CVE-2009-3604
Summary
| CVE | CVE-2009-3604 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2009-10-21 17:30:00 UTC |
| Updated | 2026-04-23 00:35:47 UTC |
| Description | The Splash::drawImage function in Splash.cc in Xpdf 2.x and 3.x before 3.02pl4, and Poppler 0.x, as used in GPdf and kdegraphics KPDF, does not properly allocate memory, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF document that triggers a NULL pointer dereference or a heap-based buffer overflow. |
Risk And Classification
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality | Complete |
| Integrity | Complete |
| Availability | Complete |
| Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Foolabs | Xpdf | 3.02pl1 | All | All | All |
| Application | Foolabs | Xpdf | 3.02pl2 | All | All | All |
| Application | Foolabs | Xpdf | 3.02pl3 | All | All | All |
| Application | Glyphandcog | Xpdfreader | 2.00 | All | All | All |
| Application | Glyphandcog | Xpdfreader | 2.01 | All | All | All |
| Application | Glyphandcog | Xpdfreader | 2.02 | All | All | All |
| Application | Glyphandcog | Xpdfreader | 2.03 | All | All | All |
| Application | Glyphandcog | Xpdfreader | 3.00 | All | All | All |
| Application | Glyphandcog | Xpdfreader | 3.01 | All | All | All |
| Application | Glyphandcog | Xpdfreader | 3.02 | All | All | All |
| Application | Gnome | Gpdf | All | All | All | All |
| Application | Kde | Kpdf | All | All | All | All |
| Application | Poppler | Poppler | 0.1 | All | All | All |
| Application | Poppler | Poppler | 0.1.1 | All | All | All |
| Application | Poppler | Poppler | 0.1.2 | All | All | All |
| Application | Poppler | Poppler | 0.10.0 | All | All | All |
| Application | Poppler | Poppler | 0.10.1 | All | All | All |
| Application | Poppler | Poppler | 0.10.2 | All | All | All |
| Application | Poppler | Poppler | 0.10.3 | All | All | All |
| Application | Poppler | Poppler | 0.10.4 | All | All | All |
| Application | Poppler | Poppler | 0.10.5 | All | All | All |
| Application | Poppler | Poppler | 0.10.6 | All | All | All |
| Application | Poppler | Poppler | 0.10.7 | All | All | All |
| Application | Poppler | Poppler | 0.11.0 | All | All | All |
| Application | Poppler | Poppler | 0.11.1 | All | All | All |
| Application | Poppler | Poppler | 0.11.2 | All | All | All |
| Application | Poppler | Poppler | 0.11.3 | All | All | All |
| Application | Poppler | Poppler | 0.12.0 | All | All | All |
| Application | Poppler | Poppler | 0.2.0 | All | All | All |
| Application | Poppler | Poppler | 0.3.0 | All | All | All |
| Application | Poppler | Poppler | 0.3.1 | All | All | All |
| Application | Poppler | Poppler | 0.3.2 | All | All | All |
| Application | Poppler | Poppler | 0.3.3 | All | All | All |
| Application | Poppler | Poppler | 0.4.0 | All | All | All |
| Application | Poppler | Poppler | 0.4.1 | All | All | All |
| Application | Poppler | Poppler | 0.4.2 | All | All | All |
| Application | Poppler | Poppler | 0.4.3 | All | All | All |
| Application | Poppler | Poppler | 0.4.4 | All | All | All |
| Application | Poppler | Poppler | 0.5.0 | All | All | All |
| Application | Poppler | Poppler | 0.5.1 | All | All | All |
| Application | Poppler | Poppler | 0.5.2 | All | All | All |
| Application | Poppler | Poppler | 0.5.3 | All | All | All |
| Application | Poppler | Poppler | 0.5.4 | All | All | All |
| Application | Poppler | Poppler | 0.5.9 | All | All | All |
| Application | Poppler | Poppler | 0.5.90 | All | All | All |
| Application | Poppler | Poppler | 0.5.91 | All | All | All |
| Application | Poppler | Poppler | 0.6.0 | All | All | All |
| Application | Poppler | Poppler | 0.6.1 | All | All | All |
| Application | Poppler | Poppler | 0.6.2 | All | All | All |
| Application | Poppler | Poppler | 0.6.3 | All | All | All |
| Application | Poppler | Poppler | 0.6.4 | All | All | All |
| Application | Poppler | Poppler | 0.7.0 | All | All | All |
| Application | Poppler | Poppler | 0.7.1 | All | All | All |
| Application | Poppler | Poppler | 0.7.2 | All | All | All |
| Application | Poppler | Poppler | 0.7.3 | All | All | All |
| Application | Poppler | Poppler | 0.8.0 | All | All | All |
| Application | Poppler | Poppler | 0.8.1 | All | All | All |
| Application | Poppler | Poppler | 0.8.2 | All | All | All |
| Application | Poppler | Poppler | 0.8.3 | All | All | All |
| Application | Poppler | Poppler | 0.8.4 | All | All | All |
| Application | Poppler | Poppler | 0.8.5 | All | All | All |
| Application | Poppler | Poppler | 0.8.6 | All | All | All |
| Application | Poppler | Poppler | 0.8.7 | All | All | All |
| Application | Poppler | Poppler | 0.9.0 | All | All | All |
| Application | Poppler | Poppler | 0.9.1 | All | All | All |
| Application | Poppler | Poppler | 0.9.2 | All | All | All |
| Application | Poppler | Poppler | 0.9.3 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] Fedora 11 Update: poppler-0.10.7-3.fc11 | af854a3a-2127-422b-91ae-364da2661108 | www.redhat.com | |
| Webmail \| OVH- OVH | af854a3a-2127-422b-91ae-364da2661108 | www.vupen.com | |
