CVE-2018-9918

Published: 10 April 2018

libqpdf.a in QPDF through 8.0.2 mishandles certain "expected dictionary key but found non-name object" cases, allowing remote attackers to cause a denial of service (stack exhaustion), related to the QPDFObjectHandle and QPDF_Dictionary classes, because nesting in direct objects is not restricted.

Priority

Low

CVSS 3 base score: 7.8

Status

Package: qpdf (Launchpad, Ubuntu, Debian)

Release                            Status
Upstream                           Needs triage
Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable (8.0.2-3)
Ubuntu 16.04 ESM (Xenial Xerus)    Released (8.0.2-3~16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist (trusty was released [8.0.2-3~14.04.1])

Patches:
Upstream: https://github.com/qpdf/qpdf/commit/b4d6cf6836ce025ba1811b7bbec52680c7204223