1545278 – (CVE-2017-18184) CVE-2017-18184 qpdf: out-of-bounds read in iterate_rc4 in QPDF_encryption.cc

Bug 1545278 (CVE-2017-18184) - CVE-2017-18184 qpdf: out-of-bounds read in iterate_rc4 in QPDF_encryption.cc

Summary: CVE-2017-18184 qpdf: out-of-bounds read in iterate_rc4 in QPDF_encryption.cc

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2017-18184
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1554698 1554700
Blocks:	1545293
TreeView+	depends on / blocked

Reported:	2018-02-14 14:23 UTC by Laura Pardo
Modified:	2021-02-17 00:49 UTC (History)
CC List:	3 users (show)
Fixed In Version:	qpdf 7.1.1
Doc Type:	If docs needed, set a value
Doc Text:	A stack-based out-of-bounds read flaw was found in the way QPDF parsed PDF files. An attacker could potentially use this flaw to crash QPDF, under certain conditions, by tricking it into processing crafted QPDF files.
Clone Of:
Environment:
Last Closed:	2019-06-08 03:40:01 UTC
Embargoed:

Attachments	(Terms of Use)

Description Laura Pardo 2018-02-14 14:23:07 UTC

A flaw was found in QPDF before 7.1.1 There is a stack-based out-of-bounds read in the function iterate_rc4 in QPDF_encryption.cc. This allows an attacker to cause a denial of service via a crafted file.

External References:

https://github.com/qpdf/qpdf/issues/147

Upstream Patch:

https://github.com/qpdf/qpdf/commit/dea704f0ab7f625e1e7b3f9a1110b45b63157317

Note You need to log in before you can comment on or make changes to this bug.