CVE-2009-3050
Published: 2 September 2009
Buffer overflow in the set_page_size function in util.cxx in HTMLDOC 1.8.27 and earlier allows context-dependent attackers to execute arbitrary code via a long MEDIA SIZE comment. NOTE: it was later reported that there were additional vectors in htmllib.cxx and ps-pdf.cxx using an AFM font file with a long glyph name, but these vectors do not cross privilege boundaries.
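The overflow class the description names, as an added illustration that is not HTMLDOC's own code (the actual set_page_size source is not on this page): a MEDIA SIZE value is assumed to look like `8.5x11in`, with the unit suffix read by sscanf into a fixed stack buffer, which is the scanf-overflow pattern the Fedora patch name refers to. The unbounded `%s` form is shown beside a bounded form that also rejects truncated input; the accepted unit list is an assumption.

```c
#include <stdio.h>
#include <string.h>

#define UNITS_LEN 16  /* fixed unit-suffix buffer (illustrative size) */

/* Constructed sample: a MEDIA SIZE value whose unit suffix is far longer
 * than the buffer, the shape of input the advisory describes. */
static const char OVERLONG_MEDIA_SIZE[] =
    "8.5x11AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Vulnerable shape: "%s" has no field width, so a suffix longer than
 * UNITS_LEN-1 bytes overruns units[] on the stack. Comparison only. */
int parse_media_size_unbounded(const char *size, float *w, float *l)
{
    char units[UNITS_LEN];
    return sscanf(size, "%fx%f%s", w, l, units) == 3;
}

/* Hardened shape: the field width (UNITS_LEN-1) bounds the copy and keeps
 * room for the NUL; %n records how much input was consumed, so a truncated
 * suffix is rejected rather than accepted with a silently wrong unit.
 * The accepted unit list is an assumption. */
int parse_media_size_bounded(const char *size, float *w, float *l,
                             char units[UNITS_LEN])
{
    static const char *allowed[] = { "in", "mm", "cm", "pt" };
    int consumed = 0;
    if (sscanf(size, "%fx%f%15s%n", w, l, units, &consumed) != 3)
        return 0;                 /* width, length or unit missing */
    if (size[consumed] != '\0')
        return 0;                 /* suffix did not fit: treat as malformed */
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(units, allowed[i]) == 0)
            return 1;
    return 0;                     /* unknown unit */
}

/* Thin wrappers that return plain results for direct checking. */
int media_size_ok(const char *size)
{
    float w, l;
    char units[UNITS_LEN];
    return parse_media_size_bounded(size, &w, &l, units);
}

int media_size_matches(const char *size, float ew, float el, const char *eu)
{
    float w = 0, l = 0;
    char units[UNITS_LEN] = "";
    return parse_media_size_bounded(size, &w, &l, units)
        && w == ew && l == el && strcmp(units, eu) == 0;
}
```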
Notes
Author | Note |
---|---|
mdeslaur | PoC: http://packetstormsecurity.org/0907-exploits/htmldoc-overflow.txt other PoC: http://milw0rm.com/exploits/9190 stack smashing is detected by hardy+, so setting priority to low |
Priority
Status
Package | Release | Status |
---|---|---|
htmldoc (Launchpad, Ubuntu, Debian) | dapper | Ignored (end of life) |
htmldoc | hardy | Ignored (end of life) |
htmldoc | intrepid | Ignored (end of life, was needed) |
htmldoc | jaunty | Ignored (end of life) |
htmldoc | karmic | Ignored (end of life) |
htmldoc | lucid | Not vulnerable (1.8.27-4.1) |
htmldoc | maverick | Not vulnerable (1.8.27-4.1) |
htmldoc | natty | Not vulnerable (1.8.27-4.1) |
htmldoc | upstream | Needs triage |

Patches:
vendor: https://bugs.gentoo.org/attachment.cgi?id=199846
vendor: http://cvs.fedoraproject.org/viewvc/devel/htmldoc/htmldoc-1.8.27-scanf-overflows.patch?revision=1.1&view=markup