製品・ソフトウェアに関する情報

JVN脆弱性詳細

Xpdf および Poppler の ImageStream::ImageStream 関数における整数オーバーフローの脆弱性

Title	Xpdf および Poppler の ImageStream::ImageStream 関数における整数オーバーフローの脆弱性
Summary	Xpdf および Poppler の ImageStream::ImageStream 関数には、PDF ドキュメントの処理に不備があるため、整数オーバーフローの脆弱性が存在します。
Possible impacts	第三者にサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 15, 2009, midnight
Registration Date	Nov. 25, 2009, 12:24 p.m.
Last Update	Oct. 22, 2010, 2:38 p.m.

CVSS2.0 : 警告
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:N/A:P

Affected System

サン・マイクロシステムズ

OpenSolaris (sparc)

OpenSolaris (x86)

Sun Solaris 10 (sparc)

Sun Solaris 10 (x86)

レッドハット

Red Hat Enterprise Linux 3 (as)

Red Hat Enterprise Linux 3 (es)

Red Hat Enterprise Linux 3 (ws)

Red Hat Enterprise Linux 4 (as)

Red Hat Enterprise Linux 4 (es)

Red Hat Enterprise Linux 4 (ws)

Red Hat Enterprise Linux 4.8 (as)

Red Hat Enterprise Linux 4.8 (es)

Red Hat Enterprise Linux 5 (server)

Red Hat Enterprise Linux Desktop 3.0

Red Hat Enterprise Linux Desktop 4.0

Red Hat Enterprise Linux Desktop 5.0 (client)

Red Hat Enterprise Linux EUS 5.4.z (server)

RHEL Desktop Workstation 5 (client)

RHEL Optional Productivity Applications 5 (server)

RHEL Optional Productivity Applications EUS 5.4.z (server)

サイバートラスト株式会社

Asianux Server 3 (x86)

Asianux Server 3 (x86-64)

Asianux Server 4.0

Asianux Server 4.0 (x86-64)

Glyph & Cog, LLC

Xpdf 3.02pl4 未満

freedesktop.org

Poppler 0.12.1 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2009-3609	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3609
National Vulnerability Database (NVD)
2	CVE-2009-3609	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3609

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-189	https://jvndb.jvn.jp/ja/cwe/CWE-189.html

ベンダー情報

No	Name	URL
Asianux Technical Support Network
1	cups-1.3.7-11.3.1AXS3	https://tsn.miraclelinux.com/tsn_local/index.php?m=errata&a=detail&eid=762
2	kdegraphics-3.5.5-3.5AXS3	https://tsn.miraclelinux.com/tsn_local/index.php?m=errata&a=detail&eid=766
3	poppler-0.5.4-4.4.11.1AXS3	https://tsn.miraclelinux.com/tsn_local/index.php?m=errata&a=detail&eid=764
4	tetex-3.0-33.8.5.0.1.AXS3	https://tsn.miraclelinux.com/tsn_local/index.php?m=errata&a=detail&eid=1040
MIRACLE LINUX アップデート情報
5	1805	http://www.miraclelinux.com/support/index.php?q=node/99&errata_id=1805
6	2059	http://www.miraclelinux.com/support/index.php?q=node/99&errata_id=2059
7	2136	http://www.miraclelinux.com/support/index.php?q=node/99&errata_id=2136
Poppler
8	Top Page	http://poppler.freedesktop.org/
Red Hat Security Advisory
9	RHSA-2009:1500	https://rhn.redhat.com/errata/RHSA-2009-1500.html
10	RHSA-2009:1501	https://rhn.redhat.com/errata/RHSA-2009-1501.html
11	RHSA-2009:1502	https://rhn.redhat.com/errata/RHSA-2009-1502.html
12	RHSA-2009:1503	https://rhn.redhat.com/errata/RHSA-2009-1503.html
13	RHSA-2009:1504	https://rhn.redhat.com/errata/RHSA-2009-1504.html
14	RHSA-2009:1512	https://rhn.redhat.com/errata/RHSA-2009-1512.html
15	RHSA-2009:1513	https://rhn.redhat.com/errata/RHSA-2009-1513.html
16	RHSA-2010:0399	https://rhn.redhat.com/errata/RHSA-2010-0399.html
17	RHSA-2010:0400	https://rhn.redhat.com/errata/RHSA-2010-0400.html
18	RHSA-2010:0401	https://rhn.redhat.com/errata/RHSA-2010-0401.html
19	RHSA-2010:0755	https://rhn.redhat.com/errata/RHSA-2010-0755.html
Sun Alert Notification
20	274030	http://sunsolve.sun.com/search/document.do?assetkey=1-66-274030-1
Xpdf
21	Top Page	http://www.foolabs.com/xpdf/
レッドハットセキュリティーアップデート
22	RHSA-2009:1500	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1500J.html
23	RHSA-2009:1501	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1501J.html
24	RHSA-2009:1502	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1502J.html
25	RHSA-2009:1503	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1503J.html
26	RHSA-2009:1504	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1504J.html
27	RHSA-2009:1512	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1512J.html
28	RHSA-2009:1513	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1513J.html

