Date: Fri, 18 Oct 2013 16:50:16 -0400 From: Jay Berkenbilt <ejb@...org> To: oss-security@...ts.openwall.com Subject: qpdf 5.0.1 has some security fixes I have released qpdf 5.0.1 today. This release includes some security fixes and hardening changes as suggested by Florian Weimer of Red Hat. Red Hat's security team analyzed the software and decided that there were no issues serious enough to warrant issuing any CVEs or creating any embargoed issues, so all the fixes are published on https://github.com/qpdf/qpdf Here are the commits that are relevant: ac9c1f0 Security: replace operator with at 4229457 Security: use a secure random number generator 0bfe902 Security: avoid pre-allocating vectors based on file data 10bceb5 Security: sanitize /W in xref stream 3eb4b06 Security: better bounds checks for linearization data b097d7a Security: handle empty name in normalizeName eb1b126 Security: fix potential multiplication overflow c2e91d8 Security: keep cur_byte pointing into bytes array 5.0.0 and earlier used random() or rand() from the standard library for random numbers, but the TODO file for qpdf had mentioned this from the beginning. qpdf 5.0.1 uses /dev/urandom on Linux MS Windows Crypto on Windows, and tries to find a suitable random device for other platforms. It can fall back to insecure random only when configured with --enable-insecure-random. Since there are no CVEs issued for this, I have not provided backports to other versions that some distributions may contain, but I was able to backport the changes into the 2.x releases in a throw-away branch. The "replace operator with at" change was programmatically generated and wouldn't make sense to backport. Instead, it could be regenerated for older versions. If any distributions decide that they want to issue security bulletins for any of these issues, I can assist with doing backports. To my knowledge, qpdf is a leaf node in every distribution that carries any version older than 4.0.0, which is the first version that was a dependency of open printing. Most of the issues found in the qpdf code were in parts of the code that are not used by open printing. That said, the changes can be relatively easily backported to versions as recent as that. For any debian security team members who may receive this, I have already upload qpdf 5.0.1 to debian unstable. -- Jay Berkenbilt <ejb@...org>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.