qpdf: CVE-2018-9918

Related Vulnerabilities: CVE-2018-9918  

Debian Bug report logs - #895443


Package: src:qpdf; Maintainer for src:qpdf is Jay Berkenbilt <qjb@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 11 Apr 2018 15:06:01 UTC

Severity: important

Tags: security, upstream

Found in versions qpdf/2.3.1-4, qpdf/6.0.0-2, qpdf/5.1.2-2

Fixed in version qpdf/8.0.2-3

Done: Jay Berkenbilt <qjb@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/qpdf/qpdf/issues/202



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#895443; Package src:qpdf. (Wed, 11 Apr 2018 15:06:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Jay Berkenbilt <qjb@debian.org>. (Wed, 11 Apr 2018 15:06:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: qpdf: CVE-2018-9918
Date: Wed, 11 Apr 2018 17:03:33 +0200
Source: qpdf
Version: 6.0.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/qpdf/qpdf/issues/202

Hi,

The following vulnerability was published for qpdf.

CVE-2018-9918[0]:
| libqpdf.a in QPDF through 8.0.2 mishandles certain "expected dictionary
| key but found non-name object" cases, allowing remote attackers to
| cause a denial of service (stack exhaustion), related to the
| QPDFObjectHandle and QPDF_Dictionary classes.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-9918
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9918
[1] https://github.com/qpdf/qpdf/issues/202

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions qpdf/5.1.2-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 11 Apr 2018 15:09:10 GMT)


Marked as found in versions qpdf/2.3.1-4. Request was from Antoine Beaupré <anarcat@debian.org> to control@bugs.debian.org. (Wed, 11 Apr 2018 19:18:02 GMT)


Reply sent to Jay Berkenbilt <qjb@debian.org>:
You have taken responsibility. (Sun, 15 Apr 2018 23:21:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 15 Apr 2018 23:21:04 GMT)


Message #14 received at 895443-close@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: 895443-close@bugs.debian.org
Subject: Bug#895443: fixed in qpdf 8.0.2-3
Date: Sun, 15 Apr 2018 23:16:50 +0000
Source: qpdf
Source-Version: 8.0.2-3

We believe that the bug you reported is fixed in the latest version of
qpdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 895443@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated qpdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 15 Apr 2018 16:24:12 -0400
Source: qpdf
Binary: libqpdf21 libqpdf-dev qpdf
Architecture: source amd64
Version: 8.0.2-3
Distribution: unstable
Urgency: medium
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description:
 libqpdf-dev - development files for PDF transformation/inspection library
 libqpdf21  - runtime library for PDF transformation/inspection software
 qpdf       - tools for transforming and inspecting PDF files
Closes: 895443
Changes:
 qpdf (8.0.2-3) unstable; urgency=medium
 .
   * Add patch for CVE-2018-9918 from upstream commit
     b4d6cf6836ce025ba1811b7bbec52680c7204223. (Closes: #895443)
Checksums-Sha1:
Checksums-Sha256:
Files:





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 19 May 2018 07:26:49 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:45:34 2019; Machine Name: buxtehude
