Advisories » MGASA-2018-0145

Updated qpdf packages fix security vulnerabilities

Publication date: 26 Feb 2018
Modification date: 26 Feb 2018
Type: security
Affected Mageia releases: 5
CVE: CVE-2017-11624, CVE-2017-11625, CVE-2017-11626, CVE-2017-11627, CVE-2017-12595, CVE-2017-9208, CVE-2017-9209, CVE-2017-9210

Description

Updated qpdf packages fix security vulnerabilities:

1. Stack overflow due to endless recursion in QPDFTokenizer::resolveLiteral()
2. Another stack overflow / endless recursion in QPDFWriter::enqueueObject()
3. Stack out of bounds read in iterate_rc4()
4. Heap out of bounds read (large) in Pl_Buffer::write
5. Hang due to a PDF xref loop

Also, the libjpeg package has been patched to provide pkgconfig files, so that
cups-filters could be rebuilt against this qpdf update.
                

References

SRPMS

5/core