CVE-2007-3387

Name	CVE-2007-3387
Description	Integer overflow in the StreamPredictor::StreamPredictor function in xpdf 3.02, as used in (1) poppler before 0.5.91, (2) gpdf before 2.8.2, (3) kpdf, (4) kdegraphics, (5) CUPS, (6) PDFedit, and other products, might allow remote attackers to execute arbitrary code via a crafted PDF file that triggers a stack-based buffer overflow in the StreamPredictor::getNextLine function.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References	DSA-1347-1, DSA-1348-1, DSA-1349-1, DSA-1350-1, DSA-1352-1, DSA-1354-1, DSA-1355-1, DSA-1357-1, DTSA-49-1, DTSA-50-1, DTSA-54-1, DTSA-62-1
NVD severity	medium
Debian Bugs	435460, 435462

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
cups (PTS)	jessie	1.7.5-11+deb8u2	fixed
	jessie (security)	1.7.5-11+deb8u7	fixed
	stretch	2.2.1-8+deb9u5	fixed
	stretch (security)	2.2.1-8+deb9u2	fixed
	buster	2.2.10-6+deb10u2	fixed
	bullseye, sid	2.3.1-11	fixed
ipe (PTS)	jessie	7.1.4-2	fixed
	stretch	7.2.7-2	fixed
	buster	7.2.9-1	fixed
	bullseye, sid	7.2.13-2	fixed
libextractor (PTS)	jessie	1:1.3-2+deb8u1	fixed
	jessie (security)	1:1.3-2+deb8u5	fixed
	stretch (security), stretch	1:1.3-4+deb9u3	fixed
	buster	1:1.8-2	fixed
	bullseye, sid	1:1.9-3	fixed
poppler (PTS)	jessie	0.26.5-2+deb8u4	fixed
	jessie (security)	0.26.5-2+deb8u13	fixed
	stretch (security), stretch	0.48.0-2+deb9u2	fixed
	buster	0.71.0-5	fixed
	bullseye, sid	0.71.0-6	fixed
swftools (PTS)	jessie	0.9.2+git20130725-2	fixed
	stretch	0.9.2+git20130725-4.1	fixed
xpdf (PTS)	jessie	3.03-17	fixed
	stretch	3.04-4	fixed
	bullseye, sid, buster	3.04-13	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
cups	source	(unstable)	(not affected)
cupsys	source	(unstable)	(not affected)
gpdf	source	(unstable)	(unfixed)
gpdf	source	sarge	2.8.2-1.2sarge6	DSA-1354-1
ipe	source	(unstable)	(not affected)
kdegraphics	source	(unstable)	4:3.5.7-3
kdegraphics	source	etch	4:3.5.5-3etch1	DSA-1355-1
kdegraphics	source	lenny	4:3.5.7-2lenny1	DTSA-49-1
kdegraphics	source	sarge	4:3.3.2-2sarge5	DSA-1355-1
koffice	source	(unstable)	1:1.6.3-2
koffice	source	etch	1:1.6.1-2etch1	DSA-1357-1
koffice	source	lenny	1:1.6.3-1lenny1	DTSA-50-1
libextractor	source	(unstable)	0.5.12-1
libextractor	source	sarge	0.4.2-2sarge6	DSA-1349-1
pdfkit.framework	source	(unstable)	0.8-4
pdfkit.framework	source	sarge	0.8-2sarge4	DSA-1352-1
pdftohtml	source	(unstable)	(unfixed)
pdftohtml	source	etch	0.36-13etch1
poppler	source	(unstable)	0.5.4-6.1		435460
poppler	source	etch	0.4.5-5.1etch1	DSA-1348-1
poppler	source	lenny	0.5.4-6lenny2	DTSA-62-1
swftools	source	(unstable)	0.9.2+ds1-2
tetex-bin	source	(unstable)	3.0-12
tetex-bin	source	sarge	2.0.2-30sarge5	DSA-1350-1
xpdf	source	(unstable)	3.02-1.1		435462
xpdf	source	etch	3.01-9etch1	DSA-1347-1
xpdf	source	sarge	3.00-13.7	DSA-1347-1

Notes

pdftex links to poppler since 3.0-12, thus marking as fixed
- cupsys <not-affected> (unimportant; bug #436099)
- cups <not-affected> (unimportant; bug #436099)
cups uses xpdf-utils
links to poppler since 0.8-4, thus marking as fixed
libextractor uses internal pdf decoder since 0.5.12-1, thus marking as fixed
- ipe <not-affected> (Does not include the vulnerable code)