PublicDateAtUSN: 2018-04-10
Candidate: CVE-2018-9918
PublicDate: 2018-04-10 18:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9918
 https://ubuntu.com/security/notices/USN-3638-1
Description:
 libqpdf.a in QPDF through 8.0.2 mishandles certain "expected dictionary key
 but found non-name object" cases, allowing remote attackers to cause a
 denial of service (stack exhaustion), related to the QPDFObjectHandle and
 QPDF_Dictionary classes, because nesting in direct objects is not
 restricted.
Ubuntu-Description:
Notes:
Bugs:
 https://github.com/qpdf/qpdf/issues/202
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895443
Priority: low
Discovered-by: Vítor Silva
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8 HIGH]


Patches_qpdf:
 upstream: https://github.com/qpdf/qpdf/commit/b4d6cf6836ce025ba1811b7bbec52680c7204223
upstream_qpdf: needs-triage
precise/esm_qpdf: DNE
trusty_qpdf: released (8.0.2-3~14.04.1)
trusty/esm_qpdf: DNE (trusty was released [8.0.2-3~14.04.1])
xenial_qpdf: released (8.0.2-3~16.04.1)
esm-infra/xenial_qpdf: released (8.0.2-3~16.04.1)
artful_qpdf: released (8.0.2-3~17.10.1)
bionic_qpdf: not-affected (8.0.2-3)
devel_qpdf: not-affected (8.0.2-3)