製品・ソフトウェアに関する情報

JVN脆弱性詳細

Xpdf および Poppler の PSOutputDev::doImageL1Sep 関数における整数オーバーフローの脆弱性

タイトル	Xpdf および Poppler の PSOutputDev::doImageL1Sep 関数における整数オーバーフローの脆弱性
概要	Xpdf および Poppler の PSOutputDev::doImageL1Sep 関数には、PDF ドキュメントの処理に不備があるため、整数オーバーフローの脆弱性が存在します。
想定される影響	第三者に任意のコードをされる可能性があります。
対策	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2009年10月15日0:00
登録日	2009年11月25日12:23
最終更新日	2010年1月20日11:57

CVSS2.0 : 危険
スコア	9.3
ベクター	AV:N/AC:M/Au:N/C:C/I:C/A:C

影響を受けるシステム

サン・マイクロシステムズ

OpenSolaris (sparc)

OpenSolaris (x86)

Sun Solaris 10 (sparc)

Sun Solaris 10 (x86)

レッドハット

Red Hat Enterprise Linux 3 (as)

Red Hat Enterprise Linux 3 (es)

Red Hat Enterprise Linux 3 (ws)

Red Hat Enterprise Linux 4 (as)

Red Hat Enterprise Linux 4 (es)

Red Hat Enterprise Linux 4 (ws)

Red Hat Enterprise Linux 4.8 (as)

Red Hat Enterprise Linux 4.8 (es)

Red Hat Enterprise Linux Desktop 3.0

Red Hat Enterprise Linux Desktop 4.0

Red Hat Enterprise Linux Desktop 5.0 (client)

RHEL Desktop Workstation 5 (client)

RHEL Optional Productivity Applications 5 (server)

RHEL Optional Productivity Applications EUS 5.4.z (server)

サイバートラスト株式会社

Asianux Server 3 (x86)

Asianux Server 3 (x86-64)

Asianux Server 4.0

Asianux Server 4.0 (x86-64)

Glyph & Cog, LLC

Xpdf 3.02pl4 未満

freedesktop.org

Poppler 0.12.1 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2009-3606	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3606
National Vulnerability Database (NVD)
2	CVE-2009-3606	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3606

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-189	https://jvndb.jvn.jp/ja/cwe/CWE-189.html

ベンダー情報

No	名前	URL
Asianux Technical Support Network
1	kdegraphics-3.5.5-3.5AXS3	https://tsn.miraclelinux.com/tsn_local/index.php?m=errata&a=detail&eid=766
MIRACLE LINUX アップデート情報
2	1805	http://www.miraclelinux.com/support/index.php?q=node/99&errata_id=1805
Poppler
3	Top Page	http://poppler.freedesktop.org/
Red Hat Security Advisory
4	RHSA-2009:1500	https://rhn.redhat.com/errata/RHSA-2009-1500.html
5	RHSA-2009:1501	https://rhn.redhat.com/errata/RHSA-2009-1501.html
6	RHSA-2009:1502	https://rhn.redhat.com/errata/RHSA-2009-1502.html
Sun Alert Notification
7	274030	http://sunsolve.sun.com/search/document.do?assetkey=1-66-274030-1
Xpdf
8	Top Page	http://www.foolabs.com/xpdf/
レッドハットセキュリティーアップデート
9	RHSA-2009:1500	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1500J.html
10	RHSA-2009:1501	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1501J.html
11	RHSA-2009:1502	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1502J.html

その他

No	名前	URL
ISS X-Force Database
1	53798	http://xforce.iss.net/xforce/xfdb/53798
Secunia Advisory
2	SA37023	http://secunia.com/advisories/37023
3	SA37037	http://secunia.com/advisories/37037
4	SA37042	http://secunia.com/advisories/37042
5	SA37053	http://secunia.com/advisories/37053
6	SA37077	http://secunia.com/advisories/37077
SecurityFocus
7	36703	http://www.securityfocus.com/bid/36703
SecurityTracker
8	1023029	http://securitytracker.com/id?1023029
VUPEN Security
9	VUPEN/ADV-2009-2924	http://www.vupen.com/english/advisories/2009/2924
10	VUPEN/ADV-2009-2928	http://www.vupen.com/english/advisories/2009/2928

変更履歴

No	変更内容	変更日
0	[2009年11月25日] 掲載 [2010年01月20日] 影響を受けるシステム：サン・マイクロシステムズ (274030) の情報を追加ベンダ情報：サン・マイクロシステムズ (274030) を追加	2018年2月17日10:37

NVD脆弱性情報

CVE-2009-3606

概要	Integer overflow in the PSOutputDev::doImageL1Sep function in Xpdf before 3.02pl4, and Poppler 0.x, as used in kdegraphics KPDF, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow.
公表日	2009年10月22日2:30
登録日	2021年1月29日13:24
最終更新日	2023年2月13日11:20

影響を受けるソフトウェアの構成

構成1		以上	以下	より上	未満
cpe:2.3:a:foolabs:xpdf:3.02pl1:::::::*
cpe:2.3:a:foolabs:xpdf:3.02pl2:::::::*
cpe:2.3:a:foolabs:xpdf:3.02pl3:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.00:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.01:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.02:::::::*
cpe:2.3:a:poppler:poppler:0.1:::::::*
cpe:2.3:a:poppler:poppler:0.1.1:::::::*
cpe:2.3:a:poppler:poppler:0.1.2:::::::*
cpe:2.3:a:poppler:poppler:0.2.0:::::::*
cpe:2.3:a:poppler:poppler:0.3.0:::::::*
cpe:2.3:a:poppler:poppler:0.3.1:::::::*
cpe:2.3:a:poppler:poppler:0.3.2:::::::*
cpe:2.3:a:poppler:poppler:0.3.3:::::::*
cpe:2.3:a:poppler:poppler:0.4.0:::::::*
cpe:2.3:a:poppler:poppler:0.4.1:::::::*
cpe:2.3:a:poppler:poppler:0.4.2:::::::*
cpe:2.3:a:poppler:poppler:0.4.3:::::::*
cpe:2.3:a:poppler:poppler:0.4.4:::::::*
cpe:2.3:a:poppler:poppler:0.5.0:::::::*
cpe:2.3:a:poppler:poppler:0.5.1:::::::*
cpe:2.3:a:poppler:poppler:0.5.2:::::::*
cpe:2.3:a:poppler:poppler:0.5.3:::::::*
cpe:2.3:a:poppler:poppler:0.5.4:::::::*
cpe:2.3:a:poppler:poppler:0.5.9:::::::*
cpe:2.3:a:poppler:poppler:0.6.0:::::::*
cpe:2.3:a:poppler:poppler:0.6.1:::::::*
cpe:2.3:a:poppler:poppler:0.6.2:::::::*
cpe:2.3:a:poppler:poppler:0.6.3:::::::*
cpe:2.3:a:poppler:poppler:0.6.4:::::::*
cpe:2.3:a:poppler:poppler:0.7.0:::::::*
cpe:2.3:a:poppler:poppler:0.7.1:::::::*
cpe:2.3:a:poppler:poppler:0.7.2:::::::*
cpe:2.3:a:poppler:poppler:0.7.3:::::::*
cpe:2.3:a:poppler:poppler:0.8.0:::::::*
cpe:2.3:a:poppler:poppler:0.8.1:::::::*
cpe:2.3:a:poppler:poppler:0.8.2:::::::*
cpe:2.3:a:poppler:poppler:0.8.3:::::::*
cpe:2.3:a:poppler:poppler:0.8.4:::::::*
cpe:2.3:a:poppler:poppler:0.8.6:::::::*
cpe:2.3:a:poppler:poppler:0.8.7:::::::*
cpe:2.3:a:poppler:poppler:0.9.0:::::::*
cpe:2.3:a:poppler:poppler:0.9.1:::::::*
cpe:2.3:a:poppler:poppler:0.9.2:::::::*
cpe:2.3:a:poppler:poppler:0.9.3:::::::*
cpe:2.3:a:poppler:poppler:0.10.0:::::::*
cpe:2.3:a:poppler:poppler:0.10.1:::::::*
cpe:2.3:a:poppler:poppler:0.10.2:::::::*
cpe:2.3:a:poppler:poppler:0.10.3:::::::*
cpe:2.3:a:poppler:poppler:0.10.4:::::::*
cpe:2.3:a:poppler:poppler:0.10.5:::::::*
cpe:2.3:a:poppler:poppler:0.10.6:::::::*
cpe:2.3:a:poppler:poppler:0.10.7:::::::*
cpe:2.3:a:poppler:poppler:0.11.0:::::::*
cpe:2.3:a:poppler:poppler:0.11.1:::::::*
cpe:2.3:a:poppler:poppler:0.11.2:::::::*
cpe:2.3:a:poppler:poppler:0.11.3:::::::*
cpe:2.3:a:poppler:poppler:0.12.0:::::::*
実行環境
1	cpe:2.3:a:kde:kpdf::::::::

関連情報、対策とツール

No	URL	refsource	タグ
1	http://secunia.com/advisories/37042	SECUNIA	Vendor Advisory
2	http://secunia.com/advisories/37043	SECUNIA	Vendor Advisory
3	http://securitytracker.com/id?1023029	SECTRACK	Patch
4	http://www.securityfocus.com/bid/36703	BID	Exploit Patch
5	http://secunia.com/advisories/37053	SECUNIA	Vendor Advisory
6	http://secunia.com/advisories/37023	SECUNIA	Vendor Advisory
7	ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch	CONFIRM	Patch
8	https://rhn.redhat.com/errata/RHSA-2009-1500.html	REDHAT
9	http://secunia.com/advisories/37077	SECUNIA	Vendor Advisory
10	https://rhn.redhat.com/errata/RHSA-2009-1501.html	REDHAT	Vendor Advisory
11	https://bugzilla.redhat.com/show_bug.cgi?id=526877	CONFIRM
12	https://rhn.redhat.com/errata/RHSA-2009-1502.html	REDHAT
13	http://cgit.freedesktop.org/poppler/poppler/diff/poppler/PSOutputDev.cc?id=7b2d314a61	CONFIRM
14	http://secunia.com/advisories/37037	SECUNIA	Vendor Advisory
15	http://www.vupen.com/english/advisories/2009/2928	VUPEN	Patch Vendor Advisory
16	http://www.vupen.com/english/advisories/2009/2924	VUPEN	Patch Vendor Advisory
17	http://www.mandriva.com/security/advisories?name=MDVSA-2009:287	MANDRIVA
18	http://secunia.com/advisories/37159	SECUNIA
19	https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00750.html	FEDORA
20	https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00784.html	FEDORA
21	http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html	SUSE
22	http://sunsolve.sun.com/search/document.do?assetkey=1-66-274030-1	SUNALERT
23	http://www.openwall.com/lists/oss-security/2009/12/01/6	MLIST
24	http://www.openwall.com/lists/oss-security/2009/12/01/5	MLIST
25	http://www.debian.org/security/2009/dsa-1941	DEBIAN
26	http://www.openwall.com/lists/oss-security/2009/12/01/1	MLIST
27	http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035408.html	FEDORA
28	http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035340.html	FEDORA
29	http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035399.html	FEDORA
30	http://www.vupen.com/english/advisories/2010/0802	VUPEN
31	http://www.debian.org/security/2010/dsa-2028	DEBIAN
32	http://secunia.com/advisories/39327	SECUNIA
33	http://www.vupen.com/english/advisories/2010/1040	VUPEN
34	http://www.mandriva.com/security/advisories?name=MDVSA-2010:087	MANDRIVA
35	http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021706.1-1	SUNALERT
36	http://www.vupen.com/english/advisories/2010/1220	VUPEN
37	http://secunia.com/advisories/39938	SECUNIA
38	http://www.debian.org/security/2010/dsa-2050	DEBIAN
39	http://www.mandriva.com/security/advisories?name=MDVSA-2011:175	MANDRIVA
40	https://exchange.xforce.ibmcloud.com/vulnerabilities/53798	XF
41	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7836	OVAL
42	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11289	OVAL

共通脆弱性一覧

No	CWE	名前	URL
1	CWE-189	数値処理の問題	https://cwe.mitre.org/data/definitions/189.html

構成1		以上	以下	より上	未満
cpe:2.3:a:foolabs:xpdf:3.02pl1:::::::*
cpe:2.3:a:foolabs:xpdf:3.02pl2:::::::*
cpe:2.3:a:foolabs:xpdf:3.02pl3:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.00:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.01:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.02:::::::*
cpe:2.3:a:poppler:poppler:0.1:::::::*
cpe:2.3:a:poppler:poppler:0.1.1:::::::*
cpe:2.3:a:poppler:poppler:0.1.2:::::::*
cpe:2.3:a:poppler:poppler:0.2.0:::::::*
cpe:2.3:a:poppler:poppler:0.3.0:::::::*
cpe:2.3:a:poppler:poppler:0.3.1:::::::*
cpe:2.3:a:poppler:poppler:0.3.2:::::::*
cpe:2.3:a:poppler:poppler:0.3.3:::::::*
cpe:2.3:a:poppler:poppler:0.4.0:::::::*
cpe:2.3:a:poppler:poppler:0.4.1:::::::*
cpe:2.3:a:poppler:poppler:0.4.2:::::::*
cpe:2.3:a:poppler:poppler:0.4.3:::::::*
cpe:2.3:a:poppler:poppler:0.4.4:::::::*
cpe:2.3:a:poppler:poppler:0.5.0:::::::*
cpe:2.3:a:poppler:poppler:0.5.1:::::::*
cpe:2.3:a:poppler:poppler:0.5.2:::::::*
cpe:2.3:a:poppler:poppler:0.5.3:::::::*
cpe:2.3:a:poppler:poppler:0.5.4:::::::*
cpe:2.3:a:poppler:poppler:0.5.9:::::::*
cpe:2.3:a:poppler:poppler:0.6.0:::::::*
cpe:2.3:a:poppler:poppler:0.6.1:::::::*
cpe:2.3:a:poppler:poppler:0.6.2:::::::*
cpe:2.3:a:poppler:poppler:0.6.3:::::::*
cpe:2.3:a:poppler:poppler:0.6.4:::::::*
cpe:2.3:a:poppler:poppler:0.7.0:::::::*
cpe:2.3:a:poppler:poppler:0.7.1:::::::*
cpe:2.3:a:poppler:poppler:0.7.2:::::::*
cpe:2.3:a:poppler:poppler:0.7.3:::::::*
cpe:2.3:a:poppler:poppler:0.8.0:::::::*
cpe:2.3:a:poppler:poppler:0.8.1:::::::*
cpe:2.3:a:poppler:poppler:0.8.2:::::::*
cpe:2.3:a:poppler:poppler:0.8.3:::::::*
cpe:2.3:a:poppler:poppler:0.8.4:::::::*
cpe:2.3:a:poppler:poppler:0.8.6:::::::*
cpe:2.3:a:poppler:poppler:0.8.7:::::::*
cpe:2.3:a:poppler:poppler:0.9.0:::::::*
cpe:2.3:a:poppler:poppler:0.9.1:::::::*
cpe:2.3:a:poppler:poppler:0.9.2:::::::*
cpe:2.3:a:poppler:poppler:0.9.3:::::::*
cpe:2.3:a:poppler:poppler:0.10.0:::::::*
cpe:2.3:a:poppler:poppler:0.10.1:::::::*
cpe:2.3:a:poppler:poppler:0.10.2:::::::*
cpe:2.3:a:poppler:poppler:0.10.3:::::::*
cpe:2.3:a:poppler:poppler:0.10.4:::::::*
cpe:2.3:a:poppler:poppler:0.10.5:::::::*
cpe:2.3:a:poppler:poppler:0.10.6:::::::*
cpe:2.3:a:poppler:poppler:0.10.7:::::::*
cpe:2.3:a:poppler:poppler:0.11.0:::::::*
cpe:2.3:a:poppler:poppler:0.11.1:::::::*
cpe:2.3:a:poppler:poppler:0.11.2:::::::*
cpe:2.3:a:poppler:poppler:0.11.3:::::::*
cpe:2.3:a:poppler:poppler:0.12.0:::::::*
実行環境
1	cpe:2.3:a:kde:kpdf::::::::