National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

CVE-2007-3387 Detail

Current Description

Integer overflow in the StreamPredictor::StreamPredictor function in xpdf 3.02, as used in (1) poppler before 0.5.91, (2) gpdf before 2.8.2, (3) kpdf, (4) kdegraphics, (5) CUPS, (6) PDFedit, and other products, might allow remote attackers to execute arbitrary code via a crafted PDF file that triggers a stack-based buffer overflow in the StreamPredictor::getNextLine function.

Source:  MITRE
Description Last Modified:  07/30/2007
View Analysis Description

Impact

CVSS v2.0 Severity and Metrics:

Base Score: 6.8 MEDIUM
Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P) (V2 legend)
Impact Subscore: 6.4
Exploitability Subscore: 8.6


Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Additional Information:
Victim must voluntarily interact with attack mechanism
Allows unauthorized disclosure of information
Allows unauthorized modification
Allows disruption of service

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource
ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl1.patch
ftp://patches.sgi.com/support/free/security/advisories/20070801-01-P.asc
http://bugs.gentoo.org/show_bug.cgi?id=187139
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=248194
http://security.gentoo.org/glsa/glsa-200709-12.xml
http://security.gentoo.org/glsa/glsa-200709-17.xml
http://security.gentoo.org/glsa/glsa-200710-20.xml
http://security.gentoo.org/glsa/glsa-200711-34.xml
http://security.gentoo.org/glsa/glsa-200805-13.xml
http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.761882
http://sourceforge.net/project/shownotes.php?release_id=535497
http://support.avaya.com/elmodocs2/security/ASA-2007-401.htm
http://www.debian.org/security/2007/dsa-1347
http://www.debian.org/security/2007/dsa-1348
http://www.debian.org/security/2007/dsa-1349
http://www.debian.org/security/2007/dsa-1350
http://www.debian.org/security/2007/dsa-1352
http://www.debian.org/security/2007/dsa-1354
http://www.debian.org/security/2007/dsa-1355
http://www.debian.org/security/2007/dsa-1357
http://www.gentoo.org/security/en/glsa/glsa-200710-08.xml
http://www.kde.org/info/security/advisory-20070730-1.txt
http://www.mandriva.com/security/advisories?name=MDKSA-2007:158
http://www.mandriva.com/security/advisories?name=MDKSA-2007:159
http://www.mandriva.com/security/advisories?name=MDKSA-2007:160
http://www.mandriva.com/security/advisories?name=MDKSA-2007:161
http://www.mandriva.com/security/advisories?name=MDKSA-2007:162
http://www.mandriva.com/security/advisories?name=MDKSA-2007:163
http://www.mandriva.com/security/advisories?name=MDKSA-2007:164
http://www.mandriva.com/security/advisories?name=MDKSA-2007:165
http://www.novell.com/linux/security/advisories/2007_15_sr.html
http://www.novell.com/linux/security/advisories/2007_16_sr.html
http://www.redhat.com/support/errata/RHSA-2007-0720.html Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2007-0729.html Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2007-0730.html Patch Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2007-0731.html Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2007-0732.html Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2007-0735.html Vendor Advisory
http://www.securityfocus.com/archive/1/476508/100/0/threaded
http://www.securityfocus.com/archive/1/476519/30/5400/threaded
http://www.securityfocus.com/archive/1/476765/30/5340/threaded
http://www.securityfocus.com/bid/25124
http://www.securitytracker.com/id?1018473
http://www.slackware.org/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.423670
http://www.ubuntu.com/usn/usn-496-1
http://www.ubuntu.com/usn/usn-496-2
http://www.vupen.com/english/advisories/2007/2704
http://www.vupen.com/english/advisories/2007/2705
https://issues.foresightlinux.org/browse/FL-471
https://issues.rpath.com/browse/RPL-1596
https://issues.rpath.com/browse/RPL-1604
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11149

References to Check Content

Identifier:
oval:org.mitre.oval:def:11149
Check System:
http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink:
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:11149

Technical Details

Vulnerability Type (View All)

Known Affected Software Configurations Switch to CPE 2.2

Configuration 1 ( hide )
 cpe:2.3:a:easy_software_products:cups:*:*:*:*:*:*:*:*
     Show Matching CPE(s)
 cpe:2.3:a:gnome:gpdf:*:*:*:*:*:*:*:*
     Show Matching CPE(s)
Up to (including)
2.8.1
 cpe:2.3:a:kde:kdegraphics:*:*:*:*:*:*:*:*
     Show Matching CPE(s)
 cpe:2.3:a:kde:kpdf:*:*:*:*:*:*:*:*
     Show Matching CPE(s)
 cpe:2.3:a:pdfedit:pdfedit:*:*:*:*:*:*:*:*
     Show Matching CPE(s)
 cpe:2.3:a:poppler:poppler:*:*:*:*:*:*:*:*
     Show Matching CPE(s)
Up to (including)
0.5.91
 cpe:2.3:a:xpdf:xpdf:3.02:*:*:*:*:*:*:*
     Show Matching CPE(s)
Running on/with
 cpe:2.3:o:redhat:enterprise_linux:4.0:*:as:*:*:*:*:*
     Show Matching CPE(s)
 cpe:2.3:o:redhat:enterprise_linux:4.0:*:es:*:*:*:*:*
     Show Matching CPE(s)
 cpe:2.3:o:redhat:enterprise_linux:4.0:*:ws:*:*:*:*:*
     Show Matching CPE(s)
 cpe:2.3:o:redhat:enterprise_linux_desktop:4.0:*:*:*:*:*:*:*
     Show Matching CPE(s)


Change History

3 change records found - show changes

Quick Info

CVE Dictionary Entry:
CVE-2007-3387
NVD Published Date:
07/30/2007
NVD Last Modified:
10/16/2018