
Bug 756022

Summary: <app-text/qpdf-10.0.4: integer overflows
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: printing
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://qpdf.sourceforge.net/files/qpdf-manual.html#ref.release-notes
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-11-21 21:26:07 UTC
According to $URL, two releases since the release we have in-tree have had integer overflow fixes:

10.0.4: Fix a handful of integer overflows. This includes cases found by fuzzing as well as having qpdf not do range checking on unused values in the xref stream.

10.0.2: Fix various integer overflows and similar conditions found by the OSS-Fuzz project.


Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2020-11-24 10:53:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5d7ebe958e82785ecf2ed5428e2a03dac119e29

commit c5d7ebe958e82785ecf2ed5428e2a03dac119e29
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-11-24 10:51:01 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-11-24 10:53:06 +0000

    app-text/qpdf: security bump to 10.0.4
    
    Bug: https://bugs.gentoo.org/756022
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 app-text/qpdf/Manifest           |  1 +
 app-text/qpdf/qpdf-10.0.4.ebuild | 57 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+)
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-02 03:08:10 UTC
x86 stable
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-03 04:08:24 UTC
arm64 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-03 05:06:58 UTC
amd64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-03 07:29:41 UTC
arm done
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2020-12-04 18:13:13 UTC
sparc stable
Comment 7 ernsteiswuerfel archtester 2020-12-10 10:20:41 UTC
Looking good on ppc.

 # cat qpdf-756022.report 
USE tests started on Do 10. Dez 10:49:27 CET 2020

FEATURES=' test' USE='' succeeded for =app-text/qpdf-10.0.4
USE='-doc -examples -libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc -examples -libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc examples -libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='-doc -examples libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc -examples libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc examples libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='-doc -examples -libressl ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc -examples -libressl ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc examples -libressl ssl' succeeded for =app-text/qpdf-10.0.4
USE='-doc examples -libressl ssl' succeeded for =app-text/qpdf-10.0.4

revdep tests started on Do 10. Dez 11:18:36 CET 2020

FEATURES=' test' USE='' succeeded for net-print/cups-filters
Comment 8 ernsteiswuerfel archtester 2020-12-10 11:11:52 UTC
Looking good on ppc64.

 # cat qpdf-756022.report 
USE tests started on Do 10. Dez 11:27:48 CET 2020

FEATURES=' test' USE='' succeeded for =app-text/qpdf-10.0.4
USE='-doc -examples -libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc -examples -libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='-doc -examples libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc -examples -libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc examples -libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='-doc -examples -libressl ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc -examples -libressl ssl' succeeded for =app-text/qpdf-10.0.4
USE='-doc examples -libressl ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc examples -libressl ssl' succeeded for =app-text/qpdf-10.0.4

revdep tests started on Do 10. Dez 12:06:16 CET 2020

FEATURES=' test' USE='' succeeded for net-print/cups-filters
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2020-12-13 12:08:52 UTC
~ppc/~ppc64 stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-13 23:27:04 UTC
s390 stable
Comment 11 Rolf Eike Beer archtester 2021-01-05 14:41:33 UTC
hppa stable
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-05 17:39:10 UTC
Please cleanup.
Comment 13 Larry the Git Cow gentoo-dev 2021-01-10 15:53:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=502279c88919d9107be73fbae3c8b591f83d0d72

commit 502279c88919d9107be73fbae3c8b591f83d0d72
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-01-10 15:52:32 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-01-10 15:53:01 +0000

    app-text/qpdf: Security cleanup
    
    Bug: https://bugs.gentoo.org/756022
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-text/qpdf/Manifest              |  3 --
 app-text/qpdf/metadata.xml          |  3 --
 app-text/qpdf/qpdf-10.0.1-r2.ebuild | 60 -------------------------------------
 app-text/qpdf/qpdf-9.0.2-r1.ebuild  | 59 ------------------------------------
 app-text/qpdf/qpdf-9.1.1-r2.ebuild  | 55 ----------------------------------
 5 files changed, 180 deletions(-)
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-10 16:36:53 UTC
Thanks!
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-31 20:58:33 UTC
GLSA Vote: No

Nothing to report for us.