Merge commit '2b03edb1da4080468b7bb7a363ee71c9314bdf84'

author: Repository mirror & CI <repomirrorci@gentoo.org> 2024-01-15 13:18:13 +0000
committer: Repository mirror & CI <repomirrorci@gentoo.org> 2024-01-15 13:18:13 +0000
commit: 0d3286fb658333b0771276be00de601a90e7dfa4 (patch)
tree: dc3a2ed0181ac50e8e86d7a32eb4c18d3983f20c /metadata/glsa
parent: Merge updates from master (diff)
parent: [ GLSA 202401-20 ] QPDF: Buffer Overflow (diff)
download: gentoo-0d3286fb658333b0771276be00de601a90e7dfa4.tar.gz
gentoo-0d3286fb658333b0771276be00de601a90e7dfa4.tar.bz2
gentoo-0d3286fb658333b0771276be00de601a90e7dfa4.zip
1 files changed, 42 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-202401-20.xml b/metadata/glsa/glsa-202401-20.xml
new file mode 100644
index 000000000000..7600622922d9
--- /dev/null
+++ b/metadata/glsa/glsa-202401-20.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202401-20">
+    <title>QPDF: Buffer Overflow</title>
+    <synopsis>A vulnerability has been found in QPDF which can lead to a heap-based buffer overflow.</synopsis>
+    <product type="ebuild">qpdf</product>
+    <announced>2024-01-15</announced>
+    <revised count="1">2024-01-15</revised>
+    <bug>803110</bug>
+    <access>remote</access>
+    <affected>
+        <package name="app-text/qpdf" auto="yes" arch="*">
+            <unaffected range="ge">10.1.0</unaffected>
+            <vulnerable range="lt">10.1.0</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>QPDF: A content-preserving PDF document transformer.</p>
+    </background>
+    <description>
+        <p>A vulnerability has been discovered in QPDF. Please review the CVE identifier referenced below for details.</p>
+    </description>
+    <impact type="normal">
+        <p>QPDF has a heap-based buffer overflow in Pl_ASCII85Decoder::write (called from Pl_AES_PDF::flush and Pl_AES_PDF::finish) when a certain downstream write fails.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All QPDF users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=app-text/qpdf-10.1.0"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36978">CVE-2021-36978</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-01-15T13:05:16.102082Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-01-15T13:05:16.105037Z">graaff</metadata>
+</glsa>
+\ No newline at end of file
author	Repository mirror & CI <repomirrorci@gentoo.org>	2024-01-15 13:18:13 +0000
committer	Repository mirror & CI <repomirrorci@gentoo.org>	2024-01-15 13:18:13 +0000
commit	0d3286fb658333b0771276be00de601a90e7dfa4 (patch)
tree	dc3a2ed0181ac50e8e86d7a32eb4c18d3983f20c /metadata/glsa
parent	Merge updates from master (diff)
parent	[ GLSA 202401-20 ] QPDF: Buffer Overflow (diff)
download	gentoo-0d3286fb658333b0771276be00de601a90e7dfa4.tar.gz gentoo-0d3286fb658333b0771276be00de601a90e7dfa4.tar.bz2 gentoo-0d3286fb658333b0771276be00de601a90e7dfa4.zip