7.5 - CVE-2008-3639

Executive Summary

Informations
Name	CVE-2008-3639	First vendor Publication	2008-10-14
Vendor	Cve	Last vendor Modification	2018-10-03

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score	7.5	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Heap-based buffer overflow in the read_rle16 function in imagetops in CUPS before 1.3.9 allows remote attackers to execute arbitrary code via an SGI image with malformed Run Length Encoded (RLE) data containing a small image and a large row count.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3639

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-119	Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:11464

Oval ID:	oval:org.mitre.oval:def:11464
Title:	Heap-based buffer overflow in the read_rle16 function in imagetops in CUPS before 1.3.9 allows remote attackers to execute arbitrary code via an SGI image with malformed Run Length Encoded (RLE) data containing a small image and a large row count.
Description:	Heap-based buffer overflow in the read_rle16 function in imagetops in CUPS before 1.3.9 allows remote attackers to execute arbitrary code via an SGI image with malformed Run Length Encoded (RLE) data containing a small image and a large row count.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2008-3639	Version:	5
Platform(s):	Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5	Product(s):
Definition Synopsis:
OS Section: RHEL3, CentOS3 RHEL3 or CentOS3 The operating system installed on the system is Red Hat Enterprise Linux 3 AND CentOS Linux 3.x AND Configuration section cups-devel is earlier than 1:1.1.17-13.3.54 AND cups is earlier than 1:1.1.17-13.3.54 AND cups-libs is earlier than 1:1.1.17-13.3.54 OR OS Section: RHEL4, CentOS4, Oracle Linux 4 RHEL4, CentOS4 or Oracle Linux 4 The operating system installed on the system is Red Hat Enterprise Linux 4 AND CentOS Linux 4.x AND Oracle Linux 4.x AND Configuration section cups-devel is earlier than 1:1.1.22-0.rc1.9.27.el4_7.1 AND cups is earlier than 1:1.1.22-0.rc1.9.27.el4_7.1 AND cups-libs is earlier than 1:1.1.22-0.rc1.9.27.el4_7.1 OR OS Section: RHEL5, CentOS5, Oracle Linux 5 RHEL5, CentOS5 or Oracle Linux 5 The operating system installed on the system is Red Hat Enterprise Linux 5 AND CentOS Linux 5.x AND Oracle Linux 5.x AND Configuration section cups-lpd is earlier than 1:1.2.4-11.18.el5_2.2 AND cups-devel is earlier than 1:1.2.4-11.18.el5_2.2 AND cups is earlier than 1:1.2.4-11.18.el5_2.2 AND cups-libs is earlier than 1:1.2.4-11.18.el5_2.2

