CVE-2007-3387

Name	CVE-2007-3387
Description	Integer overflow in the StreamPredictor::StreamPredictor function in xpdf 3.02, as used in (1) poppler before 0.5.91, (2) gpdf before 2.8.2, (3) kpdf, (4) kdegraphics, (5) CUPS, (6) PDFedit, and other products, might allow remote attackers to execute arbitrary code via a crafted PDF file that triggers a stack-based buffer overflow in the StreamPredictor::getNextLine function.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-1347-1, DSA-1348-1, DSA-1349-1, DSA-1350-1, DSA-1352-1, DSA-1354-1, DSA-1355-1, DSA-1357-1, DTSA-49-1, DTSA-50-1, DTSA-54-1, DTSA-62-1
Debian Bugs	435460, 435462

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
cups (PTS)	jessie, jessie (lts)	1.7.5-11+deb8u12	fixed
	stretch (security)	2.2.1-8+deb9u8	fixed
	stretch (lts), stretch	2.2.1-8+deb9u11	fixed
	buster	2.2.10-6+deb10u6	fixed
	buster (security)	2.2.10-6+deb10u9	fixed
	bullseye	2.3.3op2-3+deb11u6	fixed
	bullseye (security)	2.3.3op2-3+deb11u2	fixed
	bookworm	2.4.2-3+deb12u5	fixed
	trixie	2.4.7-1	fixed
	sid	2.4.7-1.2	fixed
ipe (PTS)	jessie	7.1.4-2	fixed
	stretch	7.2.7-2	fixed
	buster	7.2.9-1	fixed
	bullseye	7.2.23+dfsg1-2	fixed
	bookworm	7.2.26+dfsg1-3	fixed
	trixie	7.2.28-2	fixed
	sid	7.2.28-2.1	fixed
libextractor (PTS)	jessie, jessie (lts)	1:1.3-2+deb8u5	fixed
	stretch (security), stretch (lts), stretch	1:1.3-4+deb9u4	fixed
	buster	1:1.8-2+deb10u1	fixed
	bullseye	1:1.11-2	fixed
	bookworm	1:1.11-7	fixed
	sid, trixie	1:1.13-3	fixed
poppler (PTS)	jessie, jessie (lts)	0.26.5-2+deb8u16	fixed
	stretch (security)	0.48.0-2+deb9u4	fixed
	stretch (lts), stretch	0.48.0-2+deb9u6	fixed
	buster	0.71.0-5	fixed
	buster (security)	0.71.0-5+deb10u3	fixed
	bullseye (security), bullseye	20.09.0-3.1+deb11u1	fixed
	trixie, bookworm	22.12.0-2	fixed
	sid	22.12.0-2.2	fixed
swftools (PTS)	jessie	0.9.2+git20130725-2	fixed
	stretch	0.9.2+git20130725-4.1	fixed
xpdf (PTS)	jessie	3.03-17	fixed
	stretch	3.04-4	fixed
	buster	3.04-13	fixed
	bullseye	3.04+git20210103-3	fixed
	bookworm	3.04+git20220601-1	fixed
	sid, trixie	3.04+git20240202-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
cups	source	(unstable)	(not affected)
cupsys	source	(unstable)	(not affected)
gpdf	source	sarge	2.8.2-1.2sarge6	DSA-1354-1
gpdf	source	(unstable)	(unfixed)
ipe	source	(unstable)	(not affected)
kdegraphics	source	sarge	4:3.3.2-2sarge5	DSA-1355-1
kdegraphics	source	etch	4:3.5.5-3etch1	DSA-1355-1
kdegraphics	source	lenny	4:3.5.7-2lenny1	DTSA-49-1
kdegraphics	source	(unstable)	4:3.5.7-3
koffice	source	etch	1:1.6.1-2etch1	DSA-1357-1
koffice	source	lenny	1:1.6.3-1lenny1	DTSA-50-1
koffice	source	(unstable)	1:1.6.3-2
libextractor	source	sarge	0.4.2-2sarge6	DSA-1349-1
libextractor	source	(unstable)	0.5.12-1
pdfkit.framework	source	sarge	0.8-2sarge4	DSA-1352-1
pdfkit.framework	source	(unstable)	0.8-4
pdftohtml	source	etch	0.36-13etch1
pdftohtml	source	(unstable)	(unfixed)
poppler	source	etch	0.4.5-5.1etch1	DSA-1348-1
poppler	source	lenny	0.5.4-6lenny2	DTSA-62-1
poppler	source	(unstable)	0.5.4-6.1		435460
swftools	source	(unstable)	0.9.2+ds1-2
tetex-bin	source	sarge	2.0.2-30sarge5	DSA-1350-1
tetex-bin	source	(unstable)	3.0-12
xpdf	source	sarge	3.00-13.7	DSA-1347-1
xpdf	source	etch	3.01-9etch1	DSA-1347-1
xpdf	source	(unstable)	3.02-1.1		435462

Notes

pdftex links to poppler since 3.0-12, thus marking as fixed
- cupsys <not-affected> (unimportant; bug #436099)
- cups <not-affected> (unimportant; bug #436099)
cups uses xpdf-utils
links to poppler since 0.8-4, thus marking as fixed
libextractor uses internal pdf decoder since 0.5.12-1, thus marking as fixed
- ipe <not-affected> (Does not include the vulnerable code)