#VU32603 Input validation error in Poppler - CVE-2013-4474

Cybersecurity Help s.r.o.

Published: 2013-11-23 | Updated: 2020-07-29

Vulnerability identifier: #VU32603

Vulnerability risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2013-4474

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Poppler
Client/Desktop applications / Office applications

Vendor: Freedesktop.org

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Format string vulnerability in the extractPages function in utils/pdfseparate.cc in poppler before 0.24.3 allows remote attackers to cause a denial of service (crash) via format string specifiers in a destination filename.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Poppler: 0.24.0 - 0.24.2

External links
https://bugs.debian.org/723124
https://cgit.freedesktop.org/poppler/poppler/commit/?id=61f79b8447c3ac8ab5a26e79e0c28053ffdccf75
https://secunia.com/advisories/56567
https://security.gentoo.org/glsa/glsa-201401-21.xml
https://www.openwall.com/lists/oss-security/2013/10/29/1
https://www.securityfocus.com/bid/63374
https://www.ubuntu.com/usn/USN-2958-1
https://bugs.freedesktop.org/show_bug.cgi?id=69434

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Gentoo update for Poppler

Input validation error in poppler (Alpine package)

Input validation error in Freedesktop Poppler