
Bug 629116 (CVE-2017-12595)

Summary: <app-text/qpdf-7.0.0: recursive tokenizer allows denial of service
Product: Gentoo Security
Reporter: Aleksandr Wagner (Kivak) <alwag>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: printing
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 626446
Bug Blocks:

Description Aleksandr Wagner (Kivak) 2017-08-27 21:59:46 UTC
CVE-2017-12595 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12595):

The tokenizer in QPDF 6.0.0 and 7.0.b1 is recursive for arrays and dictionaries, which allows remote attackers to cause a denial of service (stack consumption and segmentation fault) or possibly have unspecified other impact via a PDF document with a deep data structure, as demonstrated by a crash in QPDFObjectHandle::parseInternal in libqpdf/QPDFObjectHandle.cc. 

References:

https://github.com/qpdf/qpdf/commit/ad527a64f93dca12f6aabab2ca99ae5eb352ab4b
https://github.com/qpdf/qpdf/issues/146
Comment 1 Aleksandr Wagner (Kivak) 2017-10-26 00:18:47 UTC
I just tested versions 5.1.1-r1 and 5.1.3-r1, they both return segmentation faults.

This bug has been fixed in the new 7.0.0 release:

2017-08-25  Jay Berkenbilt  <ejb@ql.org>

        * Re-implement parser iteratively to avoid stack overflow on very
        deeply nested arrays and dictionaries. Fixes #146.

@ Maintainer(s): Please advise how you would like to proceed.
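The ChangeLog entry above describes the fix in one line: parse with an explicit stack instead of recursing. The following is an added illustration of that technique, written for this page; it is not qpdf's parser and does not reproduce QPDFObjectHandle::parseInternal. It handles only a subset of PDF object syntax (arrays, dictionaries and bare tokens; strings, streams, comments and indirect references are left out), and the deeply nested input it parses is constructed in the code itself, in the shape of the reported crash case (many nested arrays). Two details are the ones a practitioner should take away: the open-container stack is a heap vector, so nesting depth costs memory rather than thread stack, and the parsed nodes live in a flat arena rather than a tree of owning pointers, because freeing such a tree would recurse just as deeply as the parser the fix replaced.

```cpp
// Added example (not qpdf's code): iterative parser for a subset of PDF
// object syntax, immune to the stack exhaustion behind CVE-2017-12595.
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

struct Node {
    enum Kind { Atom, Array, Dict } kind;
    std::string atom;           // raw token text when kind == Atom
    std::vector<size_t> kids;   // indices into Document::nodes otherwise
};

// Flat arena: no owning-pointer tree, so destruction is a single vector
// free and cannot itself overflow the stack on deep input.
struct Document {
    std::vector<Node> nodes;
    size_t root = 0;
};

// Tokens are "[", "]", "<<", ">>", or a run of characters up to the next
// whitespace or delimiter. Returns false at end of input.
static bool nextToken(const std::string& s, size_t& pos, std::string& tok) {
    while (pos < s.size() && std::isspace(static_cast<unsigned char>(s[pos]))) ++pos;
    if (pos >= s.size()) return false;
    if (s[pos] == '[' || s[pos] == ']') { tok = s.substr(pos, 1); ++pos; return true; }
    if (s.compare(pos, 2, "<<") == 0) { tok = "<<"; pos += 2; return true; }
    if (s.compare(pos, 2, ">>") == 0) { tok = ">>"; pos += 2; return true; }
    size_t start = pos;
    while (pos < s.size() && !std::isspace(static_cast<unsigned char>(s[pos])) &&
           std::string("[]<>").find(s[pos]) == std::string::npos) ++pos;
    if (pos == start) throw std::runtime_error("unexpected character at " + std::to_string(pos));
    tok = s.substr(start, pos - start);
    return true;
}

// Attach a new node: root if nothing is open, else child of the innermost container.
static void place(Document& doc, const std::vector<size_t>& open, size_t idx) {
    if (open.empty()) doc.root = idx;
    else doc.nodes[open.back()].kids.push_back(idx);
}

// Parse one object. `open` is the explicit stack of unclosed containers;
// the C++ call depth stays constant no matter how deeply the input nests.
Document parseObject(const std::string& src) {
    Document doc;
    std::vector<size_t> open;
    size_t pos = 0;
    std::string tok;
    bool complete = false;
    while (!complete && nextToken(src, pos, tok)) {
        if (tok == "[" || tok == "<<") {
            Node n; n.kind = (tok == "[") ? Node::Array : Node::Dict;
            doc.nodes.push_back(n);
            place(doc, open, doc.nodes.size() - 1);
            open.push_back(doc.nodes.size() - 1);
        } else if (tok == "]" || tok == ">>") {
            if (open.empty()) throw std::runtime_error("unbalanced " + tok);
            Node& top = doc.nodes[open.back()];
            if (top.kind != ((tok == "]") ? Node::Array : Node::Dict))
                throw std::runtime_error("mismatched " + tok);
            if (top.kind == Node::Dict) {   // key/value pairs, every key a name
                if (top.kids.size() % 2 != 0) throw std::runtime_error("odd dictionary");
                for (size_t i = 0; i < top.kids.size(); i += 2) {
                    const Node& key = doc.nodes[top.kids[i]];
                    if (key.kind != Node::Atom || key.atom.empty() || key.atom[0] != '/')
                        throw std::runtime_error("dictionary key is not a name");
                }
            }
            open.pop_back();
            complete = open.empty();
        } else {
            Node n; n.kind = Node::Atom; n.atom = tok;
            doc.nodes.push_back(n);
            place(doc, open, doc.nodes.size() - 1);
            complete = open.empty();
        }
    }
    if (!complete) throw std::runtime_error("unterminated object");
    return doc;
}

// Nesting depth, computed with a work list so this walk cannot recurse either.
size_t maxDepth(const Document& doc) {
    size_t best = 0;
    std::vector<std::pair<size_t, size_t>> work(1, std::make_pair(doc.root, size_t(1)));
    while (!work.empty()) {
        std::pair<size_t, size_t> cur = work.back();
        work.pop_back();
        best = std::max(best, cur.second);
        for (size_t k : doc.nodes[cur.first].kids) work.push_back(std::make_pair(k, cur.second + 1));
    }
    return best;
}

// Constructed input in the shape of the reported crash: `depth` nested arrays.
std::string nestedArrays(size_t depth) { return std::string(depth, '[') + std::string(depth, ']'); }

// True if src parses, false if rejected; never crashes because of depth.
bool parsesOk(const std::string& src) {
    try { parseObject(src); return true; } catch (const std::runtime_error&) { return false; }
}

int main() {
    Document deep = parseObject(nestedArrays(200000));
    std::cout << "parsed " << maxDepth(deep) << " nested arrays without recursion\n";
    Document page = parseObject("<< /Type /Page /Kids [ 1 0 R ] >>");
    std::cout << "dictionary entries: " << page.nodes[page.root].kids.size() / 2 << "\n";
    return 0;
}
```

The same input fed to a recursive descent parser costs one stack frame per `[`, and a few hundred thousand of them is enough to exhaust a default thread stack; here the only thing that grows is the `open` vector. If rewriting a parser iteratively is not an option, the other defensible mitigation is a hard nesting limit checked at each container open, which turns the crash into a clean parse error; the page's fix takes the iterative route.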
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2018-03-25 19:37:40 UTC
GLSA Vote: No

cleanup will be tracked in bug #647776