libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of service (infinite recursion and stack consumption) via a crafted PDF document, related to QPDFObjectHandle::parseInternal, aka qpdf-infiniteloop2.

According to the versions of the qpdf package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in QPDF before 7.0.0. There is     an infinite loop due to looping xref tables in     QPDF.cc.(CVE-2017-18186)

  - libqpdf.a in QPDF 6.0.0 allows remote attackers to     cause a denial of service (infinite recursion and stack     consumption) via a crafted PDF document, related to     unparse functions, aka     qpdf-infiniteloop3.(CVE-2017-9210)

  - libqpdf.a in QPDF 6.0.0 allows remote attackers to     cause a denial of service (infinite recursion and stack     consumption) via a crafted PDF document, related to     QPDFObjectHandle::parseInternal, aka     qpdf-infiniteloop2.(CVE-2017-9209)

  - libqpdf.a in QPDF 6.0.0 allows remote attackers to     cause a denial of service (infinite recursion and stack     consumption) via a crafted PDF document, related to     releaseResolved functions, aka     qpdf-infiniteloop1.(CVE-2017-9208)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the qpdf package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - libqpdf.a in QPDF 6.0.0 allows remote attackers to     cause a denial of service (infinite recursion and stack     consumption) via a crafted PDF document, related to     QPDFObjectHandle::parseInternal, aka     qpdf-infiniteloop2.(CVE-2017-9209)

  - libqpdf.a in QPDF 6.0.0 allows remote attackers to     cause a denial of service (infinite recursion and stack     consumption) via a crafted PDF document, related to     releaseResolved functions, aka     qpdf-infiniteloop1.(CVE-2017-9208)

  - libqpdf.a in QPDF 6.0.0 allows remote attackers to     cause a denial of service (infinite recursion and stack     consumption) via a crafted PDF document, related to     unparse functions, aka     qpdf-infiniteloop3.(CVE-2017-9210)

  - The tokenizer in QPDF 6.0.0 and 7.0.b1 is recursive for     arrays and dictionaries, which allows remote attackers     to cause a denial of service (stack consumption and     segmentation fault) or possibly have unspecified other     impact via a PDF document with a deep data structure,     as demonstrated by a crash in     QPDFObjectHandle::parseInternal in     libqpdf/QPDFObjectHandle.cc.(CVE-2017-12595)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the qpdf package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - libqpdf.a in QPDF 6.0.0 allows remote attackers to     cause a denial of service (infinite recursion and stack     consumption) via a crafted PDF document, related to     releaseResolved functions, aka     qpdf-infiniteloop1.(CVE-2017-9208)

  - libqpdf.a in QPDF 6.0.0 allows remote attackers to     cause a denial of service (infinite recursion and stack     consumption) via a crafted PDF document, related to     QPDFObjectHandle::parseInternal, aka     qpdf-infiniteloop2.(CVE-2017-9209)

  - libqpdf.a in QPDF 6.0.0 allows remote attackers to     cause a denial of service (infinite recursion and stack     consumption) via a crafted PDF document, related to     unparse functions, aka     qpdf-infiniteloop3.(CVE-2017-9210)

  - The tokenizer in QPDF 6.0.0 and 7.0.b1 is recursive for     arrays and dictionaries, which allows remote attackers     to cause a denial of service (stack consumption and     segmentation fault) or possibly have unspecified other     impact via a PDF document with a deep data structure,     as demonstrated by a crash in     QPDFObjectHandle::parseInternal in     libqpdf/QPDFObjectHandle.cc.(CVE-2017-12595)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qpdf fixes the following issues :

qpdf was updated to 7.1.1.

Security issues fixed :

CVE-2017-11627: A stack-consumption vulnerability which allows attackers to cause DoS (bsc#1050577).

CVE-2017-11625: A stack-consumption vulnerability which allows attackers to cause DoS (bsc#1050579).

CVE-2017-11626: A stack-consumption vulnerability which allows attackers to cause DoS (bsc#1050578).

CVE-2017-11624: A stack-consumption vulnerability which allows attackers to cause DoS (bsc#1050581).

CVE-2017-12595: Stack overflow when processing deeply nested arrays and dictionaries (bsc#1055960).

CVE-2017-9209: Remote attackers can cause a denial of service (infinite recursion and stack consumption) via a crafted PDF document (bsc#1040312).

CVE-2017-9210: Remote attackers can cause a denial of service (infinite recursion and stack consumption) via a crafted PDF document (bsc#1040313).

CVE-2017-9208: Remote attackers can cause a denial of service (infinite recursion and stack consumption) via a crafted PDF document (bsc#1040311).

  - Check release notes for detailed bug fixes.

