CVE-2017-12595 (retired)

Priority
Description
The tokenizer in QPDF 6.0.0 and 7.0.b1 is recursive for arrays and
dictionaries, which allows remote attackers to cause a denial of service
(stack consumption and segmentation fault) or possibly have unspecified
other impact via a PDF document with a deep data structure, as demonstrated
by a crash in QPDFObjectHandle::parseInternal in
libqpdf/QPDFObjectHandle.cc.
Notes
 mdeslaur> this patch breaks ABI
Assigned-to
mdeslaur
Package
Source: qpdf (LP Ubuntu Debian)
Upstream:released (7.0.0-1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (8.0.2-3~16.04.1)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (7.0.0-1)
Patches:
Upstream:https://github.com/qpdf/qpdf/commit/ad527a64f93dca12f6aabab2ca99ae5eb352ab4b
Upstream:https://github.com/qpdf/qpdf/commit/728dc9e6d8975eebbbc0f5b35628b57d273ffe2d
More Information

Updated: 2019-09-19 16:01:40 UTC (commit d32ebc32606b9517c6fa7d65a15441e2a57a6de5)