CVE-2008-1693

Description

The CairoFont::create function in CairoFontEngine.cc in Poppler, possibly before 0.8.0, as used in Xpdf, Evince, ePDFview, KWord, and other applications, does not properly handle embedded fonts in PDF files, which allows remote attackers to execute arbitrary code via a crafted font object, related to dereferencing a function pointer associated with the type of this font object.

References

Link	Tags
http://secunia.com/advisories/29869	third party advisory
http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html	vendor advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2008:173	vendor advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11226	vdb entry signature
http://www.vupen.com/english/advisories/2008/1265/references	vdb entry
http://www.mandriva.com/security/advisories?name=MDVSA-2008:089	vendor advisory
http://secunia.com/advisories/29884	third party advisory
http://secunia.com/advisories/30019	third party advisory
http://secunia.com/advisories/29885	third party advisory
http://securitytracker.com/id?1019893	vdb entry
http://www.securityfocus.com/bid/28830	vdb entry
http://secunia.com/advisories/29853	third party advisory
http://secunia.com/advisories/29851	third party advisory
http://secunia.com/advisories/29816	third party advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2008:197	vendor advisory
http://www.redhat.com/support/errata/RHSA-2008-0239.html	vendor advisory
http://www.debian.org/security/2008/dsa-1548	patch vendor advisory
http://www.debian.org/security/2008/dsa-1606	vendor advisory
http://www.redhat.com/support/errata/RHSA-2008-0240.html	vendor advisory
http://security.gentoo.org/glsa/glsa-200804-18.xml	vendor advisory
http://secunia.com/advisories/29868	third party advisory
http://www.vupen.com/english/advisories/2008/1266/references	vdb entry
http://www.redhat.com/support/errata/RHSA-2008-0262.html	vendor advisory
http://secunia.com/advisories/31035	third party advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/41884	vdb entry
http://secunia.com/advisories/30033	third party advisory
http://secunia.com/advisories/29836	third party advisory
http://secunia.com/advisories/29834	third party advisory
http://www.redhat.com/support/errata/RHSA-2008-0238.html	vendor advisory
https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00522.html	vendor advisory
http://www.ubuntu.com/usn/usn-603-2	vendor advisory
http://www.ubuntu.com/usn/usn-603-1	vendor advisory
http://www.novell.com/linux/security/advisories/2008_13_sr.html	vendor advisory
http://secunia.com/advisories/30717	third party advisory

Frequently Asked Questions

What is the severity of CVE-2008-1693?: CVE-2008-1693 has been scored as a medium severity vulnerability.
How to fix CVE-2008-1693?: To fix CVE-2008-1693, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2008-1693 being actively exploited in the wild?: It is possible that CVE-2008-1693 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~8% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

Description

Category

CWE-20 – Improper Input Validation

References

Frequently Asked Questions