National Vulnerability Database (NVD) National Vulnerability Database (CVE-2005-3625)

National Cyber-Alert System

Vulnerability Summary for CVE-2005-3625

Original release date:12/31/2005

Last revised:09/05/2008

Source: US-CERT/NIST

Overview

Xpdf, as used in products such as gpdf, kpdf, pdftohtml, poppler, teTeX, CUPS, libextractor, and others, allows attackers to cause a denial of service (infinite loop) via streams that end prematurely, as demonstrated using the (1) CCITTFaxDecode and (2) DCTDecode streams, aka "Infinite CPU spins."

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C) (legend)

Impact Subscore: 10.0

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type:Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Vendor Statments (disclaimer)

Official Statement from Red Hat (03/14/2007): Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: UBUNTU

Name: USN-236-1

Type: Patch Information

Hyperlink:http://www.ubuntulinux.org/support/documentation/usn/usn-236-1

External Source: BID

Name: 16143

Type: Patch Information

Hyperlink:http://www.securityfocus.com/bid/16143

External Source: REDHAT

Name: RHSA-2006:0160

Type: Advisory; Patch Information

Hyperlink:http://www.redhat.com/support/errata/RHSA-2006-0160.html

External Source: CONFIRM

Name: http://www.redhat.com/archives/fedora-announce-list/2006-January/msg00011.html

Type: Patch Information

Hyperlink:http://www.redhat.com/archives/fedora-announce-list/2006-January/msg00011.html

External Source: CONFIRM

Name: http://www.redhat.com/archives/fedora-announce-list/2006-January/msg00010.html

Type: Patch Information

Hyperlink:http://www.redhat.com/archives/fedora-announce-list/2006-January/msg00010.html

External Source: CONFIRM

Name: http://www.kde.org/info/security/advisory-20051207-2.txt

Type: Advisory; Patch Information

Hyperlink:http://www.kde.org/info/security/advisory-20051207-2.txt

External Source: GENTOO

Name: GLSA-200601-02

Type: Advisory; Patch Information

Hyperlink:http://www.gentoo.org/security/en/glsa/glsa-200601-02.xml

External Source: VUPEN

Name: ADV-2006-0047

Type: Advisory; Patch Information

Hyperlink:http://www.frsirt.com/english/advisories/2006/0047

External Source: DEBIAN

Name: DSA-961

Type: Advisory; Patch Information

Hyperlink:http://www.debian.org/security/2006/dsa-961

External Source: DEBIAN

Name: DSA-950

Type: Advisory; Patch Information

Hyperlink:http://www.debian.org/security/2006/dsa-950

External Source: DEBIAN

Name: DSA-936

Type: Advisory; Patch Information

Hyperlink:http://www.debian.org/security/2006/dsa-936

External Source: SECUNIA

Name: 18582

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/18582

External Source: SECUNIA

Name: 18554

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/18554

External Source: SECUNIA

Name: 18534

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/18534

External Source: SECUNIA

Name: 18517

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/18517

External Source: SECUNIA

Name: 18448

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/18448

External Source: SECUNIA

Name: 18423

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/18423

External Source: SECUNIA

Name: 18416

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/18416

External Source: SECUNIA

Name: 18407

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/18407

External Source: SECUNIA

Name: 18398

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/18398

External Source: SECUNIA

Name: 18389

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/18389

External Source: SECUNIA

Name: 18387

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/18387

External Source: SECUNIA

Name: 18385

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/18385

External Source: SECUNIA

Name: 18349

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/18349

External Source: SECUNIA

Name: 18338

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/18338

External Source: SECUNIA

Name: 18335

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/18335

External Source: SECUNIA

Name: 18334

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/18334

External Source: SECUNIA

Name: 18313

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/18313

External Source: SECUNIA

Name: 18312

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/18312

External Source: SECUNIA

Name: 18303

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/18303

External Source: REDHAT

Name: RHSA-2006:0177

Type: Advisory; Patch Information

Hyperlink:http://rhn.redhat.com/errata/RHSA-2006-0177.html

External Source: SUSE

Name: SUSE-SA:2006:001

Type: Patch Information

Hyperlink:http://lists.suse.com/archive/suse-security-announce/2006-Jan/0001.html

External Source: MANDRIVA

Name: MDKSA-2006:012

Type: Advisory; Patch Information

Hyperlink:http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:012

External Source: MANDRAKE

Name: MDKSA-2006:010

Type: Advisory; Patch Information

Hyperlink:http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:010

External Source: MANDRIVA

Name: MDKSA-2006:008

Type: Patch Information

Hyperlink:http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:008

External Source: MANDRIVA

Name: MDKSA-2006:006

Type: Patch Information

Hyperlink:http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:006

External Source: MANDRIVA

Name: MDKSA-2006:005

Type: Patch Information

Hyperlink:http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:005

External Source: MANDRIVA

Name: MDKSA-2006:004

Type: Patch Information

Hyperlink:http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:004

External Source: MANDRIVA

Name: MDKSA-2006:003

Type: Patch Information

Hyperlink:http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:003

External Source: DEBIAN

Name: DSA-940

Hyperlink:http://www.debian.org/security/2005/dsa-940

External Source: DEBIAN

Name: DSA-938

Hyperlink:http://www.debian.org/security/2005/dsa-938

External Source: DEBIAN

Name: DSA-937

Hyperlink:http://www.debian.org/security/2005/dsa-937

External Source: DEBIAN

Name: DSA-932

Hyperlink:http://www.debian.org/security/2005/dsa-932

External Source: DEBIAN

Name: DSA-931

Hyperlink:http://www.debian.org/security/2005/dsa-931

External Source: SECUNIA

Name: 18375

Type: Advisory

Hyperlink:http://secunia.com/advisories/18375

External Source: SECUNIA

Name: 18332

Type: Advisory

Hyperlink:http://secunia.com/advisories/18332

External Source: SECUNIA

Name: 18329

Type: Advisory

Hyperlink:http://secunia.com/advisories/18329

External Source: MISC

Name: http://scary.beasts.org/security/CESA-2005-003.txt

Hyperlink:http://scary.beasts.org/security/CESA-2005-003.txt

External Source: SGI

Name: 20060101-01-U

Hyperlink:ftp://patches.sgi.com/support/free/security/advisories/20060101-01-U

External Source: SGI

Name: 20051201-01-U

Hyperlink:ftp://patches.sgi.com/support/free/security/advisories/20051201-01-U

External Source: XF

Name: xpdf-ccittfaxdecode-dctdecode-dos(24023)

Hyperlink:http://xforce.iss.net/xforce/xfdb/24023

External Source: TRUSTIX

Name: 2006-0002

Hyperlink:http://www.trustix.org/errata/2006/0002/

External Source: FEDORA

Name: FLSA:175404

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/427990/100/0/threaded

External Source: FEDORA

Name: FLSA-2006:176751

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/427053/100/0/threaded

External Source: REDHAT

Name: RHSA-2006:0163

Hyperlink:http://www.redhat.com/support/errata/RHSA-2006-0163.html

External Source: FEDORA

Name: FEDORA-2005-026

Hyperlink:http://www.redhat.com/archives/fedora-announce-list/2006-January/msg00031.html

External Source: FEDORA

Name: FEDORA-2005-025

Hyperlink:http://www.redhat.com/archives/fedora-announce-list/2006-January/msg00030.html

External Source: MANDRIVA

Name: MDKSA-2006:012

Hyperlink:http://www.mandriva.com/security/advisories?name=MDKSA-2006:012

External Source: MANDRIVA

Name: MDKSA-2006:011

Hyperlink:http://www.mandriva.com/security/advisories?name=MDKSA-2006:011

External Source: MANDRAKE

Name: MDKSA-2006:010

Hyperlink:http://www.mandriva.com/security/advisories?name=MDKSA-2006:010

External Source: MANDRIVA

Name: MDKSA-2006:008

Hyperlink:http://www.mandriva.com/security/advisories?name=MDKSA-2006:008

External Source: MANDRIVA

Name: MDKSA-2006:006

Hyperlink:http://www.mandriva.com/security/advisories?name=MDKSA-2006:006

External Source: MANDRIVA

Name: MDKSA-2006:005

Hyperlink:http://www.mandriva.com/security/advisories?name=MDKSA-2006:005

External Source: MANDRIVA

Name: MDKSA-2006:004

Hyperlink:http://www.mandriva.com/security/advisories?name=MDKSA-2006:004

External Source: MANDRIVA

Name: MDKSA-2006:003

Hyperlink:http://www.mandriva.com/security/advisories?name=MDKSA-2006:003

External Source: GENTOO

Name: GLSA-200601-17

Hyperlink:http://www.gentoo.org/security/en/glsa/glsa-200601-17.xml

External Source: VUPEN

Name: ADV-2007-2280

Hyperlink:http://www.frsirt.com/english/advisories/2007/2280

External Source: DEBIAN

Name: DSA-962

Hyperlink:http://www.debian.org/security/2006/dsa-962

External Source: SUNALERT

Name: 102972

Hyperlink:http://sunsolve.sun.com/search/document.do?assetkey=1-26-102972-1

External Source: SLACKWARE

Name: SSA:2006-045-04

Hyperlink:http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.474747

External Source: SLACKWARE

Name: SSA:2006-045-09

Hyperlink:http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.472683

External Source: SECUNIA

Name: 25729

Hyperlink:http://secunia.com/advisories/25729

External Source: SECUNIA

Name: 19377

Hyperlink:http://secunia.com/advisories/19377

External Source: SECUNIA

Name: 19230

Hyperlink:http://secunia.com/advisories/19230

External Source: SECUNIA

Name: 18913

Hyperlink:http://secunia.com/advisories/18913

External Source: SECUNIA

Name: 18908

Hyperlink:http://secunia.com/advisories/18908

External Source: SECUNIA

Name: 18679

Hyperlink:http://secunia.com/advisories/18679

External Source: SECUNIA

Name: 18675

Hyperlink:http://secunia.com/advisories/18675

External Source: SECUNIA

Name: 18674

Hyperlink:http://secunia.com/advisories/18674

External Source: SECUNIA

Name: 18644

Hyperlink:http://secunia.com/advisories/18644

External Source: SECUNIA

Name: 18642

Hyperlink:http://secunia.com/advisories/18642

External Source: SECUNIA

Name: 18463

Hyperlink:http://secunia.com/advisories/18463

External Source: SECUNIA

Name: 18436

Hyperlink:http://secunia.com/advisories/18436

External Source: SECUNIA

Name: 18428

Hyperlink:http://secunia.com/advisories/18428

External Source: SECUNIA

Name: 18425

Hyperlink:http://secunia.com/advisories/18425

External Source: SECUNIA

Name: 18414

Hyperlink:http://secunia.com/advisories/18414

External Source: SECUNIA

Name: 18380

Hyperlink:http://secunia.com/advisories/18380

External Source: SECUNIA

Name: 18373

Hyperlink:http://secunia.com/advisories/18373

External Source: SECUNIA

Name: 18147

Hyperlink:http://secunia.com/advisories/18147

External Source: MANDRIVA

Name: MDKSA-2006:011

Hyperlink:http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:011

External Source: SGI

Name: 20060201-01-U

Hyperlink:ftp://patches.sgi.com/support/free/security/advisories/20060201-01-U

External Source: SCO

Name: SCOSA-2006.15

Hyperlink:ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.15/SCOSA-2006.15.txt