  - http://qpdf.sourceforge.net/files/qpdf-manual.html#ref.release-notes

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that QPDF incorrectly handled certain malformed files. A remote attacker could use this issue to cause QPDF to crash, resulting in a denial of service, or possibly execute arbitrary code.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This version update for qpdf to 7.1.1 fixes the following issues :

  - Update to version 7.1.1

  - Fix one linearization bug affecting files whose first     /ID component is not 16 bytes long

  - Update to version 7.1.0

  - Allow raw encryption key to be specified in libary and     command line with the QPDF::setPasswordIsHexKey method     and

    --password-is-hex-key option. Allow encryption key to be     displayed with --show-encryption-key option. See     https://blog.didierstevens.com/2017/12/28/cracking-encry     pted-pdfs-part-3/ for a discussion of using this for     cracking encrypted PDFs. I hope that a future release of     qpdf will include some additional recovery options that     may also make use of this capability.

  - Fix lexical error: the PDF specification allows floating     point numbers to end with '.'

  - Fix link order in the build to avoid conflicts when     building from source while an older version of qpdf is     installed

  - Add support for TIFF predictor for LZW and Flate     streams. Now

  - Clarify documentation around options that control     parsing but not output creation. Two options:
    --suppress-recovery and

    --ignore-xref-streams, were documented in the 'Advanced     Transformation Options' section of the manual and --help     output even though they are not related to output. These     are now described in a separate section called 'Advanced     Parsing Options.'

  - Implement remaining PNG filters for decode. Prior     versions could decode only the 'up' filter. Now all PNG     filters (sub, up, average, Paeth, optimal) are supported     for decoding. The implementation of the remaining PNG     filters changed the interface to the private     Pl_PNGFilter class, but this class's header file is not     in the installation, and there is no public interface to     the class. Within the library, the class is never     allocated on the stack; it is only ever dynamically     allocated. As such, this does not actually break binary     compatibility of the library. all predictor functions     are supported

  - Update to version 7.0.0

  - License is now Apache-2.0

  - Add new libjpeg8-devel dependency

  - Improve the error message that is issued when QPDFWriter     encounters a stream that can't be decoded. In     particular, mention that the stream will be copied     without filtering to avoid data loss.

  - Add new methods to the C API to correspond to new     additions to QPDFWriter :

    &#9;- qpdf_set_compress_streams

    &#9;- qpdf_set_decode_level

    &#9;- qpdf_set_preserve_unreferenced_objects

    &#9;- qpdf_set_newline_before_endstream

  - Add support for writing PCLm files

  - QPDF now supports reading and writing streams encoded     with JPEG or RunLength encoding. Library API     enhancements and command-line options have been added to     control this behavior. See command-line options
    --compress-streams and --decode-level and methods     QPDFWriter::setCompressStreams and     QPDFWriter::setDecodeLevel.

  - Page rotation is now supported and accessible from both     the library and the command line.

  - Fixes CVE-2017-12595 boo#1055960, CVE-2017-9208     boo#1040311 CVE-2017-9209 boo#1040312, CVE-2017-9210     boo#1040313, CVE-2017-11627 boo#1050577, CVE-2017-11626     boo#1050578, CVE-2017-11625 boo#1050579, CVE-2017-11624     boo#1050581

  - Update to version 6.0.0

  - Bump shared library version since 5.2.0 broke ABI.

  - Update to version 5.2.0

  - Support for deterministic /IDs for non-encrypted files.
    This is off by default.

  - Handle more invalid xref tables

Security fix for CVE-2017-11627, CVE-2017-11626, CVE-2017-11625, CVE-2017-11624, CVE-2017-9208, CVE-2017-9209, CVE-2017-9210.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
153336	EulerOS 2.0 SP2 : qpdf (EulerOS-SA-2021-2442)	Nessus	Huawei Local Security Checks	medium
149196	EulerOS 2.0 SP3 : qpdf (EulerOS-SA-2021-1843)	Nessus	Huawei Local Security Checks	high
148054	EulerOS 2.0 SP5 : qpdf (EulerOS-SA-2021-1703)	Nessus	Huawei Local Security Checks	high
118301	SUSE SLES12 Security Update : qpdf (SUSE-SU-2018:3066-2)	Nessus	SuSE Local Security Checks	high
117993	SUSE SLED12 / SLES12 Security Update : qpdf (SUSE-SU-2018:3066-1)	Nessus	SuSE Local Security Checks	high
109600	Ubuntu 14.04 LTS / 16.04 LTS : QPDF vulnerabilities (USN-3638-1)	Nessus	Ubuntu Local Security Checks	high
106894	openSUSE Security Update : qpdf (openSUSE-2018-176)	Nessus	SuSE Local Security Checks	high
102215	Fedora 26 : qpdf (2017-e58a762c3f)	Nessus	Fedora Local Security Checks	medium

Detections

Analytics

CVE-2017-9209

medium

Tenable Plugins

medium

high

high

high

high

high

high

medium