Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 626446 (CVE-2017-11624, CVE-2017-11625, CVE-2017-11626, CVE-2017-11627, CVE-2017-9208, CVE-2017-9209, CVE-2017-9210) - <app-text/qpdf-7.0.0: multiple infinite loop
Summary: <app-text/qpdf-7.0.0: multiple infinite loop
Status: RESOLVED FIXED
Alias: CVE-2017-11624, CVE-2017-11625, CVE-2017-11626, CVE-2017-11627, CVE-2017-9208, CVE-2017-9209, CVE-2017-9210
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 646366
Blocks: CVE-2017-12595 641340
  Show dependency tree
 
Reported: 2017-07-28 15:01 UTC by Agostino Sarubbo
Modified: 2018-03-25 19:36 UTC (History)
2 users (show)

See Also:
Package list:
app-text/qpdf-7.0.0
Runtime testing required: ---
stable-bot: sanity-check+


Attachments
QPDF Vulnerbility Tests (qpdf_bug_test,24.81 KB, text/plain)
2017-10-14 01:16 UTC, Aleksandr Wagner (Kivak)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-07-28 15:01:49 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1475517:

A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0,
which allows attackers to cause a denial of service via a crafted file,
related to the PointerHolder function in PointerHolder.hh, aka an
"infinite loop".
Upstream bug:
https://github.com/qpdf/qpdf/issues/118

Upstream patch:
https://github.com/jberkenbilt/qpdf/commit/2f56805a397b4d264bcfdfc248765990084c2933
https://github.com/jberkenbilt/qpdf/commit/97c9344c4b878ddc4723486640688d2d3d38ad32
https://github.com/qpdf/qpdf/commit/ac3c81a8edcb44e2669485630d6718c96a6ad6e9

References:
http://somevulnsofadlab.blogspot.com.br/2017/07/qpdfan-infinite-loop-in-libqpdf_21.html

From https://bugzilla.redhat.com/show_bug.cgi?id=1475514:

A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, which allows attackers to cause a denial of service via a crafted file, related to the QPDFTokenizer::resolveLiteral function in 
QPDFTokenizer.cc after four consecutive calls to QPDFObjectHandle::parseInternal, aka an "infinite loop".

Upstream bug:
https://github.com/qpdf/qpdf/issues/119

Upstream patch:
https://github.com/jberkenbilt/qpdf/commit/2f56805a397b4d264bcfdfc248765990084c2933
https://github.com/jberkenbilt/qpdf/commit/97c9344c4b878ddc4723486640688d2d3d38ad32
https://github.com/qpdf/qpdf/commit/ac3c81a8edcb44e2669485630d6718c96a6ad6e9

References:
http://somevulnsofadlab.blogspot.com.br/2017/07/qpdfan-infinite-loop-in-libqpdf_65.html


From https://bugzilla.redhat.com/show_bug.cgi?id=1475510:

A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0,
which allows attackers to cause a denial of service via a crafted file,
related to the QPDF::resolveObjectsInStream function in QPDF.cc, aka an
"infinite loop".

Upstream bug:
https://github.com/qpdf/qpdf/issues/120

Upstream patch:
https://github.com/jberkenbilt/qpdf/commit/2f56805a397b4d264bcfdfc248765990084c2933
https://github.com/jberkenbilt/qpdf/commit/97c9344c4b878ddc4723486640688d2d3d38ad32
https://github.com/qpdf/qpdf/commit/ac3c81a8edcb44e2669485630d6718c96a6ad6e9

References:
http://somevulnsofadlab.blogspot.com.br/2017/07/qpdfan-infinite-loop-in-libqpdf_26.html


From https://bugzilla.redhat.com/show_bug.cgi?id=1475507:

A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, which allows attackers to cause a denial of service via a crafted file, related to the QPDFTokenizer::resolveLiteral function in 
QPDFTokenizer.cc after two consecutive calls to QPDFObjectHandle::parseInternal, aka an "infinite loop".

