Important: qpdf

Issue Overview:

2024-01-17: CVE-2021-36978 was added to this advisory.

An issue was discovered in QPDF version 10.0.4, allows remote attackers to execute arbitrary code via crafted .pdf file to Pl_ASCII85Decoder::write parameter in libqpdf. (CVE-2021-25786)

QPDF 9.x through 9.1.1 and 10.x through 10.0.4 has a heap-based buffer overflow in Pl_ASCII85Decoder::write (called from Pl_AES_PDF::flush and Pl_AES_PDF::finish) when a certain downstream write fails. (CVE-2021-36978)

Affected Packages:

qpdf

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update qpdf to update your system.

New Packages:

aarch64:  
    qpdf-5.0.1-4.amzn2.0.2.aarch64  
    qpdf-libs-5.0.1-4.amzn2.0.2.aarch64  
    qpdf-devel-5.0.1-4.amzn2.0.2.aarch64  
    qpdf-debuginfo-5.0.1-4.amzn2.0.2.aarch64  
  
i686:  
    qpdf-5.0.1-4.amzn2.0.2.i686  
    qpdf-libs-5.0.1-4.amzn2.0.2.i686  
    qpdf-devel-5.0.1-4.amzn2.0.2.i686  
    qpdf-debuginfo-5.0.1-4.amzn2.0.2.i686  
  
noarch:  
    qpdf-doc-5.0.1-4.amzn2.0.2.noarch  
  
src:  
    qpdf-5.0.1-4.amzn2.0.2.src  
  
x86_64:  
    qpdf-5.0.1-4.amzn2.0.2.x86_64  
    qpdf-libs-5.0.1-4.amzn2.0.2.x86_64  
    qpdf-devel-5.0.1-4.amzn2.0.2.x86_64  
    qpdf-debuginfo-5.0.1-4.amzn2.0.2.x86_64  

Additional References

Red Hat: CVE-2021-25786, CVE-2021-36978

Mitre: CVE-2021-25786, CVE-2021-36978