製品・ソフトウェアに関する情報

JVN脆弱性詳細

Xpdf および Poppler の PSOutputDev::doImageL1Sep 関数における整数オーバーフローの脆弱性

Title	Xpdf および Poppler の PSOutputDev::doImageL1Sep 関数における整数オーバーフローの脆弱性
Summary	Xpdf および Poppler の PSOutputDev::doImageL1Sep 関数には、PDF ドキュメントの処理に不備があるため、整数オーバーフローの脆弱性が存在します。
Possible impacts	第三者に任意のコードをされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 15, 2009, midnight
Registration Date	Nov. 25, 2009, 12:23 p.m.
Last Update	Jan. 20, 2010, 11:57 a.m.

CVSS2.0 : 危険
Score	9.3
Vector	AV:N/AC:M/Au:N/C:C/I:C/A:C

Affected System

サン・マイクロシステムズ

OpenSolaris (sparc)

OpenSolaris (x86)

Sun Solaris 10 (sparc)

Sun Solaris 10 (x86)

レッドハット

Red Hat Enterprise Linux 3 (as)

Red Hat Enterprise Linux 3 (es)

Red Hat Enterprise Linux 3 (ws)

Red Hat Enterprise Linux 4 (as)

Red Hat Enterprise Linux 4 (es)

Red Hat Enterprise Linux 4 (ws)

Red Hat Enterprise Linux 4.8 (as)

Red Hat Enterprise Linux 4.8 (es)

Red Hat Enterprise Linux Desktop 3.0

Red Hat Enterprise Linux Desktop 4.0

Red Hat Enterprise Linux Desktop 5.0 (client)

RHEL Desktop Workstation 5 (client)

RHEL Optional Productivity Applications 5 (server)

RHEL Optional Productivity Applications EUS 5.4.z (server)

サイバートラスト株式会社

Asianux Server 3 (x86)

Asianux Server 3 (x86-64)

Asianux Server 4.0

Asianux Server 4.0 (x86-64)

Glyph & Cog, LLC

Xpdf 3.02pl4 未満

freedesktop.org

Poppler 0.12.1 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2009-3606	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3606
National Vulnerability Database (NVD)
2	CVE-2009-3606	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3606

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-189	https://jvndb.jvn.jp/ja/cwe/CWE-189.html

ベンダー情報

No	Name	URL
Asianux Technical Support Network
1	kdegraphics-3.5.5-3.5AXS3	https://tsn.miraclelinux.com/tsn_local/index.php?m=errata&a=detail&eid=766
MIRACLE LINUX アップデート情報
2	1805	http://www.miraclelinux.com/support/index.php?q=node/99&errata_id=1805
Poppler
3	Top Page	http://poppler.freedesktop.org/
Red Hat Security Advisory
4	RHSA-2009:1500	https://rhn.redhat.com/errata/RHSA-2009-1500.html
5	RHSA-2009:1501	https://rhn.redhat.com/errata/RHSA-2009-1501.html
6	RHSA-2009:1502	https://rhn.redhat.com/errata/RHSA-2009-1502.html
Sun Alert Notification
7	274030	http://sunsolve.sun.com/search/document.do?assetkey=1-66-274030-1
Xpdf
8	Top Page	http://www.foolabs.com/xpdf/
レッドハットセキュリティーアップデート
9	RHSA-2009:1500	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1500J.html
10	RHSA-2009:1501	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1501J.html
11	RHSA-2009:1502	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1502J.html

その他

No	Name	URL
ISS X-Force Database
1	53798	http://xforce.iss.net/xforce/xfdb/53798
Secunia Advisory
2	SA37023	http://secunia.com/advisories/37023
3	SA37037	http://secunia.com/advisories/37037
4	SA37042	http://secunia.com/advisories/37042
5	SA37053	http://secunia.com/advisories/37053
6	SA37077	http://secunia.com/advisories/37077
SecurityFocus
7	36703	http://www.securityfocus.com/bid/36703
SecurityTracker
8	1023029	http://securitytracker.com/id?1023029
VUPEN Security
9	VUPEN/ADV-2009-2924	http://www.vupen.com/english/advisories/2009/2924
10	VUPEN/ADV-2009-2928	http://www.vupen.com/english/advisories/2009/2928

Change Log

No	Changed Details	Date of change
0	[2009年11月25日] 掲載 [2010年01月20日] 影響を受けるシステム：サン・マイクロシステムズ (274030) の情報を追加ベンダ情報：サン・マイクロシステムズ (274030) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2009-3606

Summary	Integer overflow in the PSOutputDev::doImageL1Sep function in Xpdf before 3.02pl4, and Poppler 0.x, as used in kdegraphics KPDF, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow.
Publication Date	Oct. 22, 2009, 2:30 a.m.
Registration Date	Jan. 29, 2021, 1:24 p.m.
Last Update	Feb. 13, 2023, 11:20 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:foolabs:xpdf:3.02pl1:::::::*
cpe:2.3:a:foolabs:xpdf:3.02pl2:::::::*
cpe:2.3:a:foolabs:xpdf:3.02pl3:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.00:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.01:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.02:::::::*
cpe:2.3:a:poppler:poppler:0.1:::::::*
cpe:2.3:a:poppler:poppler:0.1.1:::::::*
cpe:2.3:a:poppler:poppler:0.1.2:::::::*
cpe:2.3:a:poppler:poppler:0.2.0:::::::*
cpe:2.3:a:poppler:poppler:0.3.0:::::::*
cpe:2.3:a:poppler:poppler:0.3.1:::::::*
cpe:2.3:a:poppler:poppler:0.3.2:::::::*
cpe:2.3:a:poppler:poppler:0.3.3:::::::*
cpe:2.3:a:poppler:poppler:0.4.0:::::::*
cpe:2.3:a:poppler:poppler:0.4.1:::::::*
cpe:2.3:a:poppler:poppler:0.4.2:::::::*
cpe:2.3:a:poppler:poppler:0.4.3:::::::*
cpe:2.3:a:poppler:poppler:0.4.4:::::::*
cpe:2.3:a:poppler:poppler:0.5.0:::::::*
cpe:2.3:a:poppler:poppler:0.5.1:::::::*
cpe:2.3:a:poppler:poppler:0.5.2:::::::*
cpe:2.3:a:poppler:poppler:0.5.3:::::::*
cpe:2.3:a:poppler:poppler:0.5.4:::::::*
cpe:2.3:a:poppler:poppler:0.5.9:::::::*
cpe:2.3:a:poppler:poppler:0.6.0:::::::*
cpe:2.3:a:poppler:poppler:0.6.1:::::::*
cpe:2.3:a:poppler:poppler:0.6.2:::::::*
cpe:2.3:a:poppler:poppler:0.6.3:::::::*
cpe:2.3:a:poppler:poppler:0.6.4:::::::*
cpe:2.3:a:poppler:poppler:0.7.0:::::::*
cpe:2.3:a:poppler:poppler:0.7.1:::::::*
cpe:2.3:a:poppler:poppler:0.7.2:::::::*
cpe:2.3:a:poppler:poppler:0.7.3:::::::*
cpe:2.3:a:poppler:poppler:0.8.0:::::::*
cpe:2.3:a:poppler:poppler:0.8.1:::::::*
cpe:2.3:a:poppler:poppler:0.8.2:::::::*
cpe:2.3:a:poppler:poppler:0.8.3:::::::*
cpe:2.3:a:poppler:poppler:0.8.4:::::::*
cpe:2.3:a:poppler:poppler:0.8.6:::::::*
cpe:2.3:a:poppler:poppler:0.8.7:::::::*
cpe:2.3:a:poppler:poppler:0.9.0:::::::*
cpe:2.3:a:poppler:poppler:0.9.1:::::::*
cpe:2.3:a:poppler:poppler:0.9.2:::::::*
cpe:2.3:a:poppler:poppler:0.9.3:::::::*
cpe:2.3:a:poppler:poppler:0.10.0:::::::*
cpe:2.3:a:poppler:poppler:0.10.1:::::::*
cpe:2.3:a:poppler:poppler:0.10.2:::::::*
cpe:2.3:a:poppler:poppler:0.10.3:::::::*
cpe:2.3:a:poppler:poppler:0.10.4:::::::*
cpe:2.3:a:poppler:poppler:0.10.5:::::::*
cpe:2.3:a:poppler:poppler:0.10.6:::::::*
cpe:2.3:a:poppler:poppler:0.10.7:::::::*
cpe:2.3:a:poppler:poppler:0.11.0:::::::*
cpe:2.3:a:poppler:poppler:0.11.1:::::::*
cpe:2.3:a:poppler:poppler:0.11.2:::::::*
cpe:2.3:a:poppler:poppler:0.11.3:::::::*
cpe:2.3:a:poppler:poppler:0.12.0:::::::*
execution environment
1	cpe:2.3:a:kde:kpdf::::::::

