{"id":"CVE-2017-12595","details":"The tokenizer in QPDF 6.0.0 and 7.0.b1 is recursive for arrays and dictionaries, which allows remote attackers to cause a denial of service (stack consumption and segmentation fault) or possibly have unspecified other impact via a PDF document with a deep data structure, as demonstrated by a crash in QPDFObjectHandle::parseInternal in libqpdf/QPDFObjectHandle.cc.","modified":"2026-02-24T11:19:55.838958Z","published":"2017-08-27T15:29:00.200Z","related":["MGASA-2018-0145","SUSE-SU-2018:3066-1","SUSE-SU-2018:3066-2","openSUSE-SU-2024:11289-1"],"references":[{"type":"WEB","url":"https://usn.ubuntu.com/3638-1/"},{"type":"ADVISORY","url":"https://github.com/qpdf/qpdf/commit/ad527a64f93dca12f6aabab2ca99ae5eb352ab4b"},{"type":"ADVISORY","url":"https://github.com/qpdf/qpdf/issues/146"},{"type":"REPORT","url":"https://github.com/qpdf/qpdf/commit/ad527a64f93dca12f6aabab2ca99ae5eb352ab4b"},{"type":"REPORT","url":"https://github.com/qpdf/qpdf/issues/146"},{"type":"FIX","url":"https://github.com/qpdf/qpdf/commit/ad527a64f93dca12f6aabab2ca99ae5eb352ab4b"},{"type":"FIX","url":"https://github.com/qpdf/qpdf/issues/146"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/qpdf/qpdf","events":[{"introduced":"0"},{"fixed":"ad527a64f93dca12f6aabab2ca99ae5eb352ab4b"}]}],"versions":["release-qpdf-2.0","release-qpdf-2.0.1","release-qpdf-2.0.2","release-qpdf-2.0.3","release-qpdf-2.0.4","release-qpdf-2.0.5","release-qpdf-2.0.6","release-qpdf-2.1","release-qpdf-2.1.1","release-qpdf-2.1.2","release-qpdf-2.1.3","release-qpdf-2.1.4","release-qpdf-2.1.5","release-qpdf-2.1.rc1","release-qpdf-2.2.0","release-qpdf-2.2.1","release-qpdf-2.2.2","release-qpdf-2.2.3","release-qpdf-2.2.4","release-qpdf-2.2.rc1","release-qpdf-2.3.0","release-qpdf-2.3.1","release-qpdf-3.0.0","release-qpdf-3.0.1","release-qpdf-3.0.2","release-qpdf-3.0.rc1","release-qpdf-4.0.0","release-qpdf-4.0.1","release-qpdf-4.1.0","release-qpdf-4.2.0","release-qpdf-5.0.0","release-qpdf-5.0.1","release-qpdf-5.1.0","release-qpdf-5.1.1","release-qpdf-5.1.2","release-qpdf-5.1.3","release-qpdf-5.2.0","release-qpdf-6.0.0","release-qpdf-7.0.b1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-12595.json","vanir_signatures":[{"target":{"file":"libqpdf/QPDFObjectHandle.cc","function":"QPDFObjectHandle::parse"},"signature_type":"Function","id":"CVE-2017-12595-0b7f480a","source":"https://github.com/qpdf/qpdf/commit/ad527a64f93dca12f6aabab2ca99ae5eb352ab4b","digest":{"function_hash":"127423270575725266261908987106965242072","length":218},"deprecated":false,"signature_version":"v1"},{"target":{"file":"libqpdf/QPDFObjectHandle.cc","function":"QPDFObjectHandle::parseInternal"},"signature_type":"Function","id":"CVE-2017-12595-203bb0e8","source":"https://github.com/qpdf/qpdf/commit/ad527a64f93dca12f6aabab2ca99ae5eb352ab4b","digest":{"function_hash":"222376292313288362129861388753324986043","length":5636},"deprecated":false,"signature_version":"v1"},{"target":{"file":"libqpdf/QPDFObjectHandle.cc","function":"QPDFObjectHandle::parseContentStream_internal"},"signature_type":"Function","id":"CVE-2017-12595-5c63f44f","source":"https://github.com/qpdf/qpdf/commit/ad527a64f93dca12f6aabab2ca99ae5eb352ab4b","digest":{"function_hash":"68592896909743010763412756146628506893","length":1458},"deprecated":false,"signature_version":"v1"},{"target":{"file":"include/qpdf/QPDFObjectHandle.hh"},"signature_type":"Line","id":"CVE-2017-12595-7a3d9616","source":"https://github.com/qpdf/qpdf/commit/ad527a64f93dca12f6aabab2ca99ae5eb352ab4b","digest":{"line_hashes":["219956508091858809604694169978602165008","183449769428269352412655741867116949445","65439156689056502178631498475609254605","119451281774679039159845983246789776360"],"threshold":0.9},"deprecated":false,"signature_version":"v1"},{"target":{"file":"libqpdf/QPDFObjectHandle.cc"},"signature_type":"Line","id":"CVE-2017-12595-7ecd2010","source":"https://github.com/qpdf/qpdf/commit/ad527a64f93dca12f6aabab2ca99ae5eb352ab4b","digest":{"line_hashes":["232174649075202836631461316134148150395","145952873503310517240815600129548064092","97364157728667136849273872668994176638","6261263861378634083320536242348531313","268155269199293532695661716444198521625","296443984968267620017845295171909968275","28535131635528644516548287529418955214","144850379068327068009638046305007679369","1965188413788149435555065872843187202","219956508091858809604694169978602165008","292636102528142126901972740312866098428","104422238211848259501336140502658667837","294437549169171542605917387793588991414","189091518735567102081159475736007204454","204446386505657463960359147467834174375","270522005808720460731852180257597171120","52408171288945582620100640851335529978","233467964746630886847768155630105903963","304939674191254631990094351064929272958","91321467866254524838216617329231100706","59919551074254168067004201733601351250","29933515717441277442806117211624454282","153527779988573939433559540530303253148","285960692880156193593443462548527968152","223254257529289896208624893330293186275","77948462109188685167000092770892151260","243509852278844034422311980165702614643","183939847686939820270656451285597714488","98920664930856797169233130797289898578","112560685421528488238336364242271594516