CVE-2007-0245
openoffice.org rtf filter buffer overflow
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Heap-based buffer overflow in OpenOffice.org (OOo) 2.2.1 and earlier allows remote attackers to execute arbitrary code via a RTF file with a crafted prtdata tag with a length parameter inconsistency, which causes vtable entries to be overwritten.
Un desbordamiento de búfer en la región heap de la memoria en OpenOffice.org (OOo) versión 2.2.1 y anteriores permite a los atacantes remotos ejecutar código arbitrario por medio de un archivo RTF con una etiqueta prtdata creada con una incoherencia de parámetro length, lo que causa que las entradas de vtable se sobrescriban.
John Heasman of NGSSoftware has discovered a heap-based buffer overflow when parsing the prdata tag in RTF files where the first token is smaller than the second one (CVE-2007-0245). Additionally, the OpenOffice binary program is shipped with a version of FreeType that contains an integer signedness error in the n_points variable in file truetype/ttgload.c, which was covered by GLSA 200705-22 (CVE-2007-2754). Versions less than 2.2.1 are affected.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2007-01-16 CVE Reserved
- 2007-06-12 CVE Published
- 2024-08-07 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CAPEC
References (30)
| URL | Tag | Source |
|---|---|---|
| http://osvdb.org/35378 | Vdb Entry | |
| http://sw.openoffice.org/source/browse/sw/sw/source/filter/rtf/swparrtf.cxx?rev=1.67 | X_refsource_confirm | |
| http://www.securityfocus.com/archive/1/471274/100/0/threaded | Mailing List | |
| http://www.securityfocus.com/bid/24450 | Vdb Entry | |
| http://www.securitytracker.com/id?1018239 | Vdb Entry | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/34843 | Vdb Entry | |
| https://issues.rpath.com/browse/RPL-1570 | X_refsource_confirm | |
| https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10002 | Signature |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://www.debian.org/security/2007/dsa-1307 | 2018-10-16 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Openoffice Search vendor "Openoffice" | Openoffice Search vendor "Openoffice" for product "Openoffice" | <= 2.2.1 Search vendor "Openoffice" for product "Openoffice" and version " <= 2.2.1" | - |
Affected
| ||||||