National Vulnerability Database (NVD) National Vulnerability Database (CVE-2009-1180)

National Cyber-Alert System

Vulnerability Summary for CVE-2009-1180

Original release date:04/23/2009

Last revised:07/15/2009

Source: US-CERT/NIST

Overview

The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file that triggers a free of invalid data.

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type:Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

US-CERT Vulnerability Note: VU#196617

Name: VU#196617

Hyperlink:http://www.kb.cert.org/vuls/id/196617

External Source: VUPEN

Name: ADV-2009-1076

Type: Advisory; Patch Information

Hyperlink:http://www.vupen.com/english/advisories/2009/1076

External Source: VUPEN

Name: ADV-2009-1066

Type: Advisory; Patch Information

Hyperlink:http://www.vupen.com/english/advisories/2009/1066

External Source: VUPEN

Name: ADV-2009-1065

Type: Advisory; Patch Information

Hyperlink:http://www.vupen.com/english/advisories/2009/1065

External Source: BID

Name: 34568

Type: Patch Information

Hyperlink:http://www.securityfocus.com/bid/34568

External Source: REDHAT

Name: RHSA-2009:0480

Type: Patch Information

Hyperlink:http://www.redhat.com/support/errata/RHSA-2009-0480.html

External Source: REDHAT

Name: RHSA-2009:0431

Type: Patch Information

Hyperlink:http://www.redhat.com/support/errata/RHSA-2009-0431.html

External Source: REDHAT

Name: RHSA-2009:0430

Type: Patch Information

Hyperlink:http://www.redhat.com/support/errata/RHSA-2009-0430.html

External Source: REDHAT

Name: RHSA-2009:0429

Type: Patch Information

Hyperlink:http://www.redhat.com/support/errata/RHSA-2009-0429.html

External Source: DEBIAN

Name: DSA-1793

Type: Patch Information

Hyperlink:http://www.debian.org/security/2009/dsa-1793

External Source: DEBIAN

Name: DSA-1790

Type: Patch Information

Hyperlink:http://www.debian.org/security/2009/dsa-1790

External Source: REDHAT

Name: RHSA-2009:0458

Type: Patch Information

Hyperlink:http://rhn.redhat.com/errata/RHSA-2009-0458.html

External Source: CONFIRM

Name: http://poppler.freedesktop.org/releases.html

Type: Advisory; Patch Information

Hyperlink:http://poppler.freedesktop.org/releases.html

External Source: FEDORA

Name: FEDORA-2009-6982

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01291.html

External Source: FEDORA

Name: FEDORA-2009-6973

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01277.html

External Source: FEDORA

Name: FEDORA-2009-6972

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00567.html

External Source: CONFIRM

Name: https://bugzilla.redhat.com/show_bug.cgi?id=495892

Hyperlink:https://bugzilla.redhat.com/show_bug.cgi?id=495892

External Source: VUPEN

Name: ADV-2009-1077

Type: Advisory

Hyperlink:http://www.vupen.com/english/advisories/2009/1077

External Source: SECTRACK

Name: 1022073

Hyperlink:http://www.securitytracker.com/id?1022073

External Source: MANDRIVA

Name: MDVSA-2009:101

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2009:101

External Source: SLACKWARE

Name: SSA:2009-129-01

Hyperlink:http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.578477

External Source: SECUNIA

Name: 35685

Type: Advisory

Hyperlink:http://secunia.com/advisories/35685

External Source: SECUNIA

Name: 35618

Type: Advisory

Hyperlink:http://secunia.com/advisories/35618

External Source: SECUNIA

Name: 35065

Type: Advisory

Hyperlink:http://secunia.com/advisories/35065

External Source: SECUNIA

Name: 35064

Type: Advisory

Hyperlink:http://secunia.com/advisories/35064

External Source: SECUNIA

Name: 35037

Type: Advisory

Hyperlink:http://secunia.com/advisories/35037

External Source: SECUNIA

Name: 34991

Type: Advisory

Hyperlink:http://secunia.com/advisories/34991

External Source: SECUNIA

Name: 34963

Type: Advisory

Hyperlink:http://secunia.com/advisories/34963

External Source: SECUNIA

Name: 34959

Type: Advisory

Hyperlink:http://secunia.com/advisories/34959

External Source: SECUNIA

Name: 34852

Type: Advisory

Hyperlink:http://secunia.com/advisories/34852

External Source: SECUNIA

Name: 34756

Type: Advisory

Hyperlink:http://secunia.com/advisories/34756

External Source: SECUNIA

Name: 34755

Type: Advisory

Hyperlink:http://secunia.com/advisories/34755

External Source: SECUNIA

Name: 34746

Type: Advisory

Hyperlink:http://secunia.com/advisories/34746

External Source: SECUNIA

Name: 34481

Type: Advisory

Hyperlink:http://secunia.com/advisories/34481

External Source: SECUNIA

Name: 34291

Type: Advisory

Hyperlink:http://secunia.com/advisories/34291

External Source: SUSE

Name: SUSE-SR:2009:012

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html

External Source: SUSE

Name: SUSE-SR:2009:010

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html

External Source: SUSE

Name: SUSE-SA:2009:024

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00011.html

Vulnerable software and versions

Configuration 1

* cpe:/a:foolabs:xpdf:3.02 and previous versions

* cpe:/a:foolabs:xpdf:3.00

* cpe:/a:foolabs:xpdf:3.01

* cpe:/a:foolabs:xpdf:2.03

* cpe:/a:foolabs:xpdf:2.02

* cpe:/a:foolabs:xpdf:2.01

* cpe:/a:foolabs:xpdf:2.00

* cpe:/a:foolabs:xpdf:1.01

* cpe:/a:foolabs:xpdf:1.00a

* cpe:/a:foolabs:xpdf:1.00

* cpe:/a:foolabs:xpdf:0.93c

* cpe:/a:foolabs:xpdf:0.93b

* cpe:/a:foolabs:xpdf:0.93a

* cpe:/a:foolabs:xpdf:0.93

* cpe:/a:foolabs:xpdf:0.92e

* cpe:/a:foolabs:xpdf:0.92d

* cpe:/a:foolabs:xpdf:0.92c

* cpe:/a:foolabs:xpdf:0.92b

* cpe:/a:foolabs:xpdf:0.92a

* cpe:/a:foolabs:xpdf:0.92

* cpe:/a:foolabs:xpdf:0.91c

* cpe:/a:foolabs:xpdf:0.91b

* cpe:/a:foolabs:xpdf:0.91a

* cpe:/a:foolabs:xpdf:0.91

* cpe:/a:foolabs:xpdf:0.90

* cpe:/a:foolabs:xpdf:0.80

* cpe:/a:foolabs:xpdf:0.7a

* cpe:/a:foolabs:xpdf:0.7

* cpe:/a:foolabs:xpdf:0.6

* cpe:/a:foolabs:xpdf:0.5a

* cpe:/a:foolabs:xpdf:0.5

* cpe:/a:foolabs:xpdf:0.4

* cpe:/a:foolabs:xpdf:0.3

* cpe:/a:foolabs:xpdf:0.2

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

Resource Management Errors (CWE-399)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1180