Multiple heap-based buffer overflows in the PDF distiller in the Attachment Service in Research in Motion (RIM) BlackBerry Enterprise Server (BES) 4.1.3 through 4.1.6, BlackBerry Professional Software 4.1.4, and BlackBerry Unite! before 1.0.3 bundle 28 allow user-assisted remote attackers to execute arbitrary code via (1) a crafted stream in a .pdf file, related to "symWidths"; or (2) a crafted data stream in a .pdf file, related to "bitmaps."
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
| Link | Tags |
|---|---|
| http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17118 | vendor advisory |
| http://www.securityfocus.com/bid/33224 | vdb entry |
| http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17119 | vendor advisory |
| http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=765 | third party advisory |
| http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=764 | third party advisory |
| http://secunia.com/advisories/33534 | third party advisory vendor advisory |