Bug 32958

Summary: qpdf new security issue CVE-2024-24246
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, geiger.david68210, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: qpdf-11.3.0-1.mga9.src.rpm CVE: CVE-2024-24246
Status comment:

Description Nicolas Salguero 2024-03-11 16:12:39 CET 
Fedora has issued an advisory on March 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4WLK6ICPJUMOJNHZQWXAA5MPXG5JHZZL/

The issue is fixed in 11.9.0.

Mageia 9 is also affected.
Nicolas Salguero 2024-03-11 16:13:55 CET

CVE: (none) => CVE-2024-24246
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Patch available from Fedora and fixed upstream in 11.9.0
Source RPM: (none) => qpdf-11.8.0-1.mga10.src.rpm

Comment 1 David GEIGER 2024-03-12 05:27:32 CET 
Done for Cauldron!

Patch from fedora do not apply for our 11.3.0 release :(

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Source RPM: qpdf-11.8.0-1.mga10.src.rpm => qpdf-11.3.0-1.mga9.src.rpm
CC: (none) => geiger.david68210

Comment 2 Lewis Smith 2024-03-12 20:57:55 CET 
Sooner done than said!

Is there any reason why we cannot push v11.9.0 to Mageia 9?
Even the M9 version is recent: Mar 14 2023
- 11.3.0
- update qpdf-relax patch from fedora
and it has been version updated 3 times even before 11.9.0.

CC: (none) => lewyssmith

Comment 3 David Walser 2024-03-12 22:04:45 CET 
Yeah we've updated it without issue in the past.
Comment 4 Lewis Smith 2024-03-14 20:14:24 CET 
Thanks for this confirmation. Keep in touch!

More for DavidG...

CC: lewyssmith => (none)
Assignee: bugsquad => geiger.david68210

Comment 5 Nicolas Salguero 2024-03-19 16:35:23 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Heap Buffer Overflow vulnerability in qpdf 11.9.0 allows attackers to crash the application via the std::__shared_count() function at /bits/shared_ptr_base.h. (CVE-2024-24246)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4WLK6ICPJUMOJNHZQWXAA5MPXG5JHZZL/
========================

Updated packages in core/updates_testing:
========================
lib(64)qpdf29-11.9.0-1.mga9
lib(64)qpdf-devel-11.9.0-1.mga9
qpdf-11.9.0-1.mga9
qpdf-doc-11.9.0-1.mga9

from SRPM:
qpdf-11.9.0-1.mga9.src.rpm

Assignee: geiger.david68210 => qa-bugs
Status comment: Patch available from Fedora and fixed upstream in 11.9.0 => (none)
Status: NEW => ASSIGNED

Comment 6 David Walser 2024-03-19 17:21:37 CET 
The CVE description sounds wrong.  It says the issue is in 11.9.0, but we're saying the fix was in that version.  Maybe it's supposed to say before, rather than in?
katnatek 2024-03-19 20:13:43 CET

Keywords: (none) => advisory

Comment 7 katnatek 2024-03-19 21:29:41 CET 
RH mageia 9 x86_64

Before the update

qpdf --json-input  POC_qpdf11-9-0_heap-buffer-overflow  output_json.pdf
WARNING: POC_qpdf11-9-0_heap-buffer-overflow (obj:3 0 R, offset 738): "stream.data" must be a string
ViolaciĆ³n de segmento (`core' generado)


Update without issues

installing qpdf-11.9.0-1.mga9.x86_64.rpm lib64qpdf29-11.9.0-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ######################################################################################
      1/2: lib64qpdf29           ######################################################################################
      2/2: qpdf                  ######################################################################################
      1/2: removing qpdf-11.3.0-1.mga9.x86_64
                                 ######################################################################################
      2/2: removing lib64qpdf29-11.3.0-1.mga9.x86_64
                                 ######################################################################################

After the update

 qpdf --json-input  POC_qpdf11-9-0_heap-buffer-overflow  output_json.pdf
WARNING: POC_qpdf11-9-0_heap-buffer-overflow (obj:3 0 R, offset 738): "stream.data" must be a string
qpdf: POC_qpdf11-9-0_heap-buffer-overflow: JSON: offset 1664: expected ',' or '}'
katnatek 2024-03-19 21:30:04 CET

CC: (none) => andrewsfarm

katnatek 2024-03-19 21:30:19 CET

Whiteboard: (none) => MGA9-64-OK

Comment 8 Thomas Andrews 2024-03-19 23:12:32 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2024-03-20 04:36:41 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0076.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED