Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 18 Oct 2013 16:50:16 -0400
From: Jay Berkenbilt <>
Subject: qpdf 5.0.1 has some security fixes

I have released qpdf 5.0.1 today.  This release includes some security
fixes and hardening changes as suggested by Florian Weimer of Red Hat.
Red Hat's security team analyzed the software and decided that there
were no issues serious enough to warrant issuing any CVEs or creating
any embargoed issues, so all the fixes are published on

Here are the commits that are relevant:

ac9c1f0 Security: replace operator[] with at
4229457 Security: use a secure random number generator
0bfe902 Security: avoid pre-allocating vectors based on file data
10bceb5 Security: sanitize /W in xref stream
3eb4b06 Security: better bounds checks for linearization data
b097d7a Security: handle empty name in normalizeName
eb1b126 Security: fix potential multiplication overflow
c2e91d8 Security: keep cur_byte pointing into bytes array

5.0.0 and earlier used random() or rand() from the standard library for
random numbers, but the TODO file for qpdf had mentioned this from the
beginning.  qpdf 5.0.1 uses /dev/urandom on Linux MS Windows Crypto on
Windows, and tries to find a suitable random device for other
platforms.  It can fall back to insecure random only when configured
with --enable-insecure-random.

Since there are no CVEs issued for this, I have not provided backports
to other versions that some distributions may contain, but I was able to
backport the changes into the 2.x releases in a throw-away branch.  The
"replace operator[] with at" change was programmatically generated and
wouldn't make sense to backport.  Instead, it could be regenerated for
older versions.  If any distributions decide that they want to issue
security bulletins for any of these issues, I can assist with doing
backports.  To my knowledge, qpdf is a leaf node in every distribution
that carries any version older than 4.0.0, which is the first version
that was a dependency of open printing.  Most of the issues found in the
qpdf code were in parts of the code that are not used by open printing.
That said, the changes can be relatively easily backported to versions
as recent as that.

For any debian security team members who may receive this, I have
already upload qpdf 5.0.1 to debian unstable.

Jay Berkenbilt <>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.