","31197558713345235217285535697449879608","1896485810543571314408608412698828830","59285179261078776805298300393097674692","99376791372800036143274708340545802560","32235961380874227696006923550489421684","184335502457884113135630818802898564515","198527567135117949402129102421742359992","110015142695224074098406028947191341190","291844216169507210439119260582004165527","112218546347294582522671630571092078979","273579553806662043900205371706229416425","184335502457884113135630818802898564515","198527567135117949402129102421742359992","239182554172023253005678911140780725512","190937513617141871541593069857921077795","265376192355037001604451631962269275614","242291106990548019185377967700437159534","95464805250088954938400000201358777546","112458573969558981603707259353001599655","272182014161423361618614005554291578749","42226576701191472889259666537970159487","214824190056860831019984509713790758166","26695030923960508493086932717982393431","124819534853171869512160114358382236188","247064575218474560204573918366836341987","234738518821257734802709418851557062271","272247659572680487013308964690398013036","229203804308286596544755326869306199507","12381271891681683301765390928714387245","192544016779172590558541851165711353860","193263649083308106186652522482938089351","216169773093610768407027200007919190409","43692537748959223118374389680315080202","107179447296981242461048127833720033480","275920083895187377091442508617851327354","60031835826907739039690130478627567559","79020974452942336665653674621906445840","135970779399186575047772073870847669902","311876120263857661185081451427950518092","235120213703718655305862422733303859605","850860574685209550758573172653302977","156448082129724727736779583749890937614","115375199637434935815372834047808163644","176138644337273694347125360757453609211","238433655882357577667622849129577959775","110675323525682837101678994628717170167","163228645416198082892570901040431616486","198191628059118952803841353026556122773","59507541619778250721475401421089583722","14123127897050263802892312456346357108","144710694673886013371378034448706266660","205501626892865448222663588877168995954","14398401520333134002850665820964721573","73699900604113038576067076205734668163","79980670186139052742732445548955072854","166829179078620445586807317704615861747","237610873502780496956306138921298749172","172494128936118137009216269231191638161","42913227040228358617679774208458367588","151428728523419797002458951004233075962","261814948250193510698912057627340989263","154179677370428159078082266259553103261","87896345258467210021260469094662815796","160493410317030315919715827995595409542","236175701671116999952098044787186969206","328814765142478214523892049232127886494","130822994288029306716723303906346213396","26651007443051483864983760988737712309","95247601878301933483756242361104446419","259285742247316936525055020253223213432","204422438819122951784377214644760606060","262383201654687490596148727872427971450","57549250819219467828428853466961559594","228286368446343468999845728402973958076","186770363879254020217125646465873217684","178128353701369822568193167947727676150","103935347148426900325689988997923063029","147246315781464470918828045354289534597","302606117294457827836233885017611877296","155515849574381401407360066731143648989","72089665299360914465227826167877282361","34116638281833288940181539800214871074","23973918794109250339680801418633918205","327134164841529362425513430471389198721","240151603759239692139826021230641666929","121776043016191788712412397058531691487","298781128901881220867478430167871896981","96107493789940552444969538321075398672","142292056391247367609242569685748760614","98401972256982361849720499769408331904","261926884824435614219713212637594693023","62841273296586481178094212031328834945","115587728255974303156958050585784214922","335388267505039709404067078223458405460","220644505213764829765037323799449504728","222625398227126390745711116627052105256","37831621269379359845137503573431663220","118115584580906901161318873282047897487","18794312942661344241057624291545833980","7156647395150868665141129910797201740","339176404015242179365116072918832235144","237698600389914363892746365344231916127","217566172507050875130672382841976737379","273190181610603392596736431254723135733","103635486623274555741499828845810350574","116695397805206400907015739896483028265","225274403924603693739798073911464472198","165629998823299512055679060210609091032","222625398227126390745711116627052105256","91649197599389080436370914772081622543","28006643148232508419239684546739034163","218739745706203140490484939476962351020","128216110684401323881093071862097734889","193738863799458687694796948255712056600","174387218020391429395312758980650505852","129254687107910683014279813401619672642","305819501068621745411397029534841394754","247933152075315470992166022753387193669","101272720408140137317144192430112748157","37626054000095117711177146641087493159","38631461410191116912460103536762208627","304284217174687221795202092754144145001","293971089912658017669462810780988985346"],"threshold":0.9},"deprecated":false,"signature_version":"v1"}]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}