Your message dated Sun, 15 Apr 2018 23:16:50 +0000
with message-id <e1f7qt8-000a7n...@fasolo.debian.org>
and subject line Bug#895443: fixed in qpdf 8.0.2-3
has caused the Debian Bug report #895443,
regarding qpdf: CVE-2018-9918
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
895443: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895443
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: qpdf
Version: 6.0.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/qpdf/qpdf/issues/202

Hi,

The following vulnerability was published for qpdf.

CVE-2018-9918[0]:
| libqpdf.a in QPDF through 8.0.2 mishandles certain "expected dictionary
| key but found non-name object" cases, allowing remote attackers to
| cause a denial of service (stack exhaustion), related to the
| QPDFObjectHandle and QPDF_Dictionary classes.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-9918
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9918
[1] https://github.com/qpdf/qpdf/issues/202

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: qpdf
Source-Version: 8.0.2-3

We believe that the bug you reported is fixed in the latest version of
qpdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 895...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <q...@debian.org> (supplier of updated qpdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sun, 15 Apr 2018 16:24:12 -0400
Source: qpdf
Binary: libqpdf21 libqpdf-dev qpdf
Architecture: source amd64
Version: 8.0.2-3
Distribution: unstable
Urgency: medium
Maintainer: Jay Berkenbilt <q...@debian.org>
Changed-By: Jay Berkenbilt <q...@debian.org>
Description:
 libqpdf-dev - development files for PDF transformation/inspection library
 libqpdf21  - runtime library for PDF transformation/inspection software
 qpdf       - tools for transforming and inspecting PDF files
Closes: 895443
Changes:
 qpdf (8.0.2-3) unstable; urgency=medium
 .
   * Add patch for CVE-2018-9918 from upstream commit
     b4d6cf6836ce025ba1811b7bbec52680c7204223. (Closes: #895443)

--- End Message ---