Related information, measures and tools

No	URL	refsource	タグ
1	http://secunia.com/advisories/37042	SECUNIA	Vendor Advisory
2	http://secunia.com/advisories/37043	SECUNIA	Vendor Advisory
3	http://securitytracker.com/id?1023029	SECTRACK	Patch
4	http://www.securityfocus.com/bid/36703	BID	Exploit Patch
5	http://secunia.com/advisories/37053	SECUNIA	Vendor Advisory
6	http://secunia.com/advisories/37023	SECUNIA	Vendor Advisory
7	ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch	CONFIRM	Patch
8	https://rhn.redhat.com/errata/RHSA-2009-1500.html	REDHAT
9	http://secunia.com/advisories/37077	SECUNIA	Vendor Advisory
10	https://rhn.redhat.com/errata/RHSA-2009-1501.html	REDHAT	Vendor Advisory
11	https://bugzilla.redhat.com/show_bug.cgi?id=526877	CONFIRM
12	https://rhn.redhat.com/errata/RHSA-2009-1502.html	REDHAT
13	http://cgit.freedesktop.org/poppler/poppler/diff/poppler/PSOutputDev.cc?id=7b2d314a61	CONFIRM
14	http://secunia.com/advisories/37037	SECUNIA	Vendor Advisory
15	http://www.vupen.com/english/advisories/2009/2928	VUPEN	Patch Vendor Advisory
16	http://www.vupen.com/english/advisories/2009/2924	VUPEN	Patch Vendor Advisory
17	http://www.mandriva.com/security/advisories?name=MDVSA-2009:287	MANDRIVA
18	http://secunia.com/advisories/37159	SECUNIA
19	https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00750.html	FEDORA
20	https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00784.html	FEDORA
21	http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html	SUSE
22	http://sunsolve.sun.com/search/document.do?assetkey=1-66-274030-1	SUNALERT
23	http://www.openwall.com/lists/oss-security/2009/12/01/6	MLIST
24	http://www.openwall.com/lists/oss-security/2009/12/01/5	MLIST
25	http://www.debian.org/security/2009/dsa-1941	DEBIAN
26	http://www.openwall.com/lists/oss-security/2009/12/01/1	MLIST
27	http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035408.html	FEDORA
28	http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035340.html	FEDORA
29	http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035399.html	FEDORA
30	http://www.vupen.com/english/advisories/2010/0802	VUPEN
31	http://www.debian.org/security/2010/dsa-2028	DEBIAN
32	http://secunia.com/advisories/39327	SECUNIA
33	http://www.vupen.com/english/advisories/2010/1040	VUPEN
34	http://www.mandriva.com/security/advisories?name=MDVSA-2010:087	MANDRIVA
35	http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021706.1-1	SUNALERT
36	http://www.vupen.com/english/advisories/2010/1220	VUPEN
37	http://secunia.com/advisories/39938	SECUNIA
38	http://www.debian.org/security/2010/dsa-2050	DEBIAN
39	http://www.mandriva.com/security/advisories?name=MDVSA-2011:175	MANDRIVA
40	https://exchange.xforce.ibmcloud.com/vulnerabilities/53798	XF
41	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7836	OVAL
42	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11289	OVAL

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-189	数値処理の問題	https://cwe.mitre.org/data/definitions/189.html

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:foolabs:xpdf:3.02pl1:::::::*
cpe:2.3:a:foolabs:xpdf:3.02pl2:::::::*
cpe:2.3:a:foolabs:xpdf:3.02pl3:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.00:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.01:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.02:::::::*
cpe:2.3:a:poppler:poppler:0.1:::::::*
cpe:2.3:a:poppler:poppler:0.1.1:::::::*
cpe:2.3:a:poppler:poppler:0.1.2:::::::*
cpe:2.3:a:poppler:poppler:0.2.0:::::::*
cpe:2.3:a:poppler:poppler:0.3.0:::::::*
cpe:2.3:a:poppler:poppler:0.3.1:::::::*
cpe:2.3:a:poppler:poppler:0.3.2:::::::*
cpe:2.3:a:poppler:poppler:0.3.3:::::::*
cpe:2.3:a:poppler:poppler:0.4.0:::::::*
cpe:2.3:a:poppler:poppler:0.4.1:::::::*
cpe:2.3:a:poppler:poppler:0.4.2:::::::*
cpe:2.3:a:poppler:poppler:0.4.3:::::::*
cpe:2.3:a:poppler:poppler:0.4.4:::::::*
cpe:2.3:a:poppler:poppler:0.5.0:::::::*
cpe:2.3:a:poppler:poppler:0.5.1:::::::*
cpe:2.3:a:poppler:poppler:0.5.2:::::::*
cpe:2.3:a:poppler:poppler:0.5.3:::::::*
cpe:2.3:a:poppler:poppler:0.5.4:::::::*
cpe:2.3:a:poppler:poppler:0.5.9:::::::*
cpe:2.3:a:poppler:poppler:0.6.0:::::::*
cpe:2.3:a:poppler:poppler:0.6.1:::::::*
cpe:2.3:a:poppler:poppler:0.6.2:::::::*
cpe:2.3:a:poppler:poppler:0.6.3:::::::*
cpe:2.3:a:poppler:poppler:0.6.4:::::::*
cpe:2.3:a:poppler:poppler:0.7.0:::::::*
cpe:2.3:a:poppler:poppler:0.7.1:::::::*
cpe:2.3:a:poppler:poppler:0.7.2:::::::*
cpe:2.3:a:poppler:poppler:0.7.3:::::::*
cpe:2.3:a:poppler:poppler:0.8.0:::::::*
cpe:2.3:a:poppler:poppler:0.8.1:::::::*
cpe:2.3:a:poppler:poppler:0.8.2:::::::*
cpe:2.3:a:poppler:poppler:0.8.3:::::::*
cpe:2.3:a:poppler:poppler:0.8.4:::::::*
cpe:2.3:a:poppler:poppler:0.8.6:::::::*
cpe:2.3:a:poppler:poppler:0.8.7:::::::*
cpe:2.3:a:poppler:poppler:0.9.0:::::::*
cpe:2.3:a:poppler:poppler:0.9.1:::::::*
cpe:2.3:a:poppler:poppler:0.9.2:::::::*
cpe:2.3:a:poppler:poppler:0.9.3:::::::*
cpe:2.3:a:poppler:poppler:0.10.0:::::::*
cpe:2.3:a:poppler:poppler:0.10.1:::::::*
cpe:2.3:a:poppler:poppler:0.10.2:::::::*
cpe:2.3:a:poppler:poppler:0.10.3:::::::*
cpe:2.3:a:poppler:poppler:0.10.4:::::::*
cpe:2.3:a:poppler:poppler:0.10.5:::::::*
cpe:2.3:a:poppler:poppler:0.10.6:::::::*
cpe:2.3:a:poppler:poppler:0.10.7:::::::*
cpe:2.3:a:poppler:poppler:0.11.0:::::::*
cpe:2.3:a:poppler:poppler:0.11.1:::::::*
cpe:2.3:a:poppler:poppler:0.11.2:::::::*
cpe:2.3:a:poppler:poppler:0.11.3:::::::*
cpe:2.3:a:poppler:poppler:0.12.0:::::::*
execution environment
1	cpe:2.3:a:kde:kpdf::::::::