Mageia alert MGASA-2018-0145 (qpdf)
From: Mageia Updates <buildsystem-daemon@mageia.org>
To: updates-announce@ml.mageia.org
Subject: [updates-announce] MGASA-2018-0145: Updated qpdf packages fix security vulnerabilities
Date: Mon, 26 Feb 2018 17:24:05 +0100
Message-ID: <20180226162405.5311F9FD6E@duvel.mageia.org>

MGASA-2018-0145 - Updated qpdf packages fix security vulnerabilities

Publication date: 26 Feb 2018
URL: https://advisories.mageia.org/MGASA-2018-0145.html
Type: security
Affected Mageia releases: 5
CVE: CVE-2017-11624, CVE-2017-11625, CVE-2017-11626, CVE-2017-11627, CVE-2017-12595, CVE-2017-9208, CVE-2017-9209, CVE-2017-9210

Description:
Updated qpdf packages fix security vulnerabilities:

1. Stack overflow due to endless recursion in QPDFTokenizer::resolveLiteral()
2. Another stack overflow / endless recursion in QPDFWriter::enqueueObject()
3. Stack out of bounds read in iterate_rc4()
4. heap out of bounds read (large) in Pl_Buffer::write
5. Hang due to a pdf xref loop:

Also, the libjpeg package has been patched to provide pkgconfig files, so that cups-filters could be rebuilt against this qpdf update.

References:
- https://bugs.mageia.org/show_bug.cgi?id=22648
- http://openwall.com/lists/oss-security/2018/02/13/2
- https://lists.opensuse.org/opensuse-updates/2018-02/msg00...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9208
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9209
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9210

SRPMS:
- 5/core/qpdf-7.1.1-1.mga5
- 5/core/libjpeg-1.3.1-4.3.mga5
- 5/core/cups-filters-1.0.71-1.4.mga5