Vulnerable software and versions

Configuration 1

* cpe:/a:easy_software_products:cups:1.1.22

* cpe:/a:easy_software_products:cups:1.1.22_rc1

* cpe:/a:easy_software_products:cups:1.1.23

* cpe:/a:easy_software_products:cups:1.1.23_rc1

* cpe:/a:kde:kdegraphics:3.2

* cpe:/a:kde:kdegraphics:3.4.3

* cpe:/a:kde:koffice:1.4

* cpe:/a:kde:koffice:1.4.1

* cpe:/a:kde:koffice:1.4.2

* cpe:/a:kde:kpdf:3.2

* cpe:/a:kde:kpdf:3.4.3

* cpe:/a:kde:kword:1.4.2

* cpe:/a:poppler:poppler:0.4.2

* cpe:/a:sgi:propack:3.0:sp6

* cpe:/a:tetex:tetex:1.0.7

* cpe:/a:tetex:tetex:2.0

* cpe:/a:tetex:tetex:2.0.1

* cpe:/a:tetex:tetex:2.0.2

* cpe:/a:tetex:tetex:3.0

* cpe:/a:xpdf:xpdf:3.0

* cpe:/o:conectiva:linux:10.0

Configuration 2

* cpe:/o:debian:debian_linux:3.0

* cpe:/o:debian:debian_linux:3.0::alpha

* cpe:/o:debian:debian_linux:3.0::arm

* cpe:/o:debian:debian_linux:3.0::hppa

* cpe:/o:debian:debian_linux:3.0::ia-32

* cpe:/o:debian:debian_linux:3.0::ia-64

* cpe:/o:debian:debian_linux:3.0::m68k

* cpe:/o:debian:debian_linux:3.0::mips

* cpe:/o:debian:debian_linux:3.0::mipsel

* cpe:/o:debian:debian_linux:3.0::ppc

* cpe:/o:debian:debian_linux:3.0::s-390

* cpe:/o:debian:debian_linux:3.0::sparc

* cpe:/o:debian:debian_linux:3.1

* cpe:/o:debian:debian_linux:3.1::alpha

* cpe:/o:debian:debian_linux:3.1::amd64

* cpe:/o:debian:debian_linux:3.1::arm

* cpe:/o:debian:debian_linux:3.1::hppa

* cpe:/o:debian:debian_linux:3.1::ia-32

* cpe:/o:debian:debian_linux:3.1::ia-64

* cpe:/o:debian:debian_linux:3.1::m68k

* cpe:/o:debian:debian_linux:3.1::mips

* cpe:/o:debian:debian_linux:3.1::mipsel

* cpe:/o:debian:debian_linux:3.1::ppc

* cpe:/o:debian:debian_linux:3.1::s-390

* cpe:/o:debian:debian_linux:3.1::sparc

* cpe:/o:gentoo:linux

* cpe:/o:mandrakesoft:mandrake_linux:10.1

* cpe:/o:mandrakesoft:mandrake_linux:10.1::x86-64

* cpe:/o:mandrakesoft:mandrake_linux:10.2

* cpe:/o:mandrakesoft:mandrake_linux:10.2::x86-64

* cpe:/o:mandrakesoft:mandrake_linux:2006

* cpe:/o:mandrakesoft:mandrake_linux:2006::x86-64

* cpe:/o:mandrakesoft:mandrake_linux_corporate_server:2.1

* cpe:/o:mandrakesoft:mandrake_linux_corporate_server:2.1::x86_64

* cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0

* cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0::x86_64

* cpe:/o:redhat:enterprise_linux:2.1::advanced_server

* cpe:/o:redhat:enterprise_linux:2.1::advanced_server_ia64

* cpe:/o:redhat:enterprise_linux:2.1::enterprise_server

* cpe:/o:redhat:enterprise_linux:2.1::enterprise_server_ia64

* cpe:/o:redhat:enterprise_linux:2.1::workstation

* cpe:/o:redhat:enterprise_linux:2.1::workstation_ia64

* cpe:/o:redhat:enterprise_linux:3.0::advanced_server

* cpe:/o:redhat:enterprise_linux:3.0::enterprise_server

* cpe:/o:redhat:enterprise_linux:3.0::workstation_server

* cpe:/o:redhat:enterprise_linux:4.0::advanced_server

* cpe:/o:redhat:enterprise_linux:4.0::enterprise_server

* cpe:/o:redhat:enterprise_linux:4.0::workstation

* cpe:/o:redhat:enterprise_linux_desktop:3.0

* cpe:/o:redhat:enterprise_linux_desktop:4.0

* cpe:/o:redhat:fedora_core:core_1.0

* cpe:/o:redhat:fedora_core:core_2.0

* cpe:/o:redhat:fedora_core:core_3.0

* cpe:/o:redhat:fedora_core:core_4.0

* cpe:/o:redhat:linux:7.3::i386

* cpe:/o:redhat:linux:9.0::i386

* cpe:/o:redhat:linux_advanced_workstation:2.1::ia64

* cpe:/o:redhat:linux_advanced_workstation:2.1::itanium

* cpe:/o:sco:openserver:5.0.7

* cpe:/o:sco:openserver:6.0

* cpe:/o:slackware:slackware_linux:10.0

* cpe:/o:slackware:slackware_linux:10.1

* cpe:/o:slackware:slackware_linux:10.2

* cpe:/o:slackware:slackware_linux:9.0

* cpe:/o:slackware:slackware_linux:9.1

* cpe:/o:suse:suse_linux:1.0

* cpe:/o:suse:suse_linux:10.0::oss

* cpe:/o:suse:suse_linux:10.0::professional

* cpe:/o:suse:suse_linux:9.0::enterprise_server

* cpe:/o:suse:suse_linux:9.0::personal

* cpe:/o:suse:suse_linux:9.0::professional

* cpe:/o:suse:suse_linux:9.0::s_390

* cpe:/o:suse:suse_linux:9.0::x86_64

* cpe:/o:suse:suse_linux:9.1::personal

* cpe:/o:suse:suse_linux:9.1::professional

* cpe:/o:suse:suse_linux:9.1::x86_64

* cpe:/o:suse:suse_linux:9.2::personal

* cpe:/o:suse:suse_linux:9.2::professional

* cpe:/o:suse:suse_linux:9.2::x86_64

* cpe:/o:suse:suse_linux:9.3::personal

* cpe:/o:suse:suse_linux:9.3::professional

* cpe:/o:suse:suse_linux:9.3::x86_64

* cpe:/o:trustix:secure_linux:2.0

* cpe:/o:trustix:secure_linux:2.2

* cpe:/o:trustix:secure_linux:3.0

* cpe:/o:turbolinux:turbolinux:10

* cpe:/o:turbolinux:turbolinux:fuji

* cpe:/o:turbolinux:turbolinux_appliance_server:1.0_hosting_edition

* cpe:/o:turbolinux:turbolinux_appliance_server:1.0_workgroup_edition

* cpe:/o:turbolinux:turbolinux_desktop:10.0

* cpe:/o:turbolinux:turbolinux_home

* cpe:/o:turbolinux:turbolinux_multimedia

* cpe:/o:turbolinux:turbolinux_personal

* cpe:/o:turbolinux:turbolinux_server:10.0

* cpe:/o:turbolinux:turbolinux_server:10.0_x86

* cpe:/o:turbolinux:turbolinux_server:8.0

* cpe:/o:turbolinux:turbolinux_workstation:8.0

* cpe:/o:ubuntu:ubuntu_linux:4.1::ia64

* cpe:/o:ubuntu:ubuntu_linux:4.1::ppc

* cpe:/o:ubuntu:ubuntu_linux:5.04::amd64

* cpe:/o:ubuntu:ubuntu_linux:5.04::i386

* cpe:/o:ubuntu:ubuntu_linux:5.04::powerpc

* cpe:/o:ubuntu:ubuntu_linux:5.10::amd64

* cpe:/o:ubuntu:ubuntu_linux:5.10::i386

* cpe:/o:ubuntu:ubuntu_linux:5.10::powerpc

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625