Fedora has issued an advisory on March 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4WLK6ICPJUMOJNHZQWXAA5MPXG5JHZZL/

The issue is fixed in 11.9.0. Mageia 9 is also affected.
CVE: (none) => CVE-2024-24246
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Patch available from Fedora and fixed upstream in 11.9.0
Source RPM: (none) => qpdf-11.8.0-1.mga10.src.rpm
Done for Cauldron! The patch from Fedora does not apply to our 11.3.0 release :(
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Source RPM: qpdf-11.8.0-1.mga10.src.rpm => qpdf-11.3.0-1.mga9.src.rpm
CC: (none) => geiger.david68210
Sooner done than said! Is there any reason why we cannot push v11.9.0 to Mageia 9? Even the M9 version is recent:
Mar 14 2023 - 11.3.0 - update qpdf-relax patch from fedora
and it has been version updated 3 times even before 11.9.0.
CC: (none) => lewyssmith
Yeah we've updated it without issue in the past.
Thanks for this confirmation. Keep in touch! More for DavidG...
CC: lewyssmith => (none)
Assignee: bugsquad => geiger.david68210
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Heap Buffer Overflow vulnerability in qpdf 11.9.0 allows attackers to crash the application via the std::__shared_count() function at /bits/shared_ptr_base.h. (CVE-2024-24246)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4WLK6ICPJUMOJNHZQWXAA5MPXG5JHZZL/
========================

Updated packages in core/updates_testing:
========================
lib(64)qpdf29-11.9.0-1.mga9
lib(64)qpdf-devel-11.9.0-1.mga9
qpdf-11.9.0-1.mga9
qpdf-doc-11.9.0-1.mga9

from SRPM:
qpdf-11.9.0-1.mga9.src.rpm
Assignee: geiger.david68210 => qa-bugs
Status comment: Patch available from Fedora and fixed upstream in 11.9.0 => (none)
Status: NEW => ASSIGNED
The CVE description sounds wrong. It says the issue is in 11.9.0, but we're saying the fix was in that version. Maybe it's supposed to say before, rather than in?
Keywords: (none) => advisory
RH mageia 9 x86_64

Before the update

qpdf --json-input POC_qpdf11-9-0_heap-buffer-overflow output_json.pdf
WARNING: POC_qpdf11-9-0_heap-buffer-overflow (obj:3 0 R, offset 738): "stream.data" must be a string
Violación de segmento (`core' generado)

Update without issues

installing qpdf-11.9.0-1.mga9.x86_64.rpm lib64qpdf29-11.9.0-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ######################################################################################
1/2: lib64qpdf29 ######################################################################################
2/2: qpdf ######################################################################################
1/2: removing qpdf-11.3.0-1.mga9.x86_64 ######################################################################################
2/2: removing lib64qpdf29-11.3.0-1.mga9.x86_64 ######################################################################################

After the update

qpdf --json-input POC_qpdf11-9-0_heap-buffer-overflow output_json.pdf
WARNING: POC_qpdf11-9-0_heap-buffer-overflow (obj:3 0 R, offset 738): "stream.data" must be a string
qpdf: POC_qpdf11-9-0_heap-buffer-overflow: JSON: offset 1664: expected ',' or '}'
CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0076.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED