Bin2415

#21850 of 53,632
10.8 Total CVSS
Vulnerabilities · 2
Medium
2
PT-2023-12077
5.3
2021-07-29
Qpdf · Qpdf · CVE-2021-25786
**Name of the Vulnerable Software and Affected Versions**
QPDF version 10.0.4

**Description**
An issue was discovered in QPDF, allowing remote attackers to execute arbitrary code via a crafted .pdf file. The `Pl_ASCII85Decoder::write` function in libqpdf is vulnerable to this attack.

**Recommendations**
For QPDF version 10.0.4, consider disabling the `Pl_ASCII85Decoder::write` function until a patch is available to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2021-21416
5.5
2020-12-23
Qpdf · Qpdf · CVE-2021-36978
**Name of the Vulnerable Software and Affected Versions**
QPDF versions 9.x through 9.1.1
QPDF versions 10.x through 10.0.4

**Description**
The issue is a heap-based buffer overflow in `Pl_ASCII85Decoder::write`, which is called from `Pl_AES_PDF::flush` and `Pl_AES_PDF::finish`, occurring when a certain downstream write fails.

**Recommendations**
For QPDF versions 9.x through 9.1.1, update to a version later than 9.1.1 to resolve the issue. For QPDF versions 10.x through 10.0.4, update to a version later than 10.0.4 to resolve the issue. As a temporary workaround, consider restricting the use of the `Pl_ASCII85Decoder::write` function until a patch is available.