Vulnerability roundup 53: qpdf-8.2.1: 1 advisory

[ckauhaus]

search, files

• CVE-2018-18020 (nixos-unstable, nixos-18.09)

Scanned versions: nixos-unstable: 80738ed; nixos-18.09: 5d4a1a3. May contain false positives.

[periklis]

According to the open issue on the project repo it has a cap on 500 levels of recursive calls and then it will abort. Imho we can neglect this issue.

[c0bw3b]

Agreed. CVSSv3 score of 3.3 and worst case scenario is the app hangs for 10min.
It should be safe to just wait for the next release.

[NicoleG25]

Hi, was this issue ever fixed in the next release and if so what version? thank you ! :)

[c0bw3b]

Hi,
According to upstream issue it was fixed in the 9.x branch, which started on September 1st (v9.0.0).
Current release is v9.1.0.

[NicoleG25]

Hi,
According to upstream issue it was fixed in the 9.x branch, which started on September 1st (v9.0.0).
Current release is v9.1.0.

Could you possibly point me to the commit fixing the issue?
Thanks !

[ckauhaus]

qpdf was last updated to 9.1.0 in 5a0c2f2 (master -> will become 20.03). The update before that was in 12c9003 which unfortunately did not make it into 19.09. HTH