Bug 629116 (CVE-2017-12595) - <app-text/qpdf-7.0.0: recursive tokenizer allows denial of service
Summary: <app-text/qpdf-7.0.0: recursive tokenizer allows denial of service
Status: RESOLVED FIXED
Alias: CVE-2017-12595
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: CVE-2017-11624, CVE-2017-11625, CVE-2017-11626, CVE-2017-11627, CVE-2017-9208, CVE-2017-9209, CVE-2017-9210
Blocks:
Reported: 2017-08-27 21:59 UTC by Aleksandr Wagner (Kivak)
Modified: 2018-03-25 19:37 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Aleksandr Wagner (Kivak) 2017-08-27 21:59:46 UTC
CVE-2017-12595 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12595):

The tokenizer in QPDF 6.0.0 and 7.0.b1 is recursive for arrays and dictionaries, which allows remote attackers to cause a denial of service (stack consumption and segmentation fault) or possibly have unspecified other impact via a PDF document with a deep data structure, as demonstrated by a crash in QPDFObjectHandle::parseInternal in libqpdf/QPDFObjectHandle.cc. 

References:

https://github.com/qpdf/qpdf/commit/ad527a64f93dca12f6aabab2ca99ae5eb352ab4b
https://github.com/qpdf/qpdf/issues/146
Comment 1 Aleksandr Wagner (Kivak) 2017-10-26 00:18:47 UTC
I just tested versions 5.1.1-r1 and 5.1.3-r1; they both return segmentation faults.

This bug has been fixed in the new 7.0.0 release:

2017-08-25  Jay Berkenbilt  <ejb@ql.org>

        * Re-implement parser iteratively to avoid stack overflow on very
        deeply nested arrays and dictionaries. Fixes #146.

@ Maintainer(s): Please advise how you would like to proceed.
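The ChangeLog entry above describes the shape of the 7.0.0 fix: the parser stopped recursing into nested arrays and dictionaries and instead walks them iteratively. The block below is an added illustration of that technique, not qpdf's own code (all names such as `parse_iterative`, `Node` and `nested_arrays` are hypothetical, and the object syntax is a simplified subset of PDF). Open containers sit on an explicit heap-allocated stack, the resulting tree lives in a flat arena so that freeing it does not recurse through destructors either, and an explicit nesting limit rejects pathological input instead of letting it consume unbounded memory.

```cpp
// Added example (not qpdf code): iterative parsing of nested PDF-style
// arrays and dictionaries. Neither parsing nor destruction recurses, so input
// depth cannot exhaust the call stack. All names here are hypothetical.
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <string>
#include <vector>

struct Node {
    enum Kind { Atom, Array, Dict } kind;
    std::string text;               // token text for atoms (numbers, /Names, ...)
    std::vector<size_t> children;   // arena indices; dicts alternate key, value
};

struct ParseResult {
    bool ok = false;
    std::vector<Node> nodes;        // flat arena: freeing it is a loop, not a recursion
    size_t root = 0;                // index of the top-level object in nodes
    size_t max_depth = 0;           // deepest container nesting encountered
};

// True if a delimiter token ([ ] << >>) starts at position i of s.
static bool is_delim_at(const std::string& s, size_t i) {
    return s[i] == '[' || s[i] == ']' ||
           s.compare(i, 2, "<<") == 0 || s.compare(i, 2, ">>") == 0;
}

// Splits on whitespace and emits [ ] << >> as stand-alone tokens.
static std::vector<std::string> tokenize(const std::string& s) {
    std::vector<std::string> toks;
    size_t i = 0;
    while (i < s.size()) {
        if (std::isspace(static_cast<unsigned char>(s[i]))) { ++i; continue; }
        if (s[i] == '[' || s[i] == ']') { toks.push_back(std::string(1, s[i])); ++i; continue; }
        if (s.compare(i, 2, "<<") == 0 || s.compare(i, 2, ">>") == 0) {
            toks.push_back(s.substr(i, 2)); i += 2; continue;
        }
        size_t j = i;
        while (j < s.size() && !std::isspace(static_cast<unsigned char>(s[j])) && !is_delim_at(s, j)) ++j;
        toks.push_back(s.substr(i, j - i));
        i = j;
    }
    return toks;
}

// Parses one top-level object. depth_limit bounds container nesting so a
// hostile document is rejected early instead of consuming unbounded memory.
ParseResult parse_iterative(const std::string& src, size_t depth_limit) {
    ParseResult r;
    std::vector<size_t> open;       // explicit stack of currently open containers
    bool have_root = false;

    // Attach a freshly created node to the innermost open container (or make it the root).
    auto attach = [&](size_t idx) -> bool {
        if (open.empty()) { r.root = idx; have_root = true; return true; }
        Node& parent = r.nodes[open.back()];
        bool key_slot = parent.kind == Node::Dict && parent.children.size() % 2 == 0;
        const Node& n = r.nodes[idx];
        if (key_slot && !(n.kind == Node::Atom && !n.text.empty() && n.text[0] == '/'))
            return false;           // dictionary keys must be name objects
        parent.children.push_back(idx);
        return true;
    };

    for (const std::string& t : tokenize(src)) {
        if (have_root && open.empty()) return r;       // data after a complete object
        if (t == "[" || t == "<<") {
            if (open.size() >= depth_limit) return r;  // too deep: reject, do not crash
            r.nodes.push_back({t == "[" ? Node::Array : Node::Dict, "", {}});
            size_t idx = r.nodes.size() - 1;
            if (!attach(idx)) return r;
            open.push_back(idx);
            r.max_depth = std::max(r.max_depth, open.size());
        } else if (t == "]" || t == ">>") {
            if (open.empty()) return r;                // stray closing delimiter
            const Node& top = r.nodes[open.back()];
            Node::Kind expect = (t == "]") ? Node::Array : Node::Dict;
            if (top.kind != expect) return r;          // mismatched delimiter
            if (expect == Node::Dict && top.children.size() % 2 != 0) return r;  // key without value
            open.pop_back();
        } else {
            r.nodes.push_back({Node::Atom, t, {}});
            if (!attach(r.nodes.size() - 1)) return r;
        }
    }
    r.ok = have_root && open.empty();
    return r;
}

// Constructed input: n nested arrays around the number 1, e.g. "[ [ [ 1 ] ] ]".
std::string nested_arrays(size_t n) {
    std::string s;
    for (size_t i = 0; i < n; ++i) s += "[ ";
    s += "1";
    for (size_t i = 0; i < n; ++i) s += " ]";
    return s;
}
```

`parse_iterative(nested_arrays(200000), 1000000)` succeeds with `max_depth == 200000`, a nesting that a recursive-descent parser would have to carry as two hundred thousand live stack frames. The arena matters as much as the loop: a tree built from nested `std::vector<Obj>` values would still recurse in its destructors, so a document that parsed fine could crash on cleanup. The `depth_limit` check is the defender's backstop for documents that are merely absurd rather than malformed.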
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2018-03-25 19:37:40 UTC
GLSA Vote: No

Cleanup will be tracked in bug #647776.