Your message dated Mon, 28 Aug 2017 06:00:30 +0000
with message-id <[email protected]>
and subject line Bug#871320: fixed in qpdf 7.0~b1-2
has caused the Debian Bug report #871320,
regarding qpdf: CVE-2017-11624 CVE-2017-11625 CVE-2017-11626 CVE-2017-11627
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
871320: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871320
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: qpdf
Version: 5.1.2-2
Severity: important
Tags: patch upstream security

Hi,

the following vulnerabilities were published for qpdf.

CVE-2017-11624[0]:
| A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0,
| which allows attackers to cause a denial of service via a crafted file,
| related to the QPDFTokenizer::resolveLiteral function in
| QPDFTokenizer.cc after two consecutive calls to
| QPDFObjectHandle::parseInternal, aka an "infinite loop."

CVE-2017-11625[1]:
| A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0,
| which allows attackers to cause a denial of service via a crafted file,
| related to the QPDF::resolveObjectsInStream function in QPDF.cc, aka an
| "infinite loop."

CVE-2017-11626[2]:
| A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0,
| which allows attackers to cause a denial of service via a crafted file,
| related to the QPDFTokenizer::resolveLiteral function in
| QPDFTokenizer.cc after four consecutive calls to
| QPDFObjectHandle::parseInternal, aka an "infinite loop."

CVE-2017-11627[3]:
| A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0,
| which allows attackers to cause a denial of service via a crafted file,
| related to the PointerHolder function in PointerHolder.hh, aka an
| "infinite loop."

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11624
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11624
[1] https://security-tracker.debian.org/tracker/CVE-2017-11625
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11625
[2] https://security-tracker.debian.org/tracker/CVE-2017-11626
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11626
[3] https://security-tracker.debian.org/tracker/CVE-2017-11627
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11627

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: qpdf
Source-Version: 7.0~b1-2

We believe that the bug you reported is fixed in the latest version of
qpdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <[email protected]> (supplier of updated qpdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 23 Aug 2017 12:19:47 -0400
Source: qpdf
Binary: libqpdf18 libqpdf-dev qpdf
Architecture: source amd64
Version: 7.0~b1-2
Distribution: experimental
Urgency: medium
Maintainer: Jay Berkenbilt <[email protected]>
Changed-By: Jay Berkenbilt <[email protected]>
Description:
 libqpdf-dev - development files for PDF transformation/inspection library
 libqpdf18  - runtime library for PDF transformation/inspection software
 qpdf       - tools for transforming and inspecting PDF files
Closes: 825246 863390 871320
Changes:
 qpdf (7.0~b1-2) experimental; urgency=medium
 .
   * No code changes from previous upload other than noting that several
     bugs are closed. I left this out of the earlier changelog. This
     release has many enhancements and fixes many bugs. There are also
     several CVE fixes: CVE-2017-11624, CVE-2017-11625, CVE-2017-11626,
     CVE-2017-11627, CVE-2017-9208, CVE-2017-9209, CVE-2017-9210. (Closes:
     #863390, #871320, #825246). A full listing of the changes in this
     version will be included in the release notes of the final 7.0.0
     release.
   * Change build dependency for libjpeg-dev to leave only virtual package.


--- End Message ---
