
Gentoo: GLSA-202401-20 Normal: QPDF Buffer Overflow Risk

Gentoo, January 15, 2024
Investigate the QPDF vulnerability affecting Gentoo systems, and discover effective methods to remediate this issue through system updates, ensuring continued protection.
A vulnerability has been found in QPDF which can lead to a heap-based buffer overflow.

Summary

A vulnerability has been discovered in QPDF. Please review the CVE identifier referenced below for details.

Resolution

All QPDF users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-text/qpdf-10.1.0"

References

[ 1 ] CVE-2021-36978 https://nvd.nist.gov/vuln/detail/CVE-2021-36978

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202401-20

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity: Normal
Title: QPDF: Buffer Overflow
Date: January 15, 2024
Bugs: #803110
ID: 202401-20

Synopsis

A vulnerability has been found in QPDF which can lead to a heap-based buffer overflow.

Background

QPDF: A content-preserving PDF document transformer.


Affected Packages

  Package          Vulnerable    Unaffected
  -------------    ----------    ----------
  app-text/qpdf    < 10.1.0      >= 10.1.0
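The following is an added check, not part of the GLSA or of Gentoo's tooling: it takes installed app-text/qpdf atoms (on a real host these would come from `qlist -Iv app-text/qpdf`, assumed available from portage-utils) and reports which ones fall inside the vulnerable range above, i.e. below 10.1.0. The sample atoms at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the GLSA): classify installed app-text/qpdf
# versions against the advisory's fixed version 10.1.0.

# Reduce "app-text/qpdf-10.0.4-r1" to the dotted version "10.0.4":
# strip the category/name prefix, any "-rN" revision and any "_suffix".
qpdf_version() {
    printf '%s\n' "$1" | sed -e 's|^.*/qpdf-||' -e 's/-r[0-9]*$//' -e 's/_.*$//'
}

# Compare two dotted versions numerically, component by component
# (missing components count as 0). Prints -1, 0 or 1 for a < b, a == b, a > b.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# True (exit 0) when the installed atom is below the fixed version 10.1.0.
qpdf_vulnerable() {
    v=$(qpdf_version "$1")
    [ "$(vercmp "$v" "10.1.0")" -lt 0 ]
}

# Constructed sample input; replace with the output of: qlist -Iv app-text/qpdf
for atom in app-text/qpdf-10.0.4 app-text/qpdf-10.1.0 app-text/qpdf-11.6.3-r1; do
    if qpdf_vulnerable "$atom"; then
        echo "$atom: VULNERABLE (GLSA 202401-20), upgrade to >=app-text/qpdf-10.1.0"
    else
        echo "$atom: not affected"
    fi
done
```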

Impact

QPDF has a heap-based buffer overflow in Pl_ASCII85Decoder::write (called from Pl_AES_PDF::flush and Pl_AES_PDF::finish) when a certain downstream write fails.

Workaround

There is no known workaround at this time.
