Debian Bug report logs - #895443
qpdf: CVE-2018-9918
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Jay Berkenbilt <qjb@debian.org>: Bug#895443; Package src:qpdf. (Wed, 11 Apr 2018 15:06:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Jay Berkenbilt <qjb@debian.org>. (Wed, 11 Apr 2018 15:06:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: qpdf
Version: 6.0.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/qpdf/qpdf/issues/202
Hi,
The following vulnerability was published for qpdf.
CVE-2018-9918[0]:
| libqpdf.a in QPDF through 8.0.2 mishandles certain "expected dictionary
| key but found non-name object" cases, allowing remote attackers to
| cause a denial of service (stack exhaustion), related to the
| QPDFObjectHandle and QPDF_Dictionary classes.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-9918
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9918
[1] https://github.com/qpdf/qpdf/issues/202
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as found in versions qpdf/5.1.2-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 11 Apr 2018 15:09:10 GMT)
Marked as found in versions qpdf/2.3.1-4. Request was from Antoine Beaupré <anarcat@debian.org> to control@bugs.debian.org. (Wed, 11 Apr 2018 19:18:02 GMT)
Reply sent to Jay Berkenbilt <qjb@debian.org>: You have taken responsibility. (Sun, 15 Apr 2018 23:21:04 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 15 Apr 2018 23:21:04 GMT)
Message #14 received at 895443-close@bugs.debian.org:
Source: qpdf
Source-Version: 8.0.2-3
We believe that the bug you reported is fixed in the latest version of
qpdf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 895443@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated qpdf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 15 Apr 2018 16:24:12 -0400
Source: qpdf
Binary: libqpdf21 libqpdf-dev qpdf
Architecture: source amd64
Version: 8.0.2-3
Distribution: unstable
Urgency: medium
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description:
libqpdf-dev - development files for PDF transformation/inspection library
libqpdf21 - runtime library for PDF transformation/inspection software
qpdf - tools for transforming and inspecting PDF files
Closes: 895443
Changes:
qpdf (8.0.2-3) unstable; urgency=medium
  .
  * Add patch for CVE-2018-9918 from upstream commit
    b4d6cf6836ce025ba1811b7bbec52680c7204223. (Closes: #895443)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 19 May 2018 07:26:49 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:45:34 2019.