reported a buffer overflow flaw in GPdf
    last seen2020-06-01
    modified2020-06-02
    plugin id67977
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67977
    titleOracle Linux 4 : gpdf (ELSA-2009-1681)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2009-1682.NASL
    descriptionUpdated kdegraphics packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The kdegraphics packages contain applications for the K Desktop Environment, including KPDF, a viewer for Portable Document Format (PDF) files. Petr Gajdos and Christian Kornacker of SUSE reported a buffer overflow flaw in KPDF
    last seen2020-06-01
    modified2020-06-02
    plugin id43359
    published2009-12-21
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43359
    titleCentOS 4 : kdegraphics (CESA-2009:1682)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_1_LIBPOPPLER-DEVEL-091222.NASL
    descriptionThis update of poppler fixes several security issues : This update of libpoppler4 fixes various security issues. CVE-2009-0791: Fix multiple integer overflows in
    last seen2020-06-01
    modified2020-06-02
    plugin id43617
    published2010-01-03
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/43617
    titleopenSUSE Security Update : libpoppler-devel (libpoppler-devel-1741)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20091216_XPDF_ON_SL4_X.NASL
    descriptionPetr Gajdos and Christian Kornacker of SUSE reported a buffer overflow flaw in Xpdf
    last seen2020-06-01
    modified2020-06-02
    plugin id60712
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60712
    titleScientific Linux Security Update : xpdf on SL4.x i386/x86_64
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20091216_GPDF_ON_SL4_X.NASL
    descriptionPetr Gajdos and Christian Kornacker of SUSE reported a buffer overflow flaw in GPdf
    last seen2020-06-01
    modified2020-06-02
    plugin id60710
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60710
    titleScientific Linux Security Update : gpdf on SL4.x i386/x86_64
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2009-1682.NASL
    descriptionFrom Red Hat Security Advisory 2009:1682 : Updated kdegraphics packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The kdegraphics packages contain applications for the K Desktop Environment, including KPDF, a viewer for Portable Document Format (PDF) files. Petr Gajdos and Christian Kornacker of SUSE reported a buffer overflow flaw in KPDF
    last seen2020-06-01
    modified2020-06-02
    plugin id67978
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67978
    titleOracle Linux 4 : kdegraphics (ELSA-2009-1682)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_2_LIBPOPPLER-DEVEL-091222.NASL
    descriptionThis update of libpoppler5 fixes various security issues. CVE-2009-0791: Fix multiple integer overflows in
    last seen2020-06-01
    modified2020-06-02
    plugin id43618
    published2010-01-03
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/43618
    titleSuSE 11.2 Security Update: libpoppler-devel (2009-12-22)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20091216_KDEGRAPHICS_ON_SL4_X.NASL
    descriptionPetr Gajdos and Christian Kornacker of SUSE reported a buffer overflow flaw in KPDF
    last seen2020-06-01
    modified2020-06-02
    plugin id60711
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60711
    titleScientific Linux Security Update : kdegraphics on SL4.x i386/x86_64

Oval

accepted2013-04-29T04:10:34.427-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
descriptionThe FoFiType1::parse function in fofi/FoFiType1.cc in Xpdf 3.0.0, gpdf 2.8.2, kpdf in kdegraphics 3.3.1, and possibly other libraries and versions, does not check the return value of the getNextLine function, which allows context-dependent attackers to execute arbitrary code via a PDF file with a crafted Type 1 font that can produce a negative value, leading to a signed-to-unsigned integer conversion error and a buffer overflow.
familyunix
idoval:org.mitre.oval:def:10996
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleThe FoFiType1::parse function in fofi/FoFiType1.cc in Xpdf 3.0.0, gpdf 2.8.2, kpdf in kdegraphics 3.3.1, and possibly other libraries and versions, does not check the return value of the getNextLine function, which allows context-dependent attackers to execute arbitrary code via a PDF file with a crafted Type 1 font that can produce a negative value, leading to a signed-to-unsigned integer conversion error and a buffer overflow.
version26

Redhat

advisories
  • bugzilla
    id541614
    titleCVE-2009-4035 xpdf: buffer overflow in FoFiType1::parse
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 4 is installed
        ovaloval:com.redhat.rhba:tst:20070304025
      • commentxpdf is earlier than 1:3.00-23.el4_8.1
        ovaloval:com.redhat.rhsa:tst:20091680001
      • commentxpdf is signed with Red Hat master key
        ovaloval:com.redhat.rhsa:tst:20060201002
    rhsa
    idRHSA-2009:1680
    released2009-12-16
    severityImportant
    titleRHSA-2009:1680: xpdf security update (Important)
  • bugzilla
    id541614
    titleCVE-2009-4035 xpdf: buffer overflow in FoFiType1::parse
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 4 is installed
        ovaloval:com.redhat.rhba:tst:20070304025
      • commentgpdf is earlier than 0:2.8.2-7.7.2.el4_8.6
        ovaloval:com.redhat.rhsa:tst:20091681001
      • commentgpdf is signed with Red Hat master key
        ovaloval:com.redhat.rhsa:tst:20060177002
    rhsa
    idRHSA-2009:1681
    released2009-12-16
    severityImportant
    titleRHSA-2009:1681: gpdf security update (Important)
  • bugzilla
    id541614
    titleCVE-2009-4035 xpdf: buffer overflow in FoFiType1::parse
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 4 is installed
        ovaloval:com.redhat.rhba:tst:20070304025
      • OR
        • AND
          • commentkdegraphics is earlier than 7:3.3.1-17.el4_8.1
            ovaloval:com.redhat.rhsa:tst:20091682001
          • commentkdegraphics is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060206004
        • AND
          • commentkdegraphics-devel is earlier than 7:3.3.1-17.el4_8.1
            ovaloval:com.redhat.rhsa:tst:20091682003
          • commentkdegraphics-devel is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060206002
    rhsa
    idRHSA-2009:1682
    released2009-12-16
    severityImportant
    titleRHSA-2009:1682: kdegraphics security update (Important)
rpms
  • xpdf-1:3.00-23.el4_8.1
  • xpdf-debuginfo-1:3.00-23.el4_8.1
  • gpdf-0:2.8.2-7.7.2.el4_8.6
  • gpdf-debuginfo-0:2.8.2-7.7.2.el4_8.6
  • kdegraphics-7:3.3.1-17.el4_8.1
  • kdegraphics-debuginfo-7:3.3.1-17.el4_8.1
  • kdegraphics-devel-7:3.3.1-17.el4_8.1

References