Your message dated Mon, 28 Aug 2017 06:00:31 +0000
with message-id <[email protected]>
and subject line Bug#871320: fixed in qpdf 7.0~b1-3
has caused the Debian Bug report #871320,
regarding qpdf: CVE-2017-11624 CVE-2017-11625 CVE-2017-11626 CVE-2017-11627
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
871320: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871320
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: qpdf
Version: 5.1.2-2
Severity: important
Tags: patch upstream security

Hi,

the following vulnerabilities were published for qpdf.

CVE-2017-11624[0]:
| A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0,
| which allows attackers to cause a denial of service via a crafted file,
| related to the QPDFTokenizer::resolveLiteral function in
| QPDFTokenizer.cc after two consecutive calls to
| QPDFObjectHandle::parseInternal, aka an "infinite loop."

CVE-2017-11625[1]:
| A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0,
| which allows attackers to cause a denial of service via a crafted file,
| related to the QPDF::resolveObjectsInStream function in QPDF.cc, aka an
| "infinite loop."

CVE-2017-11626[2]:
| A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0,
| which allows attackers to cause a denial of service via a crafted file,
| related to the QPDFTokenizer::resolveLiteral function in
| QPDFTokenizer.cc after four consecutive calls to
| QPDFObjectHandle::parseInternal, aka an "infinite loop."

CVE-2017-11627[3]:
| A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0,
| which allows attackers to cause a denial of service via a crafted file,
| related to the PointerHolder function in PointerHolder.hh, aka an
| "infinite loop."

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11624
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11624
[1] https://security-tracker.debian.org/tracker/CVE-2017-11625
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11625
[2] https://security-tracker.debian.org/tracker/CVE-2017-11626
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11626
[3] https://security-tracker.debian.org/tracker/CVE-2017-11627
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11627

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: qpdf
Source-Version: 7.0~b1-3

We believe that the bug you reported is fixed in the latest version of
qpdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <[email protected]> (supplier of updated qpdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 24 Aug 2017 21:40:57 -0400
Source: qpdf
Binary: libqpdf18 libqpdf-dev qpdf
Architecture: source amd64
Version: 7.0~b1-3
Distribution: experimental
Urgency: medium
Maintainer: Jay Berkenbilt <[email protected]>
Changed-By: Jay Berkenbilt <[email protected]>
Description:
 libqpdf-dev - development files for PDF transformation/inspection library
 libqpdf18  - runtime library for PDF transformation/inspection software
 qpdf       - tools for transforming and inspecting PDF files
Closes: 825246 863390 871320
Changes:
 qpdf (7.0~b1-3) experimental; urgency=medium
 .
   * Redo debian rules to use dh over cdbs.
   * 7.0~b1 closes several bugs. (Closes: #863390, #871320, #825246)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