CPE : Common Platform Enumeration

Type	Description	Count
Application	Apple Cups cpe:2.3:a:apple:cups:1.3.8:::::::* cpe:2.3:a:apple:cups:1.3.7:::::::* cpe:2.3:a:apple:cups:1.3.6:::::::* cpe:2.3:a:apple:cups:1.3.5:::::::* cpe:2.3:a:apple:cups:1.3.4:::::::* cpe:2.3:a:apple:cups:1.3.3:::::::* cpe:2.3:a:apple:cups:1.3.2:::::::* cpe:2.3:a:apple:cups:1.3.1:::::::* cpe:2.3:a:apple:cups:1.3.0:::::::* cpe:2.3:a:apple:cups:1.3:rc2:::::: cpe:2.3:a:apple:cups:1.3:b1:::::: cpe:2.3:a:apple:cups:1.3:rc1:::::: cpe:2.3:a:apple:cups:1.2.9:::::::* cpe:2.3:a:apple:cups:1.2.8:::::::* cpe:2.3:a:apple:cups:1.2.7:::::::* cpe:2.3:a:apple:cups:1.2.6:::::::* cpe:2.3:a:apple:cups:1.2.5:::::::* cpe:2.3:a:apple:cups:1.2.4:::::::* cpe:2.3:a:apple:cups:1.2.3:::::::* cpe:2.3:a:apple:cups:1.2.2:::::::* cpe:2.3:a:apple:cups:1.2.12:::::::* cpe:2.3:a:apple:cups:1.2.11:::::::* cpe:2.3:a:apple:cups:1.2.10:::::::* cpe:2.3:a:apple:cups:1.2.1:::::::* cpe:2.3:a:apple:cups:1.2.0:::::::* cpe:2.3:a:apple:cups:1.2:b2:::::: cpe:2.3:a:apple:cups:1.2:rc3:::::: cpe:2.3:a:apple:cups:1.2:rc2:::::: cpe:2.3:a:apple:cups:1.2:rc1:::::: cpe:2.3:a:apple:cups:1.2:b1:::::: cpe:2.3:a:apple:cups:1.1.9-1:::::::* cpe:2.3:a:apple:cups:1.1.9:::::::* cpe:2.3:a:apple:cups:1.1.8:::::::* cpe:2.3:a:apple:cups:1.1.7:::::::* cpe:2.3:a:apple:cups:1.1.6-3:::::::* cpe:2.3:a:apple:cups:1.1.6-2:::::::* cpe:2.3:a:apple:cups:1.1.6-1:::::::* cpe:2.3:a:apple:cups:1.1.6:::::::* cpe:2.3:a:apple:cups:1.1.5-2:::::::* cpe:2.3:a:apple:cups:1.1.5-1:::::::* cpe:2.3:a:apple:cups:1.1.5:::::::* cpe:2.3:a:apple:cups:1.1.4:::::::* cpe:2.3:a:apple:cups:1.1.3:::::::* cpe:2.3:a:apple:cups:1.1.23:rc1:::::: cpe:2.3:a:apple:cups:1.1.23:::::::* cpe:2.3:a:apple:cups:1.1.22:::::::* cpe:2.3:a:apple:cups:1.1.22:rc1:::::: cpe:2.3:a:apple:cups:1.1.22:rc2:::::: cpe:2.3:a:apple:cups:1.1.21:::::::* cpe:2.3:a:apple:cups:1.1.21:-:::::: cpe:2.3:a:apple:cups:1.1.21:rc2:::::: cpe:2.3:a:apple:cups:1.1.21:rc1:::::: cpe:2.3:a:apple:cups:1.1.20:rc3:::::: cpe:2.3:a:apple:cups:1.1.20:rc2:::::: cpe:2.3:a:apple:cups:1.1.20:::::::* cpe:2.3:a:apple:cups:1.1.20:rc4:::::: cpe:2.3:a:apple:cups:1.1.20:rc1:::::: cpe:2.3:a:apple:cups:1.1.20:rc5:::::: cpe:2.3:a:apple:cups:1.1.20:rc6:::::: cpe:2.3:a:apple:cups:1.1.2:::::::* cpe:2.3:a:apple:cups:1.1.19:::::::* cpe:2.3:a:apple:cups:1.1.19:rc2:::::: cpe:2.3:a:apple:cups:1.1.19:rc5:::::: cpe:2.3:a:apple:cups:1.1.19:rc4:::::: cpe:2.3:a:apple:cups:1.1.19:rc1:::::: cpe:2.3:a:apple:cups:1.1.19:rc3:::::: cpe:2.3:a:apple:cups:1.1.18:::::::* cpe:2.3:a:apple:cups:1.1.17:::::::* cpe:2.3:a:apple:cups:1.1.16:::::::* cpe:2.3:a:apple:cups:1.1.15:::::::* cpe:2.3:a:apple:cups:1.1.14:::::::* cpe:2.3:a:apple:cups:1.1.13:::::::* cpe:2.3:a:apple:cups:1.1.12:::::::* cpe:2.3:a:apple:cups:1.1.11:::::::* cpe:2.3:a:apple:cups:1.1.10-1:::::::* cpe:2.3:a:apple:cups:1.1.10:::::::* cpe:2.3:a:apple:cups:1.1.1:::::::* cpe:2.3:a:apple:cups:1.1:::::::* cpe:2.3:a:apple:cups:::::::: cpe:2.3:a:apple:cups:-:::::::*	80

