Vulnerabilities > CVE-2021-36978 - Out-of-bounds Write vulnerability in Qpdf Project Qpdf

CVSS 5.5 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

local

low complexity

qpdf-project

CWE-787

NVD

Published: 2021-07-20

Updated: 2024-01-15

Summary

QPDF 9.x through 9.1.1 and 10.x through 10.0.4 has a heap-based buffer overflow in Pl_ASCII85Decoder::write (called from Pl_AES_PDF::flush and Pl_AES_PDF::finish) when a certain downstream write fails.

Vulnerable Configurations

Part	Description	Count
Application	Qpdf_Project Qpdf Project Qpdf 10.0.0 Qpdf Project Qpdf 10.0.1 Qpdf Project Qpdf 10.0.2 Qpdf Project Qpdf 10.0.3 Qpdf Project Qpdf 10.0.4 Qpdf Project Qpdf 9.0.0 Qpdf Project Qpdf 9.0.1 Qpdf Project Qpdf 9.0.2 Qpdf Project Qpdf 9.1.0 Qpdf Project Qpdf 9.1.1	11

Common Weakness Enumeration (CWE)

CWE-787 - Out-of-bounds Write

References

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28262
https://github.com/qpdf/qpdf/commit/dc92574c10f3e2516ec6445b88c5d584f40df4e5
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qpdf/OSV-2020-2245.yaml
https://lists.debian.org/debian-lts-announce/2023/08/msg00037.html
https://github.com/qpdf/qpdf/issues/492
https://security.gentoo.org/glsa/202401-20