
CVE-2009-3050

Published: 2 September 2009

Buffer overflow in the set_page_size function in util.cxx in HTMLDOC 1.8.27 and earlier allows context-dependent attackers to execute arbitrary code via a long MEDIA SIZE comment. NOTE: it was later reported that there were additional vectors in htmllib.cxx and ps-pdf.cxx using an AFM font file with a long glyph name, but these vectors do not cross privilege boundaries.
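
The vector above is a long MEDIA SIZE comment, and the Fedora patch listed below is titled "scanf-overflows". As an added example (not HTMLDOC's own code), the parser below accepts that comment value with a bounded conversion and rejects an over-long units token instead of overrunning a fixed buffer; it assumes the value form "<width>x<height><units>" (e.g. "8.5x11in") and uses hypothetical function names.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not HTMLDOC's code: assumes a value "<width>x<height><units>"
 * (e.g. "8.5x11in") and an unbounded "%s" into a fixed buffer as the defect. */
#define UNITS_MAX 15                    /* longest units token accepted */

typedef struct { double width, height; char units[UNITS_MAX + 1]; } page_size_t;

/* Parse a MEDIA SIZE value. Returns 1 on success, 0 on malformed input or an
 * over-long units token. The "%16s" width (UNITS_MAX + 1) keeps sscanf inside
 * units[], which is one byte larger still so truncation can be detected. */
int parse_media_size(const char *value, page_size_t *out)
{
    char units[UNITS_MAX + 2];
    int  consumed = 0;

    /* An unbounded "%s" here would let a long token overrun units[]. */
    if (sscanf(value, "%lfx%lf%16s%n", &out->width, &out->height,
               units, &consumed) != 3)
        return 0;
    if (strlen(units) > UNITS_MAX)      /* token longer than allowed */
        return 0;
    if (value[consumed] != '\0')        /* trailing junk after the units */
        return 0;
    if (out->width <= 0 || out->height <= 0)
        return 0;
    strcpy(out->units, units);          /* safe: length checked above */
    return 1;
}

/* Accept a comment body "MEDIA SIZE <value>" with optional leading blanks. */
int parse_media_size_comment(const char *comment, page_size_t *out)
{
    static const char prefix[] = "MEDIA SIZE ";
    while (*comment == ' ' || *comment == '\t')
        comment++;
    if (strncmp(comment, prefix, sizeof prefix - 1) != 0)
        return 0;
    return parse_media_size(comment + sizeof prefix - 1, out);
}

/* Constructed over-long input ("8.5x11" then ~300 'A's); returns 1 if rejected. */
int overlong_units_rejected(void)
{
    char value[320]; page_size_t ps;
    memset(value, 'A', sizeof value - 1); value[sizeof value - 1] = '\0';
    memcpy(value, "8.5x11", 6);
    return parse_media_size(value, &ps) == 0;
}
```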

Notes

Author: mdeslaur
Note:
PoC: http://packetstormsecurity.org/0907-exploits/htmldoc-overflow.txt
other PoC: http://milw0rm.com/exploits/9190
stack smashing is detected by hardy+, so setting priority to low
Priority

Low

Status

Package: htmldoc (Launchpad, Ubuntu, Debian)

Release   Status          Note
dapper    Ignored         (reached end-of-life)
hardy     Ignored         (reached end-of-life)
intrepid  Needed          (reached end-of-life)
jaunty    Ignored         (reached end-of-life)
karmic    Ignored         (reached end-of-life)
lucid     Not vulnerable  (1.8.27-4.1)
maverick  Not vulnerable  (1.8.27-4.1)
natty     Not vulnerable  (1.8.27-4.1)
oneiric   Not vulnerable  (1.8.27-4.1)
upstream  Needs triage

Patches:
vendor: https://bugs.gentoo.org/attachment.cgi?id=199846
vendor: http://cvs.fedoraproject.org/viewvc/devel/htmldoc/htmldoc-1.8.27-scanf-overflows.patch?revision=1.1&view=markup