CVE-2021-36978 : Security Advisory and Response

QPDF 9.x through 9.1.1 and 10.x through 10.0.4 has a heap-based buffer overflow in Pl_ASCII85Decoder::write (called from Pl_AES_PDF::flush and Pl_AES_PDF::finish) when a certain downstream write fails.

Understanding CVE-2021-36978

This CVE involves a heap-based buffer overflow vulnerability in QPDF versions 9.x through 9.1.1 and 10.x through 10.0.4.

What is CVE-2021-36978?

CVE-2021-36978 is a vulnerability in QPDF that allows an attacker to trigger a heap-based buffer overflow by exploiting specific functions within the software.

The Impact of CVE-2021-36978

This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target system, potentially leading to a complete compromise of the system's security.

Technical Details of CVE-2021-36978

The technical details of CVE-2021-36978 include:

Vulnerability Description

The vulnerability arises in the Pl_ASCII85Decoder::write function, which is called from Pl_AES_PDF::flush and Pl_AES_PDF::finish, when a particular downstream write operation fails.

Affected Systems and Versions

QPDF versions 9.x through 9.1.1 and 10.x through 10.0.4 are affected by this vulnerability.

Exploitation Mechanism

An attacker can exploit this vulnerability by triggering the heap-based buffer overflow in the specified functions of the affected QPDF versions.

Mitigation and Prevention

To address CVE-2021-36978, follow these steps:

Immediate Steps to Take

Update QPDF to a patched version that addresses the buffer overflow vulnerability.
Monitor security advisories from QPDF for any further updates.

Long-Term Security Practices

Implement regular software updates and patch management procedures.
Conduct security testing and code reviews to identify vulnerabilities.

Patching and Updates

Refer to the following resources for patches and updates:

QPDF GitHub Issue
QPDF GitHub Commit
OSV-2020-2245.yaml
Debian Security Update
Gentoo GLSA-202401-20 Advisory