Fluid Attacks Database

Description

The Splash::drawImage function in Splash.cc in Xpdf 2.x and 3.x before 3.02pl4, and Poppler 0.x, as used in GPdf and kdegraphics KPDF, does not properly allocate memory, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF document that triggers a NULL pointer dereference or a heap-based buffer overflow.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	xpdf	>=0 <3.02-2	3.02-2
debian 14	xpdf	>=0 <3.02-2	3.02-2
rpm rhel5	kdegraphics	<7:3.5.4-15.el5_4.2	7:3.5.4-15.el5_4.2
debian 13	xpdf	>=0 <3.02-2	3.02-2
debian 12	poppler	>=0 <0.12.2-1	0.12.2-1
rpm rhel5	poppler	<0:0.5.4-4.4.el5_3.9	0:0.5.4-4.4.el5_3.9
debian 11	poppler	>=0 <0.12.2-1	0.12.2-1
debian 12	xpdf	>=0 <3.02-2	3.02-2
debian 13	poppler	>=0 <0.12.2-1	0.12.2-1
debian 14	poppler	>=0 <0.12.2-1	0.12.2-1

Aliases

1. CVE-2009-36042. NVD-2009-36043. OSV-DEBIAN-2009-36044. OSV-2009-36045. SECURITY-TRACKER-CVE-2009-3604

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.