Register | Log in

qpdf

tools for transforming and inspecting PDF files

Choose email to subscribe with

general

source: qpdf (main)
version: 9.0.0-1
maintainer: Jay Berkenbilt (DMD)
arch: any
std-ver: 4.4.0
VCS: unknown

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 5.1.2-2
oldstable: 6.0.0-2
old-bpo: 8.0.2-2~bpo9+1
stable: 8.4.0-2
testing: 8.4.2-1
unstable: 9.0.0-1

versioned links

5.1.2-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.0.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.0.2-2~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.4.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.4.2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.0.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libqpdf-dev
libqpdf26
qpdf (1 bugs: 0, 1, 0, 0)

action needed

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2018-18020: In QPDF 8.2.1, in libqpdf/QPDFWriter.cc, QPDFWriter::unparseObject and QPDFWriter::unparseChild have recursive calls for a long time, which allows remote attackers to cause a denial of service via a crafted PDF file.

Please fix it.

Created: 2019-07-07 Last update: 2019-09-05 00:38

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2018-18020: In QPDF 8.2.1, in libqpdf/QPDFWriter.cc, QPDFWriter::unparseObject and QPDFWriter::unparseChild have recursive calls for a long time, which allows remote attackers to cause a denial of service via a crafted PDF file.

Please fix it.

Created: 2018-10-06 Last update: 2019-09-05 00:38

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2019-09-10 Last update: 2019-09-16 04:30

1 ignored security issue in buster low

There is 1 open security issue in buster.

1 issue skipped by the security teams:

CVE-2018-18020: In QPDF 8.2.1, in libqpdf/QPDFWriter.cc, QPDFWriter::unparseObject and QPDFWriter::unparseChild have recursive calls for a long time, which allows remote attackers to cause a denial of service via a crafted PDF file.

Please fix it.

Created: 2018-10-06 Last update: 2019-09-05 00:38

15 ignored security issues in jessie low

There are 15 open security issues in jessie.

15 issues skipped by the security teams:

CVE-2017-9209: libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of service (infinite recursion and stack consumption) via a crafted PDF document, related to QPDFObjectHandle::parseInternal, aka qpdf-infiniteloop2.
CVE-2017-11627: A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, which allows attackers to cause a denial of service via a crafted file, related to the PointerHolder function in PointerHolder.hh, aka an "infinite loop."
CVE-2018-9918: libqpdf.a in QPDF through 8.0.2 mishandles certain "expected dictionary key but found non-name object" cases, allowing remote attackers to cause a denial of service (stack exhaustion), related to the QPDFObjectHandle and QPDF_Dictionary classes, because nesting in direct objects is not restricted.
CVE-2017-12595: The tokenizer in QPDF 6.0.0 and 7.0.b1 is recursive for arrays and dictionaries, which allows remote attackers to cause a denial of service (stack consumption and segmentation fault) or possibly have unspecified other impact via a PDF document with a deep data structure, as demonstrated by a crash in QPDFObjectHandle::parseInternal in libqpdf/QPDFObjectHandle.cc.
CVE-2017-9210: libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of service (infinite recursion and stack consumption) via a crafted PDF document, related to unparse functions, aka qpdf-infiniteloop3.
CVE-2017-9208: libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of service (infinite recursion and stack consumption) via a crafted PDF document, related to releaseResolved functions, aka qpdf-infiniteloop1.
CVE-2017-18183: An issue was discovered in QPDF before 7.0.0. There is an infinite loop in the QPDFWriter::enqueueObject() function in libqpdf/QPDFWriter.cc.
CVE-2017-18186: An issue was discovered in QPDF before 7.0.0. There is an infinite loop due to looping xref tables in QPDF.cc.
CVE-2017-18184: An issue was discovered in QPDF before 7.0.0. There is a stack-based out-of-bounds read in the function iterate_rc4 in QPDF_encryption.cc.
CVE-2017-18185: An issue was discovered in QPDF before 7.0.0. There is a large heap-based out-of-bounds read in the Pl_Buffer::write function in Pl_Buffer.cc. It is caused by an integer overflow in the PNG filter.
CVE-2017-11624: A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, which allows attackers to cause a denial of service via a crafted file, related to the QPDFTokenizer::resolveLiteral function in QPDFTokenizer.cc after two consecutive calls to QPDFObjectHandle::parseInternal, aka an "infinite loop."
CVE-2017-11625: A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, which allows attackers to cause a denial of service via a crafted file, related to the QPDF::resolveObjectsInStream function in QPDF.cc, aka an "infinite loop."
CVE-2017-11626: A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, which allows attackers to cause a denial of service via a crafted file, related to the QPDFTokenizer::resolveLiteral function in QPDFTokenizer.cc after four consecutive calls to QPDFObjectHandle::parseInternal, aka an "infinite loop."
CVE-2015-9252: An issue was discovered in QPDF before 7.0.0. Endless recursion causes stack exhaustion in QPDFTokenizer::resolveLiteral() in QPDFTokenizer.cc, related to the QPDF::resolve function in QPDF.cc.
CVE-2018-18020: In QPDF 8.2.1, in libqpdf/QPDFWriter.cc, QPDFWriter::unparseObject and QPDFWriter::unparseChild have recursive calls for a long time, which allows remote attackers to cause a denial of service via a crafted PDF file.

