Bug 32958 - qpdf new security issue CVE-2024-24246
Summary: qpdf new security issue CVE-2024-24246
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-03-11 16:12 CET by Nicolas Salguero
Modified: 2024-03-20 04:36 CET

See Also:
Source RPM: qpdf-11.3.0-1.mga9.src.rpm
CVE: CVE-2024-24246
Status comment:



Description Nicolas Salguero 2024-03-11 16:12:39 CET
Fedora has issued an advisory on March 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4WLK6ICPJUMOJNHZQWXAA5MPXG5JHZZL/

The issue is fixed in 11.9.0.

Mageia 9 is also affected.

Nicolas Salguero 2024-03-11 16:13:55 CET

CVE: (none) => CVE-2024-24246
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Patch available from Fedora and fixed upstream in 11.9.0
Source RPM: (none) => qpdf-11.8.0-1.mga10.src.rpm

Comment 1 David GEIGER 2024-03-12 05:27:32 CET
Done for Cauldron!

Patch from Fedora does not apply to our 11.3.0 release :(

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Source RPM: qpdf-11.8.0-1.mga10.src.rpm => qpdf-11.3.0-1.mga9.src.rpm
CC: (none) => geiger.david68210

Comment 2 Lewis Smith 2024-03-12 20:57:55 CET
Sooner done than said!

Is there any reason why we cannot push v11.9.0 to Mageia 9?
Even the M9 version is recent: Mar 14 2023
- 11.3.0
- update qpdf-relax patch from fedora
and it has been version updated 3 times even before 11.9.0.

CC: (none) => lewyssmith

Comment 3 David Walser 2024-03-12 22:04:45 CET
Yeah, we've updated it without issue in the past.

Comment 4 Lewis Smith 2024-03-14 20:14:24 CET
Thanks for this confirmation. Keep in touch!

More for DavidG...

CC: lewyssmith => (none)
Assignee: bugsquad => geiger.david68210

Comment 5 Nicolas Salguero 2024-03-19 16:35:23 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Heap Buffer Overflow vulnerability in qpdf 11.9.0 allows attackers to crash the application via the std::__shared_count() function at /bits/shared_ptr_base.h. (CVE-2024-24246)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4WLK6ICPJUMOJNHZQWXAA5MPXG5JHZZL/
========================

Updated packages in core/updates_testing:
========================
lib(64)qpdf29-11.9.0-1.mga9
lib(64)qpdf-devel-11.9.0-1.mga9
qpdf-11.9.0-1.mga9
qpdf-doc-11.9.0-1.mga9

from SRPM:
qpdf-11.9.0-1.mga9.src.rpm

Assignee: geiger.david68210 => qa-bugs
Status comment: Patch available from Fedora and fixed upstream in 11.9.0 => (none)
Status: NEW => ASSIGNED

Comment 6 David Walser 2024-03-19 17:21:37 CET
The CVE description sounds wrong.  It says the issue is in 11.9.0, but we're saying the fix was in that version.  Maybe it's supposed to say before, rather than in?

katnatek 2024-03-19 20:13:43 CET

Keywords: (none) => advisory

Comment 7 katnatek 2024-03-19 21:29:41 CET
RH mageia 9 x86_64

Before the update

qpdf --json-input  POC_qpdf11-9-0_heap-buffer-overflow  output_json.pdf
WARNING: POC_qpdf11-9-0_heap-buffer-overflow (obj:3 0 R, offset 738): "stream.data" must be a string
Violación de segmento (`core' generado)


Update without issues

installing qpdf-11.9.0-1.mga9.x86_64.rpm lib64qpdf29-11.9.0-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ######################################################################################
      1/2: lib64qpdf29           ######################################################################################
      2/2: qpdf                  ######################################################################################
      1/2: removing qpdf-11.3.0-1.mga9.x86_64
                                 ######################################################################################
      2/2: removing lib64qpdf29-11.3.0-1.mga9.x86_64
                                 ######################################################################################

After the update

 qpdf --json-input  POC_qpdf11-9-0_heap-buffer-overflow  output_json.pdf
WARNING: POC_qpdf11-9-0_heap-buffer-overflow (obj:3 0 R, offset 738): "stream.data" must be a string
qpdf: POC_qpdf11-9-0_heap-buffer-overflow: JSON: offset 1664: expected ',' or '}'
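
The before/after check from comment 7, written as a reusable regression helper: it separates a signal death (the pre-update segfault) from a handled parse error (the post-update result). This is an added example, not part of the bug report or of qpdf; the function names are hypothetical, and exit codes 2 (errors) and 3 (warnings) are the ones qpdf documents.

```shell
#!/bin/sh
# Map an exit status to the outcome a QA regression check cares about.
classify_status() {
    rc=$1
    if [ "$rc" -gt 128 ]; then
        # POSIX shells report death-by-signal as 128 + signal number,
        # so the segfault seen before the update shows up as 139.
        echo "CRASH(signal $((rc - 128)))"
    elif [ "$rc" -eq 0 ]; then
        echo "OK"
    elif [ "$rc" -eq 2 ]; then
        echo "HANDLED_ERROR"   # qpdf: errors found, clean exit
    elif [ "$rc" -eq 3 ]; then
        echo "WARNINGS"        # qpdf: completed with warnings
    else
        echo "OTHER($rc)"
    fi
}

# Run a command with core dumps disabled and print its classification.
# The "|| rc=$?" keeps the helper usable under "set -e".
run_and_classify() {
    rc=0
    ( ulimit -c 0; "$@" ) >/dev/null 2>&1 || rc=$?
    classify_status "$rc"
}

# Succeed unless the command was killed by a signal. A rejected input
# (HANDLED_ERROR) counts as a pass: the parser refused it cleanly.
assert_no_crash() {
    case "$(run_and_classify "$@")" in
        CRASH*) return 1 ;;
        *)      return 0 ;;
    esac
}

# Usage on a test machine, with the file name from comment 7:
#   run_and_classify qpdf --json-input POC_qpdf11-9-0_heap-buffer-overflow output_json.pdf
```

With the outputs shown in comment 7, the pre-update run would classify as `CRASH(signal 11)` and the post-update run as `HANDLED_ERROR`.
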
katnatek 2024-03-19 21:30:04 CET

CC: (none) => andrewsfarm

katnatek 2024-03-19 21:30:19 CET

Whiteboard: (none) => MGA9-64-OK

Comment 8 Thomas Andrews 2024-03-19 23:12:32 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2024-03-20 04:36:41 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0076.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

