| Summary: | qpdf new security issues CVE-2017-920[89], CVE-2017-9210 and CVE-2017-1162[4-7] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, marja11, pkg-bugs, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: | https://bugs.mageia.org/show_bug.cgi?id=21444 | ||
| Whiteboard: | advisory MGA5TOO MGA5-64-OK MGA6-32-OK | ||
| Source RPM: | qpdf-6.0.0-2.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2017-05-23 13:05:01 CEST
David Walser
2017-05-23 13:05:08 CEST
Whiteboard:
(none) =>
MGA5TOO

Assigning to the registered maintainer, but CC'ing all packagers collectively, in case the maintainer lacks time.

CC:
(none) =>
marja11, pkg-bugs

Still unfixed upstream, though they acknowledged the issues 10 days ago so hopefully fixes will come.

Relevant bug reports:
- CVE-2017-9208: https://github.com/qpdf/qpdf/issues/99
- CVE-2017-9209: https://github.com/qpdf/qpdf/issues/100
- CVE-2017-9210: https://github.com/qpdf/qpdf/issues/101

Four other infinite loops reported recently which don't appear to have attributed CVEs so far:
- https://github.com/qpdf/qpdf/issues/117
- https://github.com/qpdf/qpdf/issues/118
- https://github.com/qpdf/qpdf/issues/119
- https://github.com/qpdf/qpdf/issues/120
Rémi Verschelde
2017-06-11 15:39:53 CEST
Status comment:
(none) =>
Expecting upstream patches in the coming days/weeks (as of early June)
Rémi Verschelde
2017-06-30 11:28:57 CEST
Status comment:
Expecting upstream patches in the coming days/weeks (as of early June) =>
As of late June, still waiting for upstream patches (issues ACK'ed)
David Walser
2017-07-07 04:24:38 CEST
Whiteboard:
MGA5TOO =>
MGA6TOO, MGA5TOO

All issues listed in comment 2 are now fixed upstream, I'll package a snapshot of the master branch to get those fixes.

Fixed in Cauldron.

I'm pushing a snapshot of the upstream master branch from today for both Mageia 5 and Mageia 6. For Mageia 5, it's a version upgrade so cups-filter (the only reverse dep) is also being rebuilt.

Advisory:
=========

Updated qpdf packages fix security vulnerabilities

This snapshot of the upstream development branch (6.0) of qpdf fixes several infinite loop vulnerabilities: CVE-2017-9208, CVE-2017-9209, CVE-2017-9210, CVE-2017-11624, CVE-2017-11625, CVE-2017-11626, CVE-2017-11627.

References:
- https://github.com/qpdf/qpdf/tree/8ee83ca722baad9434119bb72d620dfd8e6103c4

RPMs in core/updates_testing:
=============================
cups-filters-1.0.71-1.3.mga5
lib(64)cups-filters1-1.0.71-1.3.mga5
lib(64)cups-filters-devel-1.0.71-1.3.mga5
lib(64)qpdf17-6.0.0-2.20170730.1.mga5
lib(64)qpdf-devel-6.0.0-2.20170730.1.mga5
qpdf-6.0.0-2.20170730.1.mga5
qpdf-doc-6.0.0-2.20170730.1.mga5
lib(64)qpdf17-6.0.0-2.20170730.1.mga6
lib(64)qpdf-devel-6.0.0-2.20170730.1.mga6
qpdf-6.0.0-2.20170730.1.mga6
qpdf-doc-6.0.0-2.20170730.1.mga6

SRPMs in core/updates_testing:
==============================
cups-filters-1.0.71-1.3.mga5
qpdf-6.0.0-2.20170730.1.mga5
qpdf-6.0.0-2.20170730.1.mga6

Version:
Cauldron =>
6
Rémi Verschelde
2017-07-30 18:36:43 CEST
Assignee:
thierry.vignaud =>
qa-bugs

mga5 x86_64
Documentation is in /usr/share/doc/qpdf-doc/
CVE-2017-9208 00176-qpdf-infiniteloop1
CVE-2017-9209 00177-pdf-infiniteloop2
CVE-2017-9210 00177-qpdf-infiniteloop3
CVE-2017-1162{4,7,6,5} => qpdf-infiniteloop_{1,2,3,4}
Reproducers can be downloaded from
https://github.com/asarubbo/poc/blob/master/ and
https://github.com/bestshow/p0cs/blob/master/
No sign of lib64qpdf17 in release or core updates.
$ qpdf 00176-qpdf-infiniteloop1 -
WARNING: 00176-qpdf-infiniteloop1: file is damaged
WARNING: 00176-qpdf-infiniteloop1 (file position 3526): xref not found
WARNING: 00176-qpdf-infiniteloop1: Attempting to reconstruct cross-reference table
Segmentation fault
All but one of the test files caused a segfault.
$ qpdf qpdf-infiniteloop_3 -
WARNING: qpdf-infiniteloop_3: file is damaged
WARNING: qpdf-infiniteloop_3 (xref table, file position 625): invalid xref entry (obj=0)
WARNING: qpdf-infiniteloop_3: Attempting to reconstruct cross-reference table
operation for Dictionary object attempted on object of wrong type
After updating:
$ qpdf 00176-qpdf-infiniteloop1 -
WARNING: 00176-qpdf-infiniteloop1: file is damaged
WARNING: 00176-qpdf-infiniteloop1 (file position 3526): xref not found
WARNING: 00176-qpdf-infiniteloop1: Attempting to reconstruct cross-reference table
00176-qpdf-infiniteloop1 (file position 4793): unable to find /Root dictionary
$
In nearly all tests the error diagnostics looked similar to the pre-update information but there were no segfaults.
$ qpdf qpdf-infiniteloop_3 -
and
$ qpdf qpdf-infiniteloop_4 -
these produced text output of a sort and ended with the line:
qpdf: operation succeeded with warnings; resulting file may have some problems
This looks like a clean bill of health for the fixes.
There is a problem now with the documentation. /usr/share/doc/qpdf-doc/ contains a stylesheet file and nothing else. The earlier manuals in PDF and HTML format have been wiped. But there is the --help option...
Simple functionality test:
$ qpdf $ qpdf one.pdf --pages one.pdf 5-10 -- two.pdf
This successfully extracted six pages from one.pdf and wrote them out as file two.pdf, viewable with xpdf.

CC:
(none) =>
tarazed25
Len Lawrence
2017-08-03 02:46:04 CEST
Whiteboard:
MGA5TOO =>
MGA5TOO MGA5-64-OK

Cut and paste error there - comment 5 s/$ qpdf $ qpdf one.pdf/$ qpdf one.pdf/

MGA6-32 on Asus A6000VM MATE
No installation issues.
At CLI:
$ qpdf --linearize familiekrantje-nr3.pdf fam3.pdf
$ qpdf familiekrantje-nr3.pdf --pages familiekrantje-nr3.pdf 1-4 -- fam3verkort.pdf
Both resulting pdf files display correctly with atril.

Whiteboard:
MGA5TOO MGA5-64-OK =>
MGA5TOO MGA5-64-OK MGA6-32-OK

Advisory uploaded, validating.

Keywords:
(none) =>
validated_update

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0237.html

Status:
NEW =>
RESOLVED
Rémi Verschelde
2017-08-04 15:09:43 CEST
See Also:
(none) =>
https://bugs.mageia.org/show_bug.cgi?id=21444
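
The before/after check in the QA test above (segfault before the update, a clean diagnostic after) can be scripted so that an infinite loop is caught by a timeout rather than by watching the terminal. This is an added example, not part of the bug report or of qpdf: `run_case`, `check_reproducers`, `update_ok` and the `STANDINS` commands are hypothetical names constructed for illustration, and only the `qpdf FILE -` invocation comes from the thread.

```python
import signal
import subprocess
import sys

def run_case(argv, timeout_s=10.0):
    """Run argv and classify the outcome as HANG, CRASH or HANDLED."""
    try:
        proc = subprocess.run(argv, stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.PIPE, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        # An infinite loop never exits by itself; run() kills the child for us.
        return ("HANG", f"no exit within {timeout_s}s")
    if proc.returncode < 0:
        # Negative return code: the child was killed by that signal number.
        try:
            name = signal.Signals(-proc.returncode).name
        except ValueError:
            name = f"signal {-proc.returncode}"
        return ("CRASH", name)
    # Any normal exit counts as handled, including non-zero "damaged file" exits.
    lines = proc.stderr.decode(errors="replace").strip().splitlines()
    return ("HANDLED", f"exit {proc.returncode}: {lines[-1] if lines else ''}")

def check_reproducers(paths, qpdf="qpdf", timeout_s=10.0):
    """Run `qpdf FILE -` (the command used in the QA test) on each file."""
    return {p: run_case([qpdf, p, "-"], timeout_s) for p in paths}

def update_ok(results):
    """The fix holds only if no reproducer hangs or crashes."""
    return all(verdict == "HANDLED" for verdict, _ in results.values())

# Constructed stand-ins so the classifier can be exercised without qpdf.
STANDINS = {
    "hang": [sys.executable, "-c", "while True: pass"],
    "crash": [sys.executable, "-c",
              "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"],
    "handled": [sys.executable, "-c",
                "import sys; sys.exit('unable to find /Root dictionary')"],
}

if __name__ == "__main__":
    if sys.argv[1:]:
        results = check_reproducers(sys.argv[1:])
    else:
        results = {k: run_case(v, timeout_s=2.0) for k, v in STANDINS.items()}
    for name, (verdict, detail) in results.items():
        print(f"{verdict:8} {name}: {detail}")
    sys.exit(0 if update_ok(results) else 1)
```

Run with the reproducer file names as arguments on a host that has qpdf installed; with no arguments it classifies the three stand-in commands instead.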