Vulnerability Name:

CVE-2007-4033 (CCN-35620)

Assigned: 2007-07-26
Published: 2007-07-26
Updated: 2018-10-15
Summary: Buffer overflow in the intT1_EnvGetCompletePath function in lib/t1lib/t1env.c in t1lib 5.1.1 allows context-dependent attackers to execute arbitrary code via a long FileName parameter.
Note: this issue was originally reported to be in the imagepsloadfont function in php_gd2.dll in the gd (PHP_GD2) extension in PHP 5.2.3.
CVSS v3 Severity: 5.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
5.1 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
4.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-119
Vulnerability Consequences: Gain Access
References:

Source: CONFIRM
Type: UNKNOWN
http://bugs.gentoo.org/show_bug.cgi?id=193437

Source: MITRE
Type: CNA
CVE-2007-4033

Source: FEDORA
Type: UNKNOWN
FEDORA-2007-2343

Source: CCN
Type: RHSA-2007-1027
Important: tetex security update

Source: CCN
Type: RHSA-2007-1030
Important: xpdf security update

Source: CCN
Type: RHSA-2007-1031
Important: xpdf security update

Source: CCN
Type: SA26241
t1lib "intT1_EnvGetCompletePath()" Buffer Overflow

Source: SECUNIA
Type: Vendor Advisory
26241

Source: SECUNIA
Type: Vendor Advisory
26901

Source: SECUNIA
Type: Vendor Advisory
26981

Source: SECUNIA
Type: Vendor Advisory
26992

Source: SECUNIA
Type: Vendor Advisory
27239

Source: SECUNIA
Type: UNKNOWN
27297

Source: SECUNIA
Type: Vendor Advisory
27439

Source: SECUNIA
Type: Vendor Advisory
27599

Source: SECUNIA
Type: UNKNOWN
27718

Source: SECUNIA
Type: Vendor Advisory
27743

Source: SECUNIA
Type: UNKNOWN
28345

Source: SECUNIA
Type: UNKNOWN
30168

Source: GENTOO
Type: UNKNOWN
GLSA-200710-12

Source: GENTOO
Type: UNKNOWN
GLSA-200711-34

Source: GENTOO
Type: UNKNOWN
GLSA-200805-13

Source: CCN
Type: SECTRACK ID: 1018905
Xpdf Bugs in streams and t1lib Let Remote Users Execute Arbitrary Code

Source: CCN
Type: PHP Web site
PHP: Image Functions - Manual

Source: CONFIRM
Type: UNKNOWN
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0007

Source: MISC
Type: UNKNOWN
http://www.bugtraq.ir/adv/t1lib.txt

Source: DEBIAN
Type: UNKNOWN
DSA-1390

Source: DEBIAN
Type: DSA-1390
t1lib -- buffer overflow

Source: CCN
Type: GLSA-200710-12
T1Lib: Buffer overflow

Source: CCN
Type: GLSA-200711-34
CSTeX: Multiple vulnerabilities

Source: CCN
Type: GLSA-200805-13
PTeX: Multiple vulnerabilities

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2007:189

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2007:230

Source: SUSE
Type: UNKNOWN
SUSE-SR:2007:023

Source: REDHAT
Type: UNKNOWN
RHSA-2007:1027

Source: REDHAT
Type: UNKNOWN
RHSA-2007:1030

Source: REDHAT
Type: UNKNOWN
RHSA-2007:1031

Source: BUGTRAQ
Type: UNKNOWN
20070921 Re: [Full-disclosure] [USN-515-1] t1lib vulnerability

Source: BUGTRAQ
Type: UNKNOWN
20070921 Re: [USN-515-1] t1lib vulnerability

Source: BUGTRAQ
Type: UNKNOWN
20080105 rPSA-2008-0007-1 tetex tetex-afm tetex-dvips tetex-fonts tetex-latex tetex-xdvi

Source: BUGTRAQ
Type: UNKNOWN
20080212 FLEA-2008-0006-1 tetex tetex-dvips tetex-fonts