Please fix them.

Created: 2017-05-23 Last update: 2019-09-05 00:38

15 ignored security issues in stretch low

There are 15 open security issues in stretch.

15 issues skipped by the security teams:

CVE-2017-9209: libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of service (infinite recursion and stack consumption) via a crafted PDF document, related to QPDFObjectHandle::parseInternal, aka qpdf-infiniteloop2.
CVE-2017-11627: A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, which allows attackers to cause a denial of service via a crafted file, related to the PointerHolder function in PointerHolder.hh, aka an "infinite loop."
CVE-2018-9918: libqpdf.a in QPDF through 8.0.2 mishandles certain "expected dictionary key but found non-name object" cases, allowing remote attackers to cause a denial of service (stack exhaustion), related to the QPDFObjectHandle and QPDF_Dictionary classes, because nesting in direct objects is not restricted.
CVE-2017-12595: The tokenizer in QPDF 6.0.0 and 7.0.b1 is recursive for arrays and dictionaries, which allows remote attackers to cause a denial of service (stack consumption and segmentation fault) or possibly have unspecified other impact via a PDF document with a deep data structure, as demonstrated by a crash in QPDFObjectHandle::parseInternal in libqpdf/QPDFObjectHandle.cc.
CVE-2017-9210: libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of service (infinite recursion and stack consumption) via a crafted PDF document, related to unparse functions, aka qpdf-infiniteloop3.
CVE-2017-9208: libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of service (infinite recursion and stack consumption) via a crafted PDF document, related to releaseResolved functions, aka qpdf-infiniteloop1.
CVE-2017-18183: An issue was discovered in QPDF before 7.0.0. There is an infinite loop in the QPDFWriter::enqueueObject() function in libqpdf/QPDFWriter.cc.
CVE-2017-18186: An issue was discovered in QPDF before 7.0.0. There is an infinite loop due to looping xref tables in QPDF.cc.
CVE-2017-18184: An issue was discovered in QPDF before 7.0.0. There is a stack-based out-of-bounds read in the function iterate_rc4 in QPDF_encryption.cc.
CVE-2017-18185: An issue was discovered in QPDF before 7.0.0. There is a large heap-based out-of-bounds read in the Pl_Buffer::write function in Pl_Buffer.cc. It is caused by an integer overflow in the PNG filter.
CVE-2017-11624: A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, which allows attackers to cause a denial of service via a crafted file, related to the QPDFTokenizer::resolveLiteral function in QPDFTokenizer.cc after two consecutive calls to QPDFObjectHandle::parseInternal, aka an "infinite loop."
CVE-2017-11625: A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, which allows attackers to cause a denial of service via a crafted file, related to the QPDF::resolveObjectsInStream function in QPDF.cc, aka an "infinite loop."
CVE-2017-11626: A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, which allows attackers to cause a denial of service via a crafted file, related to the QPDFTokenizer::resolveLiteral function in QPDFTokenizer.cc after four consecutive calls to QPDFObjectHandle::parseInternal, aka an "infinite loop."
CVE-2015-9252: An issue was discovered in QPDF before 7.0.0. Endless recursion causes stack exhaustion in QPDFTokenizer::resolveLiteral() in QPDFTokenizer.cc, related to the QPDF::resolve function in QPDF.cc.
CVE-2018-18020: In QPDF 8.2.1, in libqpdf/QPDFWriter.cc, QPDFWriter::unparseObject and QPDFWriter::unparseChild have recursive calls for a long time, which allows remote attackers to cause a denial of service via a crafted PDF file.

