Bug 488564 - <app-text/qpdf-5.0.1 : some important fix related to security/hardening
Summary: <app-text/qpdf-5.0.1 : some important fix related to security/hardening
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Tim Harder
Reported: 2013-10-19 10:44 UTC by Agostino Sarubbo
Modified: 2014-05-11 13:04 UTC
Description Agostino Sarubbo gentoo-dev 2013-10-19 10:44:31 UTC
http://www.openwall.com/lists/oss-security/2013/10/18/6 :

I have released qpdf 5.0.1 today.  This release includes some security
fixes and hardening changes as suggested by Florian Weimer of Red Hat.
Red Hat's security team analyzed the software and decided that there
were no issues serious enough to warrant issuing any CVEs or creating
any embargoed issues, so all the fixes are published on
https://github.com/qpdf/qpdf

Here are the commits that are relevant:

ac9c1f0 Security: replace operator[] with at
4229457 Security: use a secure random number generator
0bfe902 Security: avoid pre-allocating vectors based on file data
10bceb5 Security: sanitize /W in xref stream
3eb4b06 Security: better bounds checks for linearization data
b097d7a Security: handle empty name in normalizeName
eb1b126 Security: fix potential multiplication overflow
c2e91d8 Security: keep cur_byte pointing into bytes array

5.0.0 and earlier used random() or rand() from the standard library for
random numbers, but the TODO file for qpdf had mentioned this from the
beginning.  qpdf 5.0.1 uses /dev/urandom on Linux, MS Windows Crypto on
Windows, and tries to find a suitable random device for other
platforms.  It can fall back to insecure random only when configured
with --enable-insecure-random.

Since there are no CVEs issued for this, I have not provided backports
to other versions that some distributions may contain, but I was able to
backport the changes into the 2.x releases in a throw-away branch.  The
"replace operator[] with at" change was programmatically generated and
wouldn't make sense to backport.  Instead, it could be regenerated for
older versions.  If any distributions decide that they want to issue
security bulletins for any of these issues, I can assist with doing
backports.  To my knowledge, qpdf is a leaf node in every distribution
that carries any version older than 4.0.0, which is the first version
that was a dependency of open printing.  Most of the issues found in the
qpdf code were in parts of the code that are not used by open printing.
That said, the changes can be relatively easily backported to versions
as recent as that.
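The commit list above names the hardening patterns (sanitizing /W, checking the multiplication behind the entry count, growing vectors from what is actually parsed rather than from file-declared sizes, and using at() instead of operator[]) without showing them. The following is an added illustration of those patterns in a toy cross-reference-stream parser; it is not qpdf's code and is not taken from the commits. The only PDF facts it relies on are that an xref stream's /W array gives the byte width of each of the three fields of an entry, that /Size gives the entry count, and that a zero-width first field means type 1. The function names, the kMaxFieldWidth limit and the sample bytes are assumptions made up for the example.

```cpp
// Added example, not qpdf's own code: the 5.0.1 hardening patterns applied
// to a toy xref-stream parser. Names, limits and sample data are assumptions.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <limits>
#include <stdexcept>
#include <vector>

struct XrefEntry {
    uint64_t type;
    uint64_t field2;   // offset (type 1) or containing object stream (type 2)
    uint64_t field3;   // generation (type 1) or index in object stream (type 2)
};

// Hypothetical cap on one field width: wider than 8 bytes cannot fit a uint64_t.
static const size_t kMaxFieldWidth = 8;

// "sanitize /W": reject a /W that is not 3 entries, negative, too wide, or
// that describes zero-width entries. Returns the size of one entry in bytes.
size_t sanitizeW(const std::vector<long long>& w) {
    if (w.size() != 3) {
        throw std::runtime_error("/W must have exactly 3 entries");
    }
    size_t entry_bytes = 0;
    for (size_t i = 0; i < w.size(); ++i) {
        // at() rather than operator[]: throws std::out_of_range instead of
        // reading past the end if the length check above is ever weakened.
        long long width = w.at(i);
        if (width < 0 || static_cast<size_t>(width) > kMaxFieldWidth) {
            throw std::runtime_error("/W field width out of range");
        }
        entry_bytes += static_cast<size_t>(width);
    }
    if (entry_bytes == 0) {
        throw std::runtime_error("/W describes zero-width entries");
    }
    return entry_bytes;
}

// "fix potential multiplication overflow": compute /Size * entry width without
// wrapping, then refuse a count that the decoded data cannot actually hold.
size_t checkedExpectedBytes(long long size, size_t entry_bytes, size_t available) {
    if (size < 0) {
        throw std::runtime_error("/Size must be non-negative");
    }
    size_t n = static_cast<size_t>(size);
    if (n > std::numeric_limits<size_t>::max() / entry_bytes) {
        throw std::runtime_error("/Size * entry width overflows");
    }
    size_t expected = n * entry_bytes;
    if (expected > available) {
        throw std::runtime_error("xref stream shorter than /Size * /W");
    }
    return expected;
}

// "avoid pre-allocating vectors based on file data": entries grows only as
// bytes are really consumed; nothing is reserve()d from the file's /Size claim.
std::vector<XrefEntry> parseXrefStream(const std::vector<long long>& w, long long size,
                                       const std::vector<unsigned char>& data) {
    size_t entry_bytes = sanitizeW(w);
    size_t expected = checkedExpectedBytes(size, entry_bytes, data.size());
    std::vector<XrefEntry> entries;
    size_t pos = 0;
    while (pos < expected) {
        uint64_t fields[3] = {1, 0, 0};   // zero-width type field defaults to 1
        for (size_t f = 0; f < 3; ++f) {
            size_t width = static_cast<size_t>(w.at(f));
            if (width == 0) continue;
            uint64_t v = 0;
            for (size_t b = 0; b < width; ++b) {
                v = (v << 8) | data.at(pos++);   // at() bounds-checks the data too
            }
            fields[f] = v;
        }
        entries.push_back(XrefEntry{fields[0], fields[1], fields[2]});
    }
    return entries;
}

// Constructed sample: /W [1 2 1], /Size 3, 12 bytes of decoded stream data.
std::vector<XrefEntry> sampleEntries() {
    const std::vector<long long> w = {1, 2, 1};
    const std::vector<unsigned char> data = {
        0x00, 0x00, 0x00, 0x00,   // entry 0: free
        0x01, 0x00, 0x0F, 0x00,   // entry 1: in use, offset 15, generation 0
        0x01, 0x00, 0x5A, 0x00,   // entry 2: in use, offset 90, generation 0
    };
    return parseXrefStream(w, 3, data);
}

// True when the parser rejects the given /W and /Size against `available`
// zero bytes of data; used to exercise the hostile-input paths.
bool parseRejected(const std::vector<long long>& w, long long size, size_t available) {
    std::vector<unsigned char> data(available, 0);
    try {
        parseXrefStream(w, size, data);
        return false;
    } catch (const std::exception&) {
        return true;
    }
}

int main() {
    std::vector<XrefEntry> e = sampleEntries();
    std::cout << e.size() << " entries; entry 1 offset " << e.at(1).field2 << "\n";
    return 0;
}
```

The overflow check is the one that matters most for a parser written before these commits: with a 64-bit size_t, a /Size near LLONG_MAX multiplied by a small entry width wraps to a small number, so a naive `size * entry_bytes <= data.size()` test passes and the later loop walks off the end of the buffer. Dividing the maximum by the entry width first catches that before any allocation or read happens.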
Comment 1 Agostino Sarubbo gentoo-dev 2013-10-19 10:44:52 UTC
I'd suggest bumping and stabilizing in a few days.
Comment 2 Sergey Popov gentoo-dev 2013-11-29 09:34:33 UTC
More than one month in tree, maintainer, could we stabilize 5.0.1?
Comment 3 Agostino Sarubbo gentoo-dev 2013-11-29 18:05:01 UTC
This is not really a security bug. These issues did not deserve a CVE.
Comment 4 Sergey Popov gentoo-dev 2014-05-11 13:04:38 UTC
The new version is in tree and we agreed that this is not a security issue. Closing as fixed then.