Bug 22586

Summary: qpdf new security issues fixed upstream in 7.0.0
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, rverschelde, smelror, sysadmin-bugs, tarazed25, tmb
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: qpdf-6.0.0-2.20170730.1.mga7.src.rpm CVE:
Status comment: Fixed upstream in 7.0.0
Bug Depends on:    
Bug Blocks: 22648    
Attachments: POC tests and quick tests of qpdf

Description David Walser 2018-02-14 02:54:09 CET 
Multiple security issues fixed upstream in qpdf have been announced:
http://openwall.com/lists/oss-security/2018/02/13/2

It looks like all but the first linked from the message above were fixed after the last snapshot that we updated to.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-02-14 02:54:35 CET

CC: (none) => rverschelde
Whiteboard: (none) => MGA6TOO
Assignee: bugsquad => pkg-bugs
Status comment: (none) => Fixed upstream in 7.0.0

Comment 1 Stig-Ørjan Smelror 2018-02-19 13:36:38 CET 
qpdf 7.1.1 pushed to Cauldron.

Cheers,
Stig

Version: Cauldron => 6
CC: (none) => smelror
Whiteboard: MGA6TOO => (none)

Comment 2 Stig-Ørjan Smelror 2018-02-20 12:07:02 CET 
Advisory
========

Qpdf has been updated to the latest version to fix several security issues.

- Stack overflow due to endless recursion in QPDFTokenizer::resolveLiteral()
- Another stack overflow / endless recursion in QPDFWriter::enqueueObject()
- Stack out of bounds read in iterate_rc4()
- heap out of bounds read (large) in Pl_Buffer::write
- Hang due to a pdf xref loop:


References
==========
http://openwall.com/lists/oss-security/2018/02/13/2

Files
=====

The following files have been uploaded to core/updates_testing

qpdf-7.1.1-1.mga6
qpdf-doc-7.1.1-1.mga6
lib64qpdf18-7.1.1-1.mga6
lib64qpdf-devel-7.1.1-1.mga6

from qpdf-7.1.1-1.mga6.src.rpm
Stig-Ørjan Smelror 2018-02-20 12:07:12 CET

Assignee: pkg-bugs => qa-bugs

Comment 3 Stig-Ørjan Smelror 2018-02-20 17:14:52 CET 
Advisory
========

Qpdf has been updated to the latest version to fix several security issues.

- Stack overflow due to endless recursion in QPDFTokenizer::resolveLiteral()
- Another stack overflow / endless recursion in QPDFWriter::enqueueObject()
- Stack out of bounds read in iterate_rc4()
- heap out of bounds read (large) in Pl_Buffer::write
- Hang due to a pdf xref loop

Also, the cups-filters package has been rebuilt for the new qpdf.


References
==========
http://openwall.com/lists/oss-security/2018/02/13/2

Files
=====

The following files have been uploaded to core/updates_testing

qpdf-7.1.1-1.mga6
qpdf-doc-7.1.1-1.mga6
lib64qpdf18-7.1.1-1.mga6
lib64qpdf-devel-7.1.1-1.mga6

from qpdf-7.1.1-1.mga6.src.rpm

cups-filters-1.13.4-2.2.mga6
lib64cups-filters-devel-1.13.4-2.2.mga6
lib64cups-filters1-1.13.4-2.2.mga6

from cups-filters-1.13.4-2.2.mga6.src.rpm
Comment 4 Len Lawrence 2018-02-20 18:57:43 CET 
Mageia 6 :: x86_64

This report was a bit lengthy so I have attached it.
The upshot is that qpdf looks good for 64 bits.

CC: (none) => tarazed25

Len Lawrence 2018-02-20 18:58:11 CET

Whiteboard: (none) => MGA6-64-OK

Comment 5 Len Lawrence 2018-02-20 18:59:41 CET 
Created attachment 9997 [details]
POC tests and quick tests of qpdf
Len Lawrence 2018-02-22 01:35:06 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2018-02-22 19:54:36 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Thomas Backlund 2018-02-22 21:09:45 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0131.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
CC: (none) => tmb

Comment 7 Mageia Robot 2018-02-23 18:15:27 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0131.html
David Walser 2018-02-24 18:42:50 CET

Blocks: (none) => 22648