PublicDateAtUSN: 2017-05-23
Candidate: CVE-2017-9210
PublicDate: 2017-05-23 04:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9210
 http://www.openwall.com/lists/oss-security/2017/05/23/10
 https://blogs.gentoo.org/ago/2017/05/21/qpdf-three-infinite-loop-in-libqpdf/
 https://ubuntu.com/security/notices/USN-3638-1
Description:
 libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of
 service (infinite recursion and stack consumption) via a crafted PDF
 document, related to unparse functions, aka qpdf-infiniteloop3.
Ubuntu-Description:
Notes:
Bugs:
 https://github.com/qpdf/qpdf/issues/101
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863390
Priority: negligible
Discovered-by: Agostino Sarubbo
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N [5.5 MEDIUM]

Patches_qpdf:
 upstream: https://github.com/qpdf/qpdf/commit/603f222365252f1a1e20303b3dbe52466be3053b
upstream_qpdf: released (7.0.0-1)
precise/esm_qpdf: DNE
trusty_qpdf: released (8.0.2-3~14.04.1)
trusty/esm_qpdf: DNE (trusty was released [8.0.2-3~14.04.1])
vivid/ubuntu-core_qpdf: DNE
xenial_qpdf: released (8.0.2-3~16.04.1)
esm-infra/xenial_qpdf: released (8.0.2-3~16.04.1)
zesty_qpdf: ignored (reached end-of-life)
artful_qpdf: not-affected (7.0.0-1)
bionic_qpdf: not-affected (7.0.0-1)
devel_qpdf: not-affected (7.0.0-1)