PT-2010-1014 · Poppler+3 · Poppler+3

Tomas Hoger

Published

2010-10-07

Updated

2019-03-06

CVE-2010-3704

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions xpdf versions prior to 3.02pl5 poppler versions prior to 0.15.1 kdegraphics version 3.3.1

Description The issue is related to a lack of input validation in the PDF parser, which allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via a crafted PostScript Type1 font. This can lead to memory corruption. The vulnerability can be exploited remotely, potentially allowing attackers to access confidential data, disrupt its integrity, and cause a denial of service.

Recommendations For xpdf versions prior to 3.02pl5, update to version 3.02pl5 or later. For poppler versions prior to 0.15.1, update to version 0.15.1 or later. For kdegraphics version 3.3.1, consider disabling the Gfx::getPos function or restricting access to the PDF parser until a patch is available.

Fix

DoS

RCE

NULL Pointer Dereference

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20CWE-476

Related Identifiers

BDU:2015-02166

BDU:2015-06215

BDU:2015-06219

BDU:2015-08628

BDU:2015-08629

CVE-2010-3704

DSA-2119-1

DSA-2135-1

RHSA-2010:0749

RHSA-2010:0751

RHSA-2010:0752

RHSA-2010:0753

RHSA-2010:0859

RHSA-2010_0749

RHSA-2010_0751

RHSA-2010_0752

RHSA-2010_0753

RHSA-2010_0859

RHSA-2012:1201

RHSA-2012_1201

USN-1005-1

Affected Products

Red Hat

Kdegraphics

Poppler

Xpdf

PT-2010-1014 · Poppler+3 · Poppler+3

CVE-2010-3704

Weakness Enumeration

Related Identifiers

Affected Products

References · 111