TECHNICAL BULLETIN
TECHNICAL BULLETIN
| PROBLEM: | Several vulnerabilities were reported in Xpdf. A remote user can cause arbitrary code to be executed on the target user's system. |
| PLATFORM: | Xpdf 3.0 pl3 and all previous editions |
| ABSTRACT: | A remote user can create a specially crafted PDF file that, when loaded by the target user, will trigger an integer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target user. |
| LINKS: | |
| DOE-CIRC BULLETIN: | http://www.doecirc.energy.gov/bulletins/t-252.shtml |
| OTHER LINKS: |
Security Focus http://www.securityfocus.com/bid/36703/info Security Tracker http://securitytracker.com/alerts/2009/Oct/1023029.html |
| CVE: |
CVE-2009-3603 CVE-2009-3604 CVE-2009-3606 CVE-2009-3608 CVE-2009-3609 |
| IMPACT ASSESSMENT: | This risk is medium. A remote user can create a PDF file that, when loaded by the target user, will execute arbitrary code on the target user's system. |
[***** Start CVE-2009-3603, CVE-2009-3604, CVE-2009-3606, CVE-2009-3608, & CVE-2009-3609 *****] Discussion: Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. Multiple integer overflow flaws were found in Xpdf. An attacker could create a malicious PDF file that would cause Xpdf to crash or, potentially, execute arbitrary code when opened. The following proof of concept is available: http://www.securityfocus.com/data/vulnerabilities/exploits/36703.txt Solution: The vendor has issued a fix (3.02pl4), available at: ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch [***** End CVE-2009-3603, CVE-2009-3604, CVE-2009-3606, CVE-2009-3608, & CVE-2009-3609 *****]
Voice: 866-941-2472
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov