Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 629116 (CVE-2017-12595) - <app-text/qpdf-7.0.0: recursive tokenizer allows denial of service
Summary: <app-text/qpdf-7.0.0: recursive tokenizer allows denial of service
Alias: CVE-2017-12595
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on: CVE-2017-11624, CVE-2017-11625, CVE-2017-11626, CVE-2017-11627, CVE-2017-9208, CVE-2017-9209, CVE-2017-9210
  Show dependency tree
Reported: 2017-08-27 21:59 UTC by Aleksandr Wagner (Kivak)
Modified: 2018-03-25 19:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Aleksandr Wagner (Kivak) 2017-08-27 21:59:46 UTC
CVE-2017-12595 (

The tokenizer in QPDF 6.0.0 and 7.0.b1 is recursive for arrays and dictionaries, which allows remote attackers to cause a denial of service (stack consumption and segmentation fault) or possibly have unspecified other impact via a PDF document with a deep data structure, as demonstrated by a crash in QPDFObjectHandle::parseInternal in libqpdf/ 

Comment 1 Aleksandr Wagner (Kivak) 2017-10-26 00:18:47 UTC
I just tested versions 5.1.1-r1 and 5.1.3-r1, they both return segmentation faults.

This bug has been fixed in the new 7.0.0 release:

2017-08-25  Jay Berkenbilt  <>

        * Re-implement parser iteratively to avoid stack overflow on very
        deeply nested arrays and dictionaries. Fixes #146.

@ Maintainer(s): Please advise how you would like to proceed.
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-03-25 19:37:40 UTC
GLSA Vote: No

cleanup will be tracked in bug #647776