Please fix them.

Created: 2017-05-23 Last update: 2019-09-05 00:38

testing migrations

This package is part of the ongoing testing transition known as auto-qpdf. Please avoid uploads unrelated to this transition, they would likely delay it and require supplementary work from the release managers. On the other hand, if your package has problems preventing it to migrate to testing, please fix them as soon as possible. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
excuses:
- Migration status for qpdf (8.4.2-1 to 9.0.0-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- Not built on buildd: arch amd64 binaries uploaded by qjb
- missing build on arm64
- missing build on armel
- missing build on armhf
- missing build on ppc64el
- missing build on s390x
- Additional info:
- Piuparts tested OK - https://piuparts.debian.org/sid/source/q/qpdf.html
- 11 days old (needed 5 days)
- Not considered

news

[2019-09-04] Accepted qpdf 9.0.0-1 (source amd64) into unstable, unstable (Jay Berkenbilt)
[2019-08-20] qpdf 8.4.2-1 MIGRATED to testing (Debian testing watch)
[2019-05-18] Accepted qpdf 8.4.2-1 (source amd64) into unstable (Jay Berkenbilt)
[2019-04-28] Accepted qpdf 8.4.1-1 (source amd64) into unstable (Jay Berkenbilt)
[2019-02-19] qpdf 8.4.0-2 MIGRATED to testing (Debian testing watch)
[2019-02-08] Accepted qpdf 8.4.0-2 (source amd64) into unstable (Jay Berkenbilt)
[2019-02-08] qpdf 8.4.0-1 MIGRATED to testing (Debian testing watch)
[2019-02-02] Accepted qpdf 8.4.0-1 (source amd64) into unstable (Jay Berkenbilt)
[2019-01-23] qpdf 8.3.0-2 MIGRATED to testing (Debian testing watch)
[2019-01-17] Accepted qpdf 8.3.0-2 (source amd64) into unstable (Jay Berkenbilt)
[2019-01-13] qpdf 8.3.0-1 MIGRATED to testing (Debian testing watch)
[2019-01-08] Accepted qpdf 8.3.0-1 (source amd64) into unstable (Jay Berkenbilt)
[2018-08-24] qpdf 8.2.1-1 MIGRATED to testing (Debian testing watch)
[2018-08-18] Accepted qpdf 8.2.1-1 (source amd64) into unstable (Jay Berkenbilt)
[2018-08-18] Accepted qpdf 8.2.0-1 (source amd64) into unstable (Jay Berkenbilt)
[2018-06-28] qpdf 8.1.0-1 MIGRATED to testing (Debian testing watch)
[2018-06-23] Accepted qpdf 8.1.0-1 (source amd64) into unstable (Jay Berkenbilt)
[2018-04-21] qpdf 8.0.2-3 MIGRATED to testing (Debian testing watch)
[2018-04-15] Accepted qpdf 8.0.2-3 (source amd64) into unstable (Jay Berkenbilt)
[2018-04-11] Accepted qpdf 8.0.2-2~bpo9+1 (amd64 source) into stretch-backports, stretch-backports (Sean Whitton)
[2018-03-30] qpdf 8.0.2-2 MIGRATED to testing (Debian testing watch)
[2018-03-30] qpdf 8.0.2-2 MIGRATED to testing (Debian testing watch)
[2018-03-25] Accepted qpdf 8.0.2-2 (source amd64) into unstable (Jay Berkenbilt)
[2018-03-12] qpdf 8.0.2-1 MIGRATED to testing (Debian testing watch)
[2018-03-06] Accepted qpdf 8.0.2-1 (source amd64) into unstable (Jay Berkenbilt)
[2018-03-04] Accepted qpdf 8.0.1-1 (source amd64) into unstable (Jay Berkenbilt)
[2018-03-03] qpdf 8.0.0-1 MIGRATED to testing (Debian testing watch)
[2018-02-25] Accepted qpdf 8.0.0-1 (source amd64) into unstable (Jay Berkenbilt)
[2018-02-21] Accepted qpdf 8.0~a1-1 (source amd64) into experimental, experimental (Jay Berkenbilt)
[2018-02-10] qpdf 7.1.1-1 MIGRATED to testing (Debian testing watch)

1
2

bugs [bug history graph]

all: 1
RC: 0
I&N: 1
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 8.4.2-1
3 bugs

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing