CVE-2009-3606: Buffer Overflow
Integer overflow in the PSOutputDev::doImageL1Sep function in Xpdf before 3.02pl4, and Poppler 0.x, as used in kdegraphics KPDF, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow.
Other sources
xpdf's PSOutputDev::doImageL1Sep contains an integer overflow in the lineBuf buffer allocation:
4303 // allocate a line buffer 4304 lineBuf = (Guchar )gmalloc(4 width);
width is read from the input PDF file and can integer overflow / wrap when multiplied by 4, resulting in an insufficient memory allocation, leading to heap overflow.
Impact of this flaw is, however, quite limited. This affects PSOutputDev class used to write / convert PDF input to PS (PostScript) output. For GUI viewers, this is done e.g. when trying to print the file. Additionally, this requires non-default Level 1 separable PostScript language level to be used for the output file (specified via e.g. -level1sep command line option for pdftops, or psLevel configuration option in xpdfrc).
— Red Hat
Affected Software
Remediation
Patch Available
Patch Available
Patch Available
Patch Available
Patch Available
Event History
Parent advisories
This vulnerability appears in the following advisories.
Frequently Asked Questions
What is the severity of CVE-2009-3606?
CVE-2009-3606 has a high severity rating due to the potential for remote attackers to execute arbitrary code.
How do I fix CVE-2009-3606?
To fix CVE-2009-3606, update to the latest version of Xpdf or Poppler that addresses the vulnerability.
Which software is affected by CVE-2009-3606?
CVE-2009-3606 affects Xpdf versions prior to 3.02pl4, Poppler 0.x, and several other related packages.
What types of attacks can CVE-2009-3606 enable?
CVE-2009-3606 can enable remote attackers to exploit a crafted PDF document to perform code execution.
Is there a workaround for CVE-2009-3606?
A direct workaround for CVE-2009-3606 isn't well-documented, but avoiding the use of vulnerable software versions is advisable.