その他

No	Name	URL
ISS X-Force Database
1	53800	http://xforce.iss.net/xforce/xfdb/53800
Secunia Advisory
2	SA37023	http://secunia.com/advisories/37023
3	SA37028	http://secunia.com/advisories/37028
4	SA37034	http://secunia.com/advisories/37034
5	SA37037	http://secunia.com/advisories/37037
6	SA37043	http://secunia.com/advisories/37043
7	SA37051	http://secunia.com/advisories/37051
8	SA37053	http://secunia.com/advisories/37053
9	SA37054	http://secunia.com/advisories/37054
10	SA37061	http://secunia.com/advisories/37061
11	SA37077	http://secunia.com/advisories/37077
12	SA37079	http://secunia.com/advisories/37079
SecurityFocus
13	36703	http://www.securityfocus.com/bid/36703
SecurityTracker
14	1023029	http://securitytracker.com/id?1023029
VUPEN Security
15	VUPEN/ADV-2009-2924	http://www.vupen.com/english/advisories/2009/2924
16	VUPEN/ADV-2009-2925	http://www.vupen.com/english/advisories/2009/2925
17	VUPEN/ADV-2009-2926	http://www.vupen.com/english/advisories/2009/2926
18	VUPEN/ADV-2009-2928	http://www.vupen.com/english/advisories/2009/2928

Change Log

No	Changed Details	Date of change
0	[2009年11月25日] 掲載 [2010年01月20日] 影響を受けるシステム：サン・マイクロシステムズ (274030) の情報を追加ベンダ情報：サン・マイクロシステムズ (274030) を追加 [2010年05月26日] ベンダ情報：ミラクル・リナックス (tetex-3.0-33.8.5.0.1.AXS3) を追加ベンダ情報：ミラクル・リナックス (2059) を追加ベンダ情報：レッドハット (RHSA-2010:0399) を追加ベンダ情報：レッドハット (RHSA-2010:0400) を追加ベンダ情報：レッドハット (RHSA-2010:0401) を追加 [2010年10月22日] ベンダ情報：ミラクル・リナックス (2136) を追加ベンダ情報：レッドハット (RHSA-2010:0755) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2009-3609

Summary	Integer overflow in the ImageStream::ImageStream function in Stream.cc in Xpdf before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, and CUPS pdftops, allows remote attackers to cause a denial of service (application crash) via a crafted PDF document that triggers a NULL pointer dereference or buffer over-read.
Publication Date	Oct. 22, 2009, 2:30 a.m.
Registration Date	Jan. 29, 2021, 1:24 p.m.
Last Update	Feb. 13, 2023, 11:20 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:foolabs:xpdf:3.02pl1:::::::*
cpe:2.3:a:foolabs:xpdf:3.02pl2:::::::*
cpe:2.3:a:foolabs:xpdf:3.02pl3:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.00:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.01:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.02:::::::*
cpe:2.3:a:poppler:poppler::::::::			0.12.0
cpe:2.3:a:poppler:poppler:0.1:::::::*
cpe:2.3:a:poppler:poppler:0.1.1:::::::*
cpe:2.3:a:poppler:poppler:0.1.2:::::::*
cpe:2.3:a:poppler:poppler:0.2.0:::::::*
cpe:2.3:a:poppler:poppler:0.3.0:::::::*
cpe:2.3:a:poppler:poppler:0.3.1:::::::*
cpe:2.3:a:poppler:poppler:0.3.2:::::::*
cpe:2.3:a:poppler:poppler:0.3.3:::::::*
cpe:2.3:a:poppler:poppler:0.4.0:::::::*
cpe:2.3:a:poppler:poppler:0.4.1:::::::*
cpe:2.3:a:poppler:poppler:0.4.2:::::::*
cpe:2.3:a:poppler:poppler:0.4.3:::::::*
cpe:2.3:a:poppler:poppler:0.4.4:::::::*
cpe:2.3:a:poppler:poppler:0.5.0:::::::*
cpe:2.3:a:poppler:poppler:0.5.1:::::::*
cpe:2.3:a:poppler:poppler:0.5.2:::::::*
cpe:2.3:a:poppler:poppler:0.5.3:::::::*
cpe:2.3:a:poppler:poppler:0.5.4:::::::*
cpe:2.3:a:poppler:poppler:0.5.9:::::::*
cpe:2.3:a:poppler:poppler:0.6.0:::::::*
cpe:2.3:a:poppler:poppler:0.6.1:::::::*
cpe:2.3:a:poppler:poppler:0.6.2:::::::*
cpe:2.3:a:poppler:poppler:0.6.3:::::::*
cpe:2.3:a:poppler:poppler:0.6.4:::::::*
cpe:2.3:a:poppler:poppler:0.7.0:::::::*
cpe:2.3:a:poppler:poppler:0.7.1:::::::*
cpe:2.3:a:poppler:poppler:0.7.2:::::::*
cpe:2.3:a:poppler:poppler:0.7.3:::::::*
cpe:2.3:a:poppler:poppler:0.8.0:::::::*
cpe:2.3:a:poppler:poppler:0.8.1:::::::*
cpe:2.3:a:poppler:poppler:0.8.2:::::::*
cpe:2.3:a:poppler:poppler:0.8.3:::::::*
cpe:2.3:a:poppler:poppler:0.8.4:::::::*
cpe:2.3:a:poppler:poppler:0.8.6:::::::*
cpe:2.3:a:poppler:poppler:0.8.7:::::::*
cpe:2.3:a:poppler:poppler:0.9.0:::::::*
cpe:2.3:a:poppler:poppler:0.9.1:::::::*
cpe:2.3:a:poppler:poppler:0.9.2:::::::*
cpe:2.3:a:poppler:poppler:0.9.3:::::::*
cpe:2.3:a:poppler:poppler:0.10.0:::::::*
cpe:2.3:a:poppler:poppler:0.10.1:::::::*
cpe:2.3:a:poppler:poppler:0.10.2:::::::*
cpe:2.3:a:poppler:poppler:0.10.3:::::::*
cpe:2.3:a:poppler:poppler:0.10.4:::::::*
cpe:2.3:a:poppler:poppler:0.10.5:::::::*
cpe:2.3:a:poppler:poppler:0.10.6:::::::*
cpe:2.3:a:poppler:poppler:0.10.7:::::::*
cpe:2.3:a:poppler:poppler:0.11.0:::::::*
cpe:2.3:a:poppler:poppler:0.11.1:::::::*
cpe:2.3:a:poppler:poppler:0.11.2:::::::*
cpe:2.3:a:poppler:poppler:0.11.3:::::::*
execution environment
1	cpe:2.3:a:glyph_and_cog:pdftops::::::::
2	cpe:2.3:a:gnome:gpdf::::::::
3	cpe:2.3:a:kde:kpdf::::::::

Related information, measures and tools

No	URL	refsource	タグ
1	https://rhn.redhat.com/errata/RHSA-2009-1504.html	REDHAT
2	ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch	CONFIRM	Exploit
3	https://bugzilla.redhat.com/show_bug.cgi?id=526893	CONFIRM	Exploit Patch
4	http://www.vupen.com/english/advisories/2009/2924	VUPEN	Patch Vendor Advisory
5	http://www.securityfocus.com/bid/36703	BID	Exploit Patch
6	http://secunia.com/advisories/37051	SECUNIA	Vendor Advisory
7	https://rhn.redhat.com/errata/RHSA-2009-1500.html	REDHAT
8	http://secunia.com/advisories/37077	SECUNIA	Vendor Advisory
9	http://secunia.com/advisories/37054	SECUNIA	Vendor Advisory
10	http://securitytracker.com/id?1023029	SECTRACK
11	http://www.vupen.com/english/advisories/2009/2928	VUPEN	Vendor Advisory
12	http://secunia.com/advisories/37043	SECUNIA	Vendor Advisory
13	https://rhn.redhat.com/errata/RHSA-2009-1513.html	REDHAT
14	http://www.vupen.com/english/advisories/2009/2926	VUPEN	Vendor Advisory
15	http://secunia.com/advisories/37037	SECUNIA	Vendor Advisory
16	http://www.vupen.com/english/advisories/2009/2925	VUPEN	Vendor Advisory
17	http://secunia.com/advisories/37028	SECUNIA	Vendor Advisory
18	https://rhn.redhat.com/errata/RHSA-2009-1512.html	REDHAT
19	https://rhn.redhat.com/errata/RHSA-2009-1501.html	REDHAT
20	https://rhn.redhat.com/errata/RHSA-2009-1503.html	REDHAT
21	http://secunia.com/advisories/37034	SECUNIA	Vendor Advisory
22	http://secunia.com/advisories/37061	SECUNIA	Vendor Advisory
23	https://rhn.redhat.com/errata/RHSA-2009-1502.html	REDHAT
24	http://secunia.com/advisories/37023	SECUNIA	Vendor Advisory
25	http://poppler.freedesktop.org/	CONFIRM	Patch Vendor Advisory
26	http://secunia.com/advisories/37079	SECUNIA	Vendor Advisory
27	http://www.mandriva.com/security/advisories?name=MDVSA-2009:287	MANDRIVA
28	https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00784.html	FEDORA
29	http://secunia.com/advisories/37159	SECUNIA
30	https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00750.html	FEDORA
31	http://secunia.com/advisories/37114	SECUNIA
32	http://www.ubuntu.com/usn/USN-850-1	UBUNTU
33	http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html	SUSE
34	http://sunsolve.sun.com/search/document.do?assetkey=1-66-274030-1	SUNALERT
35	http://www.ubuntu.com/usn/USN-850-3	UBUNTU
36	http://www.mandriva.com/security/advisories?name=MDVSA-2009:334	MANDRIVA
37	http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035408.html	FEDORA
38	http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035399.html	FEDORA
39	http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035340.html	FEDORA
40	http://www.vupen.com/english/advisories/2010/0802	VUPEN
41	http://secunia.com/advisories/39327	SECUNIA
42	http://www.debian.org/security/2010/dsa-2028	DEBIAN
43	http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021706.1-1	SUNALERT
44	http://www.vupen.com/english/advisories/2010/1220	VUPEN
45	http://secunia.com/advisories/39938	SECUNIA
46	http://www.debian.org/security/2010/dsa-2050	DEBIAN
47	http://www.redhat.com/support/errata/RHSA-2010-0755.html	REDHAT
48	http://www.mandriva.com/security/advisories?name=MDVSA-2011:175	MANDRIVA
49	https://exchange.xforce.ibmcloud.com/vulnerabilities/53800	XF
50	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8134	OVAL
51	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11043	OVAL

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-189	数値処理の問題	https://cwe.mitre.org/data/definitions/189.html

