tags 871320 - patch
tags 871320 + fixed-upstream
tags 863390 + fixed-upstream
thanks

The seven CVE issues reported against QPDF have all been fixed upstream,
and the fixes will be included in qpdf 7.0.0 to be released this summer.
The bugs are reported in the following GitHub issues

https://github.com/qpdf/qpdf/issues/99:  CVE-2017-9208
https://github.com/qpdf/qpdf/issues/100: CVE-2017-9209
https://github.com/qpdf/qpdf/issues/101: CVE-2017-9210
https://github.com/qpdf/qpdf/issues/117: CVE-2017-11624
https://github.com/qpdf/qpdf/issues/118: CVE-2017-11627
https://github.com/qpdf/qpdf/issues/119: CVE-2017-11626
https://github.com/qpdf/qpdf/issues/120: CVE-2017-11625

and are collectively fixed by the following five commits:

603f222365252f1a1e20303b3dbe52466be3053b
315092dd98d5230ef0efa18b294d464d0e9f79d0
afe0242b263a9e1a8d51dd81e42ab6de2e5127eb
701b518d5c56a1449825a3a37a716c58e05e1c3e
ac3c81a8edcb44e2669485630d6718c96a6ad6e9

HOWEVER, two of these commits break binary compatibility. In one case
(315092dd98d5230ef0efa18b294d464d0e9f79d0), the problem addressed is
also fixed by another commit, so that commit can be omitted. However, in
the case of 701b518d5c56a1449825a3a37a716c58e05e1c3e, I don't have a way
to fix it without either introducing thread safety issues (by
introducing a static variable) or breaking binary compatibility. While
the various bugs all exposed minor weaknesses in the error handling, all
seven problems ultimately result from the problem addressed by
701b518d5c56a1449825a3a37a716c58e05e1c3e. As such, backporting these
fixes to qpdf 5.x and 6.x is not practical.

These bugs are all caused by qpdf failing to handle objects that are
self-referential in unusual ways. The files provided to reproduce the
issues are not valid PDF files and wouldn't be accepted by other PDF
readers either. This is not to say that these aren't real security
issues, but it is to say that actual users are not likely to encounter
such files in the wild during their ordinary operations. I think this is
a good justification for the severity of these issues being "important"
rather than "serious".

I have pushed a ref to GitHub (refs/attic/v5-cve-backports) that
backports the fixes to version 5. With trivial conflicts, it also
applies to version 6. However, the changes in that form introduce thread
safety issues, so I am not going to apply them.

I will tag these bugs as fixed when I package 7.0.0 for Debian, but they
will remain applicable to older versions.

-- 
Jay Berkenbilt <q...@debian.org>