CVE-2007-5747
openoffice.org: Quattro Pro files parsing integer underflow
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Integer underflow in OpenOffice.org before 2.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Quattro Pro (QPRO) file with crafted values that trigger an excessive loop and a stack-based buffer overflow.
Subdesbordamiento de enteros en OpenOffice.org versiones anteriores a 2.4, permite a los atacantes remotos causar una denegación de servicio (bloqueo) y posiblemente ejecutar código arbitrario por medio de un archivo Quattro Pro (QPRO) con valores diseñados que desencadenan un bucle excesivo y un desbordamiento de búfer en la región stack de la memoria.
Remote exploitation of an integer underflow vulnerability in OpenOffice, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the logged in user. The vulnerability exists within the code responsible for converting the QPRO file into an internal representation used by OpenOffice. A 16-bit integer is read in from the file, and later used as a loop counter that controls how many values are stored into local stack buffers. When verifying the value of this counter, the code decrements the counter without checking to see if this operation will underflow. This results in the loop running for many iterations, which leads to a stack based buffer overflow. This allows for the execution of arbitrary code. iDefense has confirmed the existence of this vulnerability in OpenOffice version 2.3. Other versions may also be affected.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2007-10-31 CVE Reserved
- 2008-04-17 CVE Published
- 2024-08-07 CVE Updated
- 2025-06-07 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-189: Numeric Errors
- CWE-190: Integer Overflow or Wraparound
CAPEC
References (28)
| URL | Tag | Source |
|---|---|---|
| http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=693 | Third Party Advisory | |
| http://www.openoffice.org/security/cves/CVE-2007-4770.html | X_refsource_confirm | |
| http://www.securityfocus.com/bid/28819 | Vdb Entry | |
| http://www.securitytracker.com/id?1019891 | Vdb Entry | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/41881 | Vdb Entry | |
| https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11298 | Signature |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://www.debian.org/security/2008/dsa-1547 | 2017-09-29 | |
| http://www.openoffice.org/security/bulletin.html | 2017-09-29 | |
| http://www.openoffice.org/security/cves/CVE-2007-5745.html | 2017-09-29 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Sun Search vendor "Sun" | Openoffice.org Search vendor "Sun" for product "Openoffice.org" | <= 2.3.0 Search vendor "Sun" for product "Openoffice.org" and version " <= 2.3.0" | - |
Affected
| ||||||
| Sun Search vendor "Sun" | Openoffice.org Search vendor "Sun" for product "Openoffice.org" | 1.1.0 Search vendor "Sun" for product "Openoffice.org" and version "1.1.0" | - |
Affected
| ||||||
| Sun Search vendor "Sun" | Openoffice.org Search vendor "Sun" for product "Openoffice.org" | 2.0.0 Search vendor "Sun" for product "Openoffice.org" and version "2.0.0" | - |
Affected
| ||||||
| Sun Search vendor "Sun" | Openoffice.org Search vendor "Sun" for product "Openoffice.org" | 2.1.0 Search vendor "Sun" for product "Openoffice.org" and version "2.1.0" | - |
Affected
| ||||||
| Sun Search vendor "Sun" | Openoffice.org Search vendor "Sun" for product "Openoffice.org" | 2.2.0 Search vendor "Sun" for product "Openoffice.org" and version "2.2.0" | - |
Affected
| ||||||