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:foolabs:xpdf:3.02pl1:::::::*
cpe:2.3:a:foolabs:xpdf:3.02pl2:::::::*
cpe:2.3:a:foolabs:xpdf:3.02pl3:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.00:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.01:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.02:::::::*
cpe:2.3:a:poppler:poppler::::::::			0.12.0
cpe:2.3:a:poppler:poppler:0.1:::::::*
cpe:2.3:a:poppler:poppler:0.1.1:::::::*
cpe:2.3:a:poppler:poppler:0.1.2:::::::*
cpe:2.3:a:poppler:poppler:0.2.0:::::::*
cpe:2.3:a:poppler:poppler:0.3.0:::::::*
cpe:2.3:a:poppler:poppler:0.3.1:::::::*
cpe:2.3:a:poppler:poppler:0.3.2:::::::*
cpe:2.3:a:poppler:poppler:0.3.3:::::::*
cpe:2.3:a:poppler:poppler:0.4.0:::::::*
cpe:2.3:a:poppler:poppler:0.4.1:::::::*
cpe:2.3:a:poppler:poppler:0.4.2:::::::*
cpe:2.3:a:poppler:poppler:0.4.3:::::::*
cpe:2.3:a:poppler:poppler:0.4.4:::::::*
cpe:2.3:a:poppler:poppler:0.5.0:::::::*
cpe:2.3:a:poppler:poppler:0.5.1:::::::*
cpe:2.3:a:poppler:poppler:0.5.2:::::::*
cpe:2.3:a:poppler:poppler:0.5.3:::::::*
cpe:2.3:a:poppler:poppler:0.5.4:::::::*
cpe:2.3:a:poppler:poppler:0.5.9:::::::*
cpe:2.3:a:poppler:poppler:0.6.0:::::::*
cpe:2.3:a:poppler:poppler:0.6.1:::::::*
cpe:2.3:a:poppler:poppler:0.6.2:::::::*
cpe:2.3:a:poppler:poppler:0.6.3:::::::*
cpe:2.3:a:poppler:poppler:0.6.4:::::::*
cpe:2.3:a:poppler:poppler:0.7.0:::::::*
cpe:2.3:a:poppler:poppler:0.7.1:::::::*
cpe:2.3:a:poppler:poppler:0.7.2:::::::*
cpe:2.3:a:poppler:poppler:0.7.3:::::::*
cpe:2.3:a:poppler:poppler:0.8.0:::::::*
cpe:2.3:a:poppler:poppler:0.8.1:::::::*
cpe:2.3:a:poppler:poppler:0.8.2:::::::*
cpe:2.3:a:poppler:poppler:0.8.3:::::::*
cpe:2.3:a:poppler:poppler:0.8.4:::::::*
cpe:2.3:a:poppler:poppler:0.8.6:::::::*
cpe:2.3:a:poppler:poppler:0.8.7:::::::*
cpe:2.3:a:poppler:poppler:0.9.0:::::::*
cpe:2.3:a:poppler:poppler:0.9.1:::::::*
cpe:2.3:a:poppler:poppler:0.9.2:::::::*
cpe:2.3:a:poppler:poppler:0.9.3:::::::*
cpe:2.3:a:poppler:poppler:0.10.0:::::::*
cpe:2.3:a:poppler:poppler:0.10.1:::::::*
cpe:2.3:a:poppler:poppler:0.10.2:::::::*
cpe:2.3:a:poppler:poppler:0.10.3:::::::*
cpe:2.3:a:poppler:poppler:0.10.4:::::::*
cpe:2.3:a:poppler:poppler:0.10.5:::::::*
cpe:2.3:a:poppler:poppler:0.10.6:::::::*
cpe:2.3:a:poppler:poppler:0.10.7:::::::*
cpe:2.3:a:poppler:poppler:0.11.0:::::::*
cpe:2.3:a:poppler:poppler:0.11.1:::::::*
cpe:2.3:a:poppler:poppler:0.11.2:::::::*
cpe:2.3:a:poppler:poppler:0.11.3:::::::*
execution environment
1	cpe:2.3:a:glyph_and_cog:pdftops::::::::
2	cpe:2.3:a:gnome:gpdf::::::::
3	cpe:2.3:a:kde:kpdf::::::::