1545288 – (CVE-2017-18186) CVE-2017-18186 qpdf: infinite loop due to looping xref tables in QPDF.cc

Bug 1545288 (CVE-2017-18186) - CVE-2017-18186 qpdf: infinite loop due to looping xref tables in QPDF.cc

Summary: CVE-2017-18186 qpdf: infinite loop due to looping xref tables in QPDF.cc

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2017-18186
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1554733 1554734
Blocks:	1545293
TreeView+	depends on / blocked

Reported:	2018-02-14 14:37 UTC by Laura Pardo
Modified:	2021-02-17 00:49 UTC (History)
CC List:	3 users (show)
Fixed In Version:	qpdf 7.1.1
Doc Type:	If docs needed, set a value
Doc Text:	A denial of service flaw was found in the way QPDF parsed PDF files. An attacker could potentially use this flaw to cause QPDF to enter an infinite loop by tricking it into processing crafted QPDF files.
Clone Of:
Environment:
Last Closed:	2019-06-08 03:40:03 UTC
Embargoed:

Attachments	(Terms of Use)

Description Laura Pardo 2018-02-14 14:37:14 UTC

A flaw was found in QPDF before 7.0.0. There is an infinite loop due to looping xref tables in QPDF.cc. This allows an attacker to cause a denial of service via a crafted file.


External References:

https://github.com/qpdf/qpdf/issues/149

Upstream Patch:

https://github.com/qpdf/qpdf/commit/85f05cc57ffa0a863d9d9b23e73acea9410b2937

Note You need to log in before you can comment on or make changes to this bug.