Source: BID
Type: Exploit
25079

Source: CCN
Type: BID-25079
T1lib intT1_Env_GetCompletePath Buffer Overflow Vulnerability

Source: SECTRACK
Type: UNKNOWN
1018905

Source: CCN
Type: USN-515-1
t1lib vulnerability

Source: UBUNTU
Type: UNKNOWN
USN-515-1

Source: MISC
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=303021

Source: XF
Type: UNKNOWN
php-imagepsloadfont-bo(35620)

Source: CONFIRM
Type: UNKNOWN
https://issues.rpath.com/browse/RPL-1972

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:10557

Source: EXPLOIT-DB
Type: UNKNOWN
4227

Source: FEDORA
Type: UNKNOWN
FEDORA-2007-3390

Source: FEDORA
Type: UNKNOWN
FEDORA-2007-750

Source: SUSE
Type: SUSE-SR:2007:023
SUSE Security Summary Report

Vulnerable Configuration:

  • Configuration 1:
  • cpe:/a:php:php:5.2.3:-:*:*:*:*:*:*
  • OR cpe:/a:t1lib:t1lib:5.1.1:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

  • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

  • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

  • Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

  • Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*

  • Configuration RedHat 8:
  • cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:php:php:5.2.3:-:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:3.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:6.06::lts:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007::x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0::x86_64:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007.1:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.0::x86-64:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:7.04:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:client:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007.1::x86-64:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4.5.z::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4.5.z::es:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:20074033 | V | CVE-2007-4033 | 2015-11-16
    oval:org.mitre.oval:def:17436 | P | USN-515-1 -- t1lib vulnerability | 2014-07-07
    oval:org.mitre.oval:def:20498 | P | DSA-1390-1 t1lib - arbitrary code execution | 2014-06-23
    oval:org.mitre.oval:def:22588 | P | ELSA-2007:1027: tetex security update (Important) | 2014-05-26
    oval:org.mitre.oval:def:10557 | V | Buffer overflow in the intT1_EnvGetCompletePath function in lib/t1lib/t1env.c in t1lib 5.1.1 allows context-dependent attackers to execute arbitrary code via a long FileName parameter. NOTE: this issue was originally reported to be in the imagepsloadfont function in php_gd2.dll in the gd (PHP_GD2) extension in PHP 5.2.3. | 2013-04-29
    oval:com.redhat.rhsa:def:20071027 | P | RHSA-2007:1027: tetex security update (Important) | 2007-11-08
    oval:com.redhat.rhsa:def:20071030 | P | RHSA-2007:1030: xpdf security update (Important) | 2007-11-07
    oval:org.debian:def:1390 | V | buffer overflow | 2007-10-18
    php php 5.2.3
    t1lib t1lib 5.1.1
    php php 5.2.3
    gentoo linux *
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    redhat enterprise linux 3
    redhat enterprise linux 3
    redhat enterprise linux 3
    redhat enterprise linux 3
    mandrakesoft mandrake linux corporate server 3.0
    redhat enterprise linux 4
    redhat enterprise linux 4
    redhat enterprise linux 4
    redhat enterprise linux 4
    debian debian linux 3.1
    redhat linux advanced workstation 2.1
    canonical ubuntu 6.06
    mandrakesoft mandrake linux 2007
    mandrakesoft mandrake linux 2007
    mandrakesoft mandrake linux corporate server 4.0
    mandrakesoft mandrake linux corporate server 4.0
    mandrakesoft mandrake linux corporate server 3.0
    redhat enterprise linux 5
    mandrakesoft mandrake linux 2007.1
    mandrakesoft mandrake linux 2008.0
    debian debian linux 4.0
    canonical ubuntu 7.04
    redhat enterprise linux 5
    mandrakesoft mandrake linux 2008.0
    mandrakesoft mandrake linux 2007.1
    redhat enterprise linux 4.5.z
    redhat enterprise linux 4.5.z