Multiple security issues fixed upstream in qpdf have been announced:
http://openwall.com/lists/oss-security/2018/02/13/2

It looks like all but the first linked from the message above were fixed after the last snapshot that we updated to.

Mageia 5 and Mageia 6 are also affected.
CC: (none) => rverschelde
Whiteboard: (none) => MGA6TOO
Assignee: bugsquad => pkg-bugs
Status comment: (none) => Fixed upstream in 7.0.0
qpdf 7.1.1 pushed to Cauldron. Cheers, Stig
Version: Cauldron => 6
CC: (none) => smelror
Whiteboard: MGA6TOO => (none)
Advisory
========

Qpdf has been updated to the latest version to fix several security issues.

- Stack overflow due to endless recursion in QPDFTokenizer::resolveLiteral()
- Another stack overflow / endless recursion in QPDFWriter::enqueueObject()
- Stack out of bounds read in iterate_rc4()
- heap out of bounds read (large) in Pl_Buffer::write
- Hang due to a pdf xref loop:

References
==========
http://openwall.com/lists/oss-security/2018/02/13/2

Files
=====

The following files have been uploaded to core/updates_testing

qpdf-7.1.1-1.mga6
qpdf-doc-7.1.1-1.mga6
lib64qpdf18-7.1.1-1.mga6
lib64qpdf-devel-7.1.1-1.mga6

from qpdf-7.1.1-1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
Advisory
========

Qpdf has been updated to the latest version to fix several security issues.

- Stack overflow due to endless recursion in QPDFTokenizer::resolveLiteral()
- Another stack overflow / endless recursion in QPDFWriter::enqueueObject()
- Stack out of bounds read in iterate_rc4()
- heap out of bounds read (large) in Pl_Buffer::write
- Hang due to a pdf xref loop

Also, the cups-filters package has been rebuilt for the new qpdf.

References
==========
http://openwall.com/lists/oss-security/2018/02/13/2

Files
=====

The following files have been uploaded to core/updates_testing

qpdf-7.1.1-1.mga6
qpdf-doc-7.1.1-1.mga6
lib64qpdf18-7.1.1-1.mga6
lib64qpdf-devel-7.1.1-1.mga6

from qpdf-7.1.1-1.mga6.src.rpm

cups-filters-1.13.4-2.2.mga6
lib64cups-filters-devel-1.13.4-2.2.mga6
lib64cups-filters1-1.13.4-2.2.mga6

from cups-filters-1.13.4-2.2.mga6.src.rpm
Mageia 6 :: x86_64 This report was a bit lengthy so I have attached it. The upshot is that qpdf looks good for 64 bits.
CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
Created attachment 9997
POC tests and quick tests of qpdf
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0131.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
CC: (none) => tmb
Blocks: (none) => 22648
openSUSE has issued an advisory for this on February 19:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00056.html

It provides CVEs for some of the issues. Please add the following to the references:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11624
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11625
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11626
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11627
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12595
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9208
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9209
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9210
https://lists.opensuse.org/opensuse-updates/2018-02/msg00056.html
Ubuntu has issued an advisory for this on May 7:
https://usn.ubuntu.com/3638-1/

It provides CVEs for a few more issues.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18183
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18184
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18185
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18186