OpenVAS Exploits

Date	Description
2011-08-09	Name : CentOS Update for cups CESA-2009:0308 centos3 i386 File : nvt/gb_CESA-2009_0308_cups_centos3_i386.nasl
2009-10-13	Name : SLES10: Security update for CUPS File : nvt/sles10_cups3.nasl
2009-10-10	Name : SLES9: Security update for CUPS File : nvt/sles9p5036560.nasl
2009-04-28	Name : Fedora Core 9 FEDORA-2009-3753 (cups) File : nvt/fcore_2009_3753.nasl
2009-04-09	Name : Mandriva Update for cups MDVSA-2008:211 (cups) File : nvt/gb_mandriva_MDVSA_2008_211.nasl
2009-03-23	Name : Ubuntu Update for cupsys vulnerabilities USN-656-1 File : nvt/gb_ubuntu_USN_656_1.nasl
2009-03-06	Name : RedHat Update for cups RHSA-2008:0937-01 File : nvt/gb_RHSA-2008_0937-01_cups.nasl
2009-02-27	Name : CentOS Update for cups CESA-2008:0937 centos4 i386 File : nvt/gb_CESA-2008_0937_cups_centos4_i386.nasl
2009-02-27	Name : CentOS Update for cups CESA-2008:0937 centos4 x86_64 File : nvt/gb_CESA-2008_0937_cups_centos4_x86_64.nasl
2009-02-27	Name : CentOS Update for cups CESA-2008:0937 centos3 x86_64 File : nvt/gb_CESA-2008_0937_cups_centos3_x86_64.nasl
2009-02-27	Name : CentOS Update for cups CESA-2008:0937 centos3 i386 File : nvt/gb_CESA-2008_0937_cups_centos3_i386.nasl
2009-02-23	Name : RedHat Security Advisory RHSA-2009:0308 File : nvt/RHSA_2009_0308.nasl
2009-02-17	Name : Fedora Update for cups FEDORA-2008-8801 File : nvt/gb_fedora_2008_8801_cups_fc8.nasl
2009-02-17	Name : Fedora Update for cups FEDORA-2008-8844 File : nvt/gb_fedora_2008_8844_cups_fc9.nasl
2009-02-16	Name : Fedora Update for cups FEDORA-2008-10911 File : nvt/gb_fedora_2008_10911_cups_fc8.nasl
2009-02-16	Name : Fedora Update for cups FEDORA-2008-10917 File : nvt/gb_fedora_2008_10917_cups_fc9.nasl
2008-12-23	Name : Gentoo Security Advisory GLSA 200812-11 (cups) File : nvt/glsa_200812_11.nasl
2008-11-01	Name : FreeBSD Ports: cups-base File : nvt/freebsd_cups-base6.nasl
2008-11-01	Name : Debian Security Advisory DSA 1656-1 (cupsys) File : nvt/deb_1656_1.nasl
2008-10-14	Name : CUPS Multiple Vulnerabilities - Oct08 File : nvt/gb_cups_mult_vuln_oct08.nasl
0000-00-00	Name : Slackware Advisory SSA:2008-312-01 cups File : nvt/esoft_slk_ssa_2008_312_01.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
49131	CUPS imagetops read_rle16 Function Malformed SGI Image Handling Remote Overflow

Snort® IPS/IDS

Date	Description
2014-01-10	Apple CUPS SGI image decoding buffer overflow attempt RuleID : 17663 - Revision : 6 - Type : SERVER-OTHER

Nessus® Vulnerability Scanner

Date	Description
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-0308.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2008-0937.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20081010_cups_on_SL3_x.nasl - Type : ACT_GATHER_INFO
2009-09-24	Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12261.nasl - Type : ACT_GATHER_INFO
2009-07-21	Name : The remote openSUSE host is missing a security update. File : suse_11_0_cups-081002.nasl - Type : ACT_GATHER_INFO
2009-04-23	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-656-1.nasl - Type : ACT_GATHER_INFO
2009-04-23	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2008-211.nasl - Type : ACT_GATHER_INFO
2009-02-20	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0308.nasl - Type : ACT_GATHER_INFO
2009-02-20	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-0308.nasl - Type : ACT_GATHER_INFO
2008-12-11	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200812-11.nasl - Type : ACT_GATHER_INFO
2008-11-09	Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2008-312-01.nasl - Type : ACT_GATHER_INFO
2008-10-21	Name : The remote Debian host is missing a security-related update. File : debian_DSA-1656.nasl - Type : ACT_GATHER_INFO
2008-10-16	Name : The remote Fedora host is missing a security update. File : fedora_2008-8844.nasl - Type : ACT_GATHER_INFO
2008-10-16	Name : The remote Fedora host is missing a security update. File : fedora_2008-8801.nasl - Type : ACT_GATHER_INFO
2008-10-13	Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_ce29ce1d971a11ddab7e001c2514716c.nasl - Type : ACT_GATHER_INFO
2008-10-10	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0937.nasl - Type : ACT_GATHER_INFO
2008-10-10	Name : The remote printer service is affected by multiple vulnerabilities. File : cups_1_3_9.nasl - Type : ACT_GATHER_INFO
2008-10-10	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2008-0937.nasl - Type : ACT_GATHER_INFO
2008-10-07	Name : The remote openSUSE host is missing a security update. File : suse_cups-5652.nasl - Type : ACT_GATHER_INFO
2008-10-07	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_cups-5653.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

Source	Url
BID	http://www.securityfocus.com/bid/31690
CONFIRM	http://support.avaya.com/elmodocs2/security/ASA-2008-470.htm http://www.cups.org/articles.php?L575 http://www.cups.org/str.php?L2918
DEBIAN	http://www.debian.org/security/2008/dsa-1656
FEDORA	https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00331... https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00380...
GENTOO	http://www.gentoo.org/security/en/glsa/glsa-200812-11.xml
IDEFENSE	http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=753
MANDRIVA	http://www.mandriva.com/security/advisories?name=MDVSA-2008:211
OVAL	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova...
REDHAT	http://www.redhat.com/support/errata/RHSA-2008-0937.html
SECTRACK	http://www.securitytracker.com/id?1021033
SECUNIA	http://secunia.com/advisories/32084 http://secunia.com/advisories/32226 http://secunia.com/advisories/32284 http://secunia.com/advisories/32292 http://secunia.com/advisories/32316 http://secunia.com/advisories/32331 http://secunia.com/advisories/33085 http://secunia.com/advisories/33111
SUNALERT	http://sunsolve.sun.com/search/document.do?assetkey=1-26-261088-1
SUSE	http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00006.html
UBUNTU	https://usn.ubuntu.com/656-1/
VUPEN	http://www.vupen.com/english/advisories/2008/2782 http://www.vupen.com/english/advisories/2008/3401 http://www.vupen.com/english/advisories/2009/1568
XF	https://exchange.xforce.ibmcloud.com/vulnerabilities/45789

Alert History

If you want to see full details history, please login or register.

Date	Informations
2024-02-16 12:08:53	Multiple Updates
2021-05-04 12:07:55	Multiple Updates
2021-04-22 01:08:16	Multiple Updates
2020-05-23 01:39:49	Multiple Updates
2020-05-23 00:22:07	Multiple Updates
2018-10-04 00:19:33	Multiple Updates
2017-09-29 09:23:40	Multiple Updates
2017-08-08 09:24:18	Multiple Updates
2016-04-26 17:44:17	Multiple Updates
2014-02-17 10:46:05	Multiple Updates
2014-01-19 21:25:10	Multiple Updates
2013-05-11 00:23:31	Multiple Updates
2012-11-07 00:17:34	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	1
CPE ID(s)	80
Sources(s)	28
osvdb(s)	1
Openvas Exploit(s)	21
Snort® Rule(s)	1
Nessus® Exploit(s)	20

	Related
10	USN-656-1
10	SUN-261088
10	RHSA-2008:0937
10	MDVSA-2008:211
10	GLSA-200812-11
10	DSA-1656
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 6 more Alert(s)

7.5 - CVE-2008-3639

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

OpenVAS Exploits

Open Source Vulnerability Database (OSVDB)

Snort® IPS/IDS

Nessus® Vulnerability Scanner

Sources (Detail)

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU