CVE-2017-9208 — Infinite Loop in Project Qpdf

CWE-835 — Infinite Loop17 documents8 sources

Severity

5.5MEDIUMNVD

EPSS

0.9%

top 24.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qpdf Project Qpdf Canonical Ubuntu Linux

Timeline

PublishedMay 23

Latest updateMay 13

Description

libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of service (infinite recursion and stack consumption) via a crafted PDF document, related to releaseResolved functions, aka qpdf-infiniteloop1.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶Debianqpdf_project/qpdf< 7.0.0-1+3

▶NVDqpdf_project/qpdf6.0.0

Also affects: Ubuntu Linux 14.04, 16.04, 17.10

Patches

Patch: blogs.gentoo.org ↗Patch: blogs.gentoo.org ↗

🔴Vulnerability Details

GHSA

GHSA-j36c-72rw-944m: libqpdf↗2022-05-13

▶

CVEList

CVE-2017-9208: libqpdf↗2017-05-23

▶

OSV

CVE-2017-9208: libqpdf↗2017-05-23

▶

📋Vendor Advisories

Ubuntu

QPDF vulnerabilities↗2018-05-07

▶

Red Hat

qpdf: Infinite loop related to releaseResolved functions↗2017-05-21

▶

Debian

CVE-2017-9208: qpdf - libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of service (in...↗2017

▶

💬Community

Bugzilla

CVE-2017-11624 qpdf: Infinite loop in QPDFTokenizer::resolveLiteral function in QPDFTokenizer.cc [epel-6]↗2017-07-26

▶

Bugzilla

CVE-2017-11626 qpdf: Infinite loop in QPDFTokenizer::resolveLiteral function in QPDFTokenizer.cc [fedora-all]↗2017-07-26

▶

Bugzilla

CVE-2017-11624 qpdf: Infinite loop in QPDFTokenizer::resolveLiteral function in QPDFTokenizer.cc [fedora-all]↗2017-07-26

▶

Bugzilla

CVE-2017-11627 qpdf: Infinite loop in PointerHolder function in PointerHolder.hh [fedora-all]↗2017-07-26

▶

Bugzilla

CVE-2017-11626 qpdf: Infinite loop in QPDFTokenizer::resolveLiteral function in QPDFTokenizer.cc [epel-6]↗2017-07-26

▶