CVE-2009-3603

NameCVE-2009-3603
DescriptionInteger overflow in the SplashBitmap::SplashBitmap function in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1 might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2009-1188.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-1941-1, DSA-2028-1, DSA-2050-1
Debian Bugs551287, 551289, 551290

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
poppler (PTS)jessie, jessie (lts)0.26.5-2+deb8u16fixed
stretch (security)0.48.0-2+deb9u4fixed
stretch (lts), stretch0.48.0-2+deb9u6fixed
buster (security), buster, buster (lts)0.71.0-5+deb10u3fixed
bullseye (security), bullseye20.09.0-3.1+deb11u1fixed
bookworm22.12.0-2fixed
sid, trixie24.08.0-3fixed
swftools (PTS)jessie0.9.2+git20130725-2fixed
stretch0.9.2+git20130725-4.1fixed
xpdf (PTS)jessie3.03-17fixed
stretch3.04-4fixed
buster3.04-13fixed
bullseye3.04+git20210103-3fixed
bookworm3.04+git20220601-1fixed
sid, trixie3.04+git20240613-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
kdegraphicssourcelenny4:3.5.9-3+lenny3DSA-2050-1
kdegraphicssource(unstable)4:4.0medium551290
popplersourcelenny0.8.7-3DSA-1941-1
popplersource(unstable)0.12.2-1medium551289
swftoolssource(unstable)0.9.2+ds1-2
xpdfsourcelenny3.02-1.4+lenny2DSA-2028-1
xpdfsource(unstable)3.02-2medium551287

Search for package or bug name: Reporting problems