626180 – app-text/qpdf:

Bug 626180 - app-text/qpdf:

Summary: app-text/qpdf:

Status:	RESOLVED INVALID

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard:	B3 [upstream cve]
Keywords:

Depends on:
Blocks:

Reported:	2017-07-26 00:59 UTC by Christopher Díaz Riveros (RETIRED)
Modified:	2017-10-14 01:22 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-07-26 00:59:09 UTC

From URL:

A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, which allows attackers to cause a denial of service via a crafted file, related to the QPDFTokenizer::resolveLiteral function in QPDFTokenizer.cc after four consecutive calls to QPDFObjectHandle::parseInternal, aka an "infinite loop."

References:

http://somevulnsofadlab.blogspot.jp/2017/07/qpdfan-infinite-loop-in-libqpdf_65.html
https://github.com/qpdf/qpdf/issues/119

Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-10-14 01:22:43 UTC

Freeing CVE alias