Upstream bug:
https://github.com/qpdf/qpdf/issues/117

Upstream patch:
https://github.com/jberkenbilt/qpdf/commit/2f56805a397b4d264bcfdfc248765990084c2933
https://github.com/jberkenbilt/qpdf/commit/97c9344c4b878ddc4723486640688d2d3d38ad32
https://github.com/qpdf/qpdf/commit/ac3c81a8edcb44e2669485630d6718c96a6ad6e9

References:
http://somevulnsofadlab.blogspot.com.br/2017/07/qpdfan-infinite-loop-in-libqpdf.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Aleksandr Wagner (Kivak) 2017-10-14 01:16:25 UTC
Created attachment 498598 [details]
QPDF Vulnerbility Tests

@Maintainer(s): 

The newest version 7.0.0 fixes these bugs. I tested these vulnerabilities with version 5.1.1-r1, and the version appears to be affected. You may view this in the attachment. Please advise on how you would like to proceed.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-20 15:15:57 UTC
Adding CVE-2017-9208,CVE-2017-9209,CVE-2017-9210 to the list of infinite loops
Comment 3 Aleksandr Wagner (Kivak) 2017-10-26 00:25:16 UTC
@ Maintainer(s): Please state if you are ready for stabilization.
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-01-18 14:42:07 UTC
amd64 stable
Comment 5 ernsteiswuerfel 2018-01-20 21:39:52 UTC
Looking good on ppc.

# cat qpdf-626446.report 
USE tests started on Sa 20. Jan 19:57:43 CET 2018

USE='-doc -examples -perl -static-libs'  succeeded for =app-text/qpdf-7.0.0
USE='doc -examples -perl -static-libs'  succeeded for =app-text/qpdf-7.0.0
USE='-doc examples -perl -static-libs'  succeeded for =app-text/qpdf-7.0.0
USE='doc examples -perl -static-libs'  succeeded for =app-text/qpdf-7.0.0
USE='-doc examples perl -static-libs'  succeeded for =app-text/qpdf-7.0.0
USE='doc examples perl -static-libs'  succeeded for =app-text/qpdf-7.0.0
USE='-doc -examples -perl static-libs'  succeeded for =app-text/qpdf-7.0.0
USE='doc -examples -perl static-libs'  succeeded for =app-text/qpdf-7.0.0
USE='doc examples -perl static-libs'  succeeded for =app-text/qpdf-7.0.0
USE='-doc -examples perl static-libs'  succeeded for =app-text/qpdf-7.0.0
USE='-doc examples perl static-libs'  succeeded for =app-text/qpdf-7.0.0
USE='doc examples perl static-libs'  succeeded for =app-text/qpdf-7.0.0
 FEATURES= test succeeded for =app-text/qpdf-7.0.0

revdep tests started on Sa 20. Jan 22:35:02 CET 2018

FEATURES= test USE='pclm' succeeded for net-print/cups-filters
Comment 6 Sergei Trofimovich gentoo-dev 2018-01-20 22:12:16 UTC
ppc stable (thanks to ernsteiswuerfel)
Comment 7 Mark Knecht 2018-01-21 15:37:57 UTC
Adding my email to track. qpdf-7.0.0 and 7.1.0 cause cups-filters to not build on my stable machine. Falling back to the qpdf-5 version works. Will wait for this to be solved before posting another bug report.
Comment 8 Larry the Git Cow gentoo-dev 2018-01-21 20:30:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=caf493509f53379aa0066c30f5197d7a8017f414

commit caf493509f53379aa0066c30f5197d7a8017f414
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-01-21 19:33:08 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-01-21 20:27:46 +0000

    app-text/qpdf: x86 stable
    
    Bug: https://bugs.gentoo.org/626446
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 app-text/qpdf/qpdf-7.0.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)}
Comment 9 Sergei Trofimovich gentoo-dev 2018-01-22 21:29:18 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 10 Tobias Klausmann gentoo-dev 2018-01-28 17:00:24 UTC
Stable on alpha.
Comment 11 Sergei Trofimovich gentoo-dev 2018-02-05 23:22:28 UTC
ia64 stable
Comment 12 Sergei Trofimovich gentoo-dev 2018-02-06 22:56:56 UTC
commit 3f096c35bf4beeb405bfa6673b5cb2734e40efc9
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Tue Feb 6 18:20:59 2018 +0100

    app-text/qpdf: stable 7.0.0 for hppa, bug #626446
Comment 13 Mart Raudsepp gentoo-dev 2018-03-03 12:40:15 UTC
there is no stable qpdf on arm64 right now and nothing stable revdeps on it yet/anymore, unCCing
Comment 14 Sergei Trofimovich gentoo-dev 2018-03-11 10:16:20 UTC
ppc64 stable
Comment 15 Markus Meier gentoo-dev 2018-03-13 18:00:46 UTC
arm stable, all arches done.
Comment 16 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-13 18:11:00 UTC
@Maintainers please remove vulnerable versions.

GLSA Vote: No.

Thank you
Comment 17 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-03-25 19:36:48 UTC
cleanup will be tracked in bug #647776