| sunsolve.sun.com/search/document.do | af854a3a-2127-422b-91ae-364da2661108 | sunsolve.sun.com | |
| Red Hat update for xpdf - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| rhn.redhat.com \| Red Hat Support | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| 526911 – (CVE-2009-3604) CVE-2009-3604 xpdf/poppler: Splash::drawImage integer overflow and missing allocation return value check | af854a3a-2127-422b-91ae-364da2661108 | bugzilla.redhat.com | Patch |
| poppler/poppler - The poppler pdf rendering library (mirrored from https://gitlab.freedesktop.org/poppler/poppler) | af854a3a-2127-422b-91ae-364da2661108 | cgit.freedesktop.org | |
| Ubuntu update for poppler - Secunia Advisories - Vulnerability Information - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| KDE KPDF Multiple Vulnerabilities - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| Red Hat update for gpdf - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| [SECURITY] Fedora 12 Update: pdfedit-0.4.3-4.fc12 | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| USN-850-3: poppler vulnerabilities \| Ubuntu | af854a3a-2127-422b-91ae-364da2661108 | www.ubuntu.com | |
| Debian update for kdegraphics - Advisories - Community | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| sunsolve.sun.com/search/document.do | af854a3a-2127-422b-91ae-364da2661108 | sunsolve.sun.com | |
| site.pi3.com.pl/adv/xpdf.txt | af854a3a-2127-422b-91ae-364da2661108 | site.pi3.com.pl | Exploit |
| Support / Security / Advisories / / MDVSA-2009:287 \| Mandriva | af854a3a-2127-422b-91ae-364da2661108 | www.mandriva.com | |
| [security-announce] SUSE Security Summary Report: SUSE-SR:2009:018 | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| rhn.redhat.com \| Red Hat Support | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| IBM X-Force Exchange | af854a3a-2127-422b-91ae-364da2661108 | exchange.xforce.ibmcloud.com | |
| [SECURITY] Fedora 10 Update: poppler-0.8.7-7.fc10 | af854a3a-2127-422b-91ae-364da2661108 | www.redhat.com | |
| [SECURITY] Fedora 11 Update: pdfedit-0.4.3-4.fc11 | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| Support / Security / Advisories / / MDVSA-2011:175 \| Mandriva | af854a3a-2127-422b-91ae-364da2661108 | www.mandriva.com | |
| Red Hat update for kdegraphics - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch | af854a3a-2127-422b-91ae-364da2661108 | ftp.foolabs.com | Patch |
| rhn.redhat.com \| Red Hat Support | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| Webmail : Solution de messagerie professionnelle - OVHcloud- OVH | af854a3a-2127-422b-91ae-364da2661108 | www.vupen.com | Patch, Vendor Advisory |
| Support / Security / Advisories / / MDVSA-2010:087 \| Mandriva | af854a3a-2127-422b-91ae-364da2661108 | www.mandriva.com | |
| rhn.redhat.com \| Red Hat Support | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| Xpdf Multiple Integer Overflow Vulnerabilities | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Exploit, Patch |
| Webmail \| OVH- OVH | af854a3a-2127-422b-91ae-364da2661108 | www.vupen.com | |
| Poppler Multiple Vulnerabilities - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| USN-850-1: poppler vulnerabilities \| Ubuntu | af854a3a-2127-422b-91ae-364da2661108 | www.ubuntu.com | |
| SecurityTracker.com Archives - Xpdf Integer Overflows Let Remote Users Execute Arbitrary Code | af854a3a-2127-422b-91ae-364da2661108 | securitytracker.com | |
| Debian -- Security Information -- DSA-2028-1 xpdf | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| Red Hat update for xpdf - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| Webmail : Solution de messagerie professionnelle - OVHcloud- OVH | af854a3a-2127-422b-91ae-364da2661108 | www.vupen.com | |
| Webmail \| OVH- OVH | af854a3a-2127-422b-91ae-364da2661108 | www.vupen.com | Patch, Vendor Advisory |
| Xpdf Multiple Vulnerabilities - Secunia Advisories - Vulnerability Information - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| Debian update for xpdf - Advisories - Community | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| [SECURITY] Fedora 13 Update: pdfedit-0.4.3-4.fc13 | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| Repository / Oval Repository | af854a3a-2127-422b-91ae-364da2661108 | oval.cisecurity.org | |
| Red Hat update for kdegraphics - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| rhn.redhat.com \| Red Hat Support | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| poppler/poppler - The poppler pdf rendering library (mirrored from https://gitlab.freedesktop.org/poppler/poppler) | af854a3a-2127-422b-91ae-364da2661108 | cgit.freedesktop.org | |
| Debian -- Security Information -- DSA-2050-1 kdegraphics | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| Fedora update for poppler - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Red Hat Customer Portal | MITRE | access.redhat.com | |
| access.redhat.com \| CVE-2009-3604 | MITRE | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.