Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 756022 - <app-text/qpdf-10.0.4: integer overflows
Summary: <app-text/qpdf-10.0.4: integer overflows
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://qpdf.sourceforge.net/files/qpd...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-21 21:26 UTC by John Helmert III
Modified: 2021-05-31 20:58 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2020-11-21 21:26:07 UTC
According to $URL, two releases since the release we have in-tree have had integer overflow fixes:

10.0.4: Fix a handful of integer overflows. This includes cases found by fuzzing as well as having qpdf not do range checking on unused values in the xref stream.

10.0.2: Fix various integer overflows and similar conditions found by the OSS-Fuzz project.


Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2020-11-24 10:53:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5d7ebe958e82785ecf2ed5428e2a03dac119e29

commit c5d7ebe958e82785ecf2ed5428e2a03dac119e29
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-11-24 10:51:01 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-11-24 10:53:06 +0000

    app-text/qpdf: security bump to 10.0.4
    
    Bug: https://bugs.gentoo.org/756022
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 app-text/qpdf/Manifest           |  1 +
 app-text/qpdf/qpdf-10.0.4.ebuild | 57 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+)
Comment 2 Thomas Deutschmann gentoo-dev Security 2020-12-02 03:08:10 UTC
x86 stable
Comment 3 Sam James archtester gentoo-dev Security 2020-12-03 04:08:24 UTC
arm64 done
Comment 4 Sam James archtester gentoo-dev Security 2020-12-03 05:06:58 UTC
amd64 done
Comment 5 Sam James archtester gentoo-dev Security 2020-12-03 07:29:41 UTC
arm done
Comment 6 Sergei Trofimovich gentoo-dev 2020-12-04 18:13:13 UTC
sparc stable
Comment 7 ernsteiswuerfel 2020-12-10 10:20:41 UTC
Looking good on ppc.

 # cat qpdf-756022.report 
USE tests started on Do 10. Dez 10:49:27 CET 2020

FEATURES=' test' USE='' succeeded for =app-text/qpdf-10.0.4
USE='-doc -examples -libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc -examples -libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc examples -libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='-doc -examples libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc -examples libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc examples libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='-doc -examples -libressl ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc -examples -libressl ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc examples -libressl ssl' succeeded for =app-text/qpdf-10.0.4
USE='-doc examples -libressl ssl' succeeded for =app-text/qpdf-10.0.4

revdep tests started on Do 10. Dez 11:18:36 CET 2020

FEATURES=' test' USE='' succeeded for net-print/cups-filters
Comment 8 ernsteiswuerfel 2020-12-10 11:11:52 UTC
Looking good on ppc64.

 # cat qpdf-756022.report 
USE tests started on Do 10. Dez 11:27:48 CET 2020

FEATURES=' test' USE='' succeeded for =app-text/qpdf-10.0.4
USE='-doc -examples -libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc -examples -libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='-doc -examples libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc -examples -libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc examples -libressl -ssl' succeeded for =app-text/qpdf-10.0.4
USE='-doc -examples -libressl ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc -examples -libressl ssl' succeeded for =app-text/qpdf-10.0.4
USE='-doc examples -libressl ssl' succeeded for =app-text/qpdf-10.0.4
USE='doc examples -libressl ssl' succeeded for =app-text/qpdf-10.0.4

revdep tests started on Do 10. Dez 12:06:16 CET 2020

FEATURES=' test' USE='' succeeded for net-print/cups-filters
Comment 9 Sergei Trofimovich gentoo-dev 2020-12-13 12:08:52 UTC
~ppc/~ppc64 stable
Comment 10 Sam James archtester gentoo-dev Security 2020-12-13 23:27:04 UTC
s390 stable
Comment 11 Rolf Eike Beer 2021-01-05 14:41:33 UTC
hppa stable
Comment 12 John Helmert III gentoo-dev Security 2021-01-05 17:39:10 UTC
Please cleanup.
Comment 13 Larry the Git Cow gentoo-dev 2021-01-10 15:53:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=502279c88919d9107be73fbae3c8b591f83d0d72

commit 502279c88919d9107be73fbae3c8b591f83d0d72
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-01-10 15:52:32 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-01-10 15:53:01 +0000

    app-text/qpdf: Security cleanup
    
    Bug: https://bugs.gentoo.org/756022
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-text/qpdf/Manifest              |  3 --
 app-text/qpdf/metadata.xml          |  3 --
 app-text/qpdf/qpdf-10.0.1-r2.ebuild | 60 -------------------------------------
 app-text/qpdf/qpdf-9.0.2-r1.ebuild  | 59 ------------------------------------
 app-text/qpdf/qpdf-9.1.1-r2.ebuild  | 55 ----------------------------------
 5 files changed, 180 deletions(-)
Comment 14 Sam James archtester gentoo-dev Security 2021-01-10 16:36:53 UTC
Thanks!
Comment 15 Thomas Deutschmann gentoo-dev Security 2021-05-31 20:58:33 UTC
GLSA Vote: No

Nothing to report for us.