CVEs have been assigned for security issues in qpdf:
http://openwall.com/lists/oss-security/2017/05/23/10

I don't believe that any fixes are available at this time.

Mageia 5 may also be affected.
Whiteboard: (none) => MGA5TOO
Assigning to the registered maintainer, but CC'ing all packagers collectively, in case the maintainer lacks time.
CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => thierry.vignaud
Still unfixed upstream, though they acknowledged the issues 10 days ago so hopefully fixes will come.

Relevant bug reports:
- CVE-2017-9208: https://github.com/qpdf/qpdf/issues/99
- CVE-2017-9209: https://github.com/qpdf/qpdf/issues/100
- CVE-2017-9210: https://github.com/qpdf/qpdf/issues/101

Four other infinite loops reported recently which don't appear to have attributed CVEs so far:
- https://github.com/qpdf/qpdf/issues/117
- https://github.com/qpdf/qpdf/issues/118
- https://github.com/qpdf/qpdf/issues/119
- https://github.com/qpdf/qpdf/issues/120
Status comment: (none) => Expecting upstream patches in the coming days/weeks (as of early June)
Status comment: Expecting upstream patches in the coming days/weeks (as of early June) => As of late June, still waiting for upstream patches (issues ACK'ed)
Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO
All issues listed in comment 2 are now fixed upstream, I'll package a snapshot of the master branch to get those fixes.
Fixed in Cauldron.

I'm pushing a snapshot of the upstream master branch from today for both Mageia 5 and Mageia 6. For Mageia 5, it's a version upgrade so cups-filter (the only reverse dep) is also being rebuilt.

Advisory:
=========

Updated qpdf packages fix security vulnerabilities

This snapshot of the upstream development branch (6.0) of qpdf fixes several infinite loop vulnerabilities: CVE-2017-9208, CVE-2017-9209, CVE-2017-9210, CVE-2017-11624, CVE-2017-11625, CVE-2017-11626, CVE-2017-11627.

References:
- https://github.com/qpdf/qpdf/tree/8ee83ca722baad9434119bb72d620dfd8e6103c4

RPMs in core/updates_testing:
=============================
cups-filters-1.0.71-1.3.mga5
lib(64)cups-filters1-1.0.71-1.3.mga5
lib(64)cups-filters-devel-1.0.71-1.3.mga5
lib(64)qpdf17-6.0.0-2.20170730.1.mga5
lib(64)qpdf-devel-6.0.0-2.20170730.1.mga5
qpdf-6.0.0-2.20170730.1.mga5
qpdf-doc-6.0.0-2.20170730.1.mga5

lib(64)qpdf17-6.0.0-2.20170730.1.mga6
lib(64)qpdf-devel-6.0.0-2.20170730.1.mga6
qpdf-6.0.0-2.20170730.1.mga6
qpdf-doc-6.0.0-2.20170730.1.mga6

SRPMs in core/updates_testing:
==============================
cups-filters-1.0.71-1.3.mga5
qpdf-6.0.0-2.20170730.1.mga5
qpdf-6.0.0-2.20170730.1.mga6
Version: Cauldron => 6
Status comment: As of late June, still waiting for upstream patches (issues ACK'ed) => (none)
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: thierry.vignaud => qa-bugs
mga5 x86_64

Documentation is in /usr/share/doc/qpdf-doc/

CVE-2017-9208 00176-qpdf-infiniteloop1
CVE-2017-9209 00177-pdf-infiniteloop2
CVE-2017-9210 00177-qpdf-infiniteloop3
CVE-2017-1162{4,7,6,5} => qpdf-infiniteloop_{1,2,3,4}

Reproducers can be downloaded from https://github.com/asarubbo/poc/blob/master/ and https://github.com/bestshow/p0cs/blob/master/

No sign of lib64qpdf17 in release or core updates.

$ qpdf 00176-qpdf-infiniteloop1 -
WARNING: 00176-qpdf-infiniteloop1: file is damaged
WARNING: 00176-qpdf-infiniteloop1 (file position 3526): xref not found
WARNING: 00176-qpdf-infiniteloop1: Attempting to reconstruct cross-reference table
Segmentation fault

All but one of the test files caused a segfault.

$ qpdf qpdf-infiniteloop_3 -
WARNING: qpdf-infiniteloop_3: file is damaged
WARNING: qpdf-infiniteloop_3 (xref table, file position 625): invalid xref entry (obj=0)
WARNING: qpdf-infiniteloop_3: Attempting to reconstruct cross-reference table
operation for Dictionary object attempted on object of wrong type

After updating:

$ qpdf 00176-qpdf-infiniteloop1 -
WARNING: 00176-qpdf-infiniteloop1: file is damaged
WARNING: 00176-qpdf-infiniteloop1 (file position 3526): xref not found
WARNING: 00176-qpdf-infiniteloop1: Attempting to reconstruct cross-reference table
00176-qpdf-infiniteloop1 (file position 4793): unable to find /Root dictionary
$

In nearly all tests the error diagnostics looked similar to the pre-update information but there were no segfaults.

$ qpdf qpdf-infiniteloop_3 -
and
$ qpdf qpdf-infiniteloop_4 -
these produced text output of a sort and ended with the line:
qpdf: operation succeeded with warnings; resulting file may have some problems

This looks like a clean bill of health for the fixes.

There is a problem now with the documentation. /usr/share/doc/qpdf-doc/ contains a stylesheet file and nothing else. The earlier manuals in PDF and HTML format have been wiped. But there is the --help option...

Simple functionality test:
$ qpdf $ qpdf one.pdf --pages one.pdf 5-10 -- two.pdf
This successfully extracted six pages from one.pdf and wrote them out as file two.pdf, viewable with xpdf.
CC: (none) => tarazed25
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
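The before/after reproducer check described in the QA comment above can be scripted so that hangs and crashes are told apart from ordinary damaged-file diagnostics. This is an added example, not part of the original bug report; it assumes GNU coreutils `timeout` and qpdf's exit statuses (0 clean, 3 warnings, 2 errors), and the names `classify_run`, `check_samples`, `TIME_LIMIT` and `QPDF` are introduced here for illustration.

```shell
#!/bin/sh
# Added example: classify how qpdf ends when fed each file in a directory.
# Assumed exit-status meanings: 124 from coreutils `timeout` (time limit hit),
# 128+N for death by signal N (139 = SIGSEGV), and qpdf's 0 / 3 / 2 for
# clean / succeeded with warnings / errors.

TIME_LIMIT=${TIME_LIMIT:-10}   # seconds before a run counts as an infinite loop

# classify_run CMD [ARGS...]
# Prints one label; returns 0 for a controlled exit, 1 for a hang or crash.
classify_run() {
    rc=0
    timeout "$TIME_LIMIT" "$@" >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0)   echo "ok";       return 0 ;;
        3)   echo "warnings"; return 0 ;;
        2)   echo "error";    return 0 ;;   # rejected the file cleanly
        124) echo "hang";     return 1 ;;
        139) echo "segfault"; return 1 ;;
    esac
    if [ "$rc" -gt 128 ]; then
        echo "signal-$((rc - 128))"
    else
        echo "exit-$rc"
    fi
    return 1
}

# check_samples DIR
# Runs "$QPDF FILE -" on every regular file in DIR (hypothetical directory of
# downloaded test files) and returns non-zero if any run hung or crashed.
check_samples() {
    failures=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        label=$(classify_run "${QPDF:-qpdf}" "$f" -) || failures=$((failures + 1))
        printf '%-10s %s\n' "$label" "$f"
    done
    [ "$failures" -eq 0 ]
}
```

Run `check_samples` once before and once after installing the update: the first pass should list `segfault` or `hang` entries, the second only `warnings` or `error`.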
Cut and paste error there - comment 5 s/$ qpdf $ qpdf one.pdf/$ qpdf one.pdf/
MGA6-32 on Asus A6000VM MATE

No installation issues.

At CLI:
$ qpdf --linearize familiekrantje-nr3.pdf fam3.pdf
$ qpdf familiekrantje-nr3.pdf --pages familiekrantje-nr3.pdf 1-4 -- fam3verkort.pdf

Both resulting pdf files display correctly with atril.
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-32-OK
CC: (none) => herman.viaene
Advisory uploaded, validating.
Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-64-OK MGA6-32-OK => advisory MGA5TOO MGA5-64-OK MGA6-32-OK
Summary: qpdf new security issues CVE-2017-920[89] and CVE-2017-9210 => qpdf new security issues CVE-2017-920[89], CVE-2017-9210 and CVE-2017-1162[4-7]
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0237.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=21444