Bug 738836 (CVE-2018-11797, CVE-2021-27807, CVE-2021-27906, CVE-2021-31811, CVE-2021-31812) - <dev-java/pdfbox-2.0.24: multiple DoS vulnerabilities (CVE-2018-11797, CVE-2021-{27807,27906,31811,31812})
Status: RESOLVED FIXED
Alias: CVE-2018-11797, CVE-2021-27807, CVE-2021-27906, CVE-2021-31811, CVE-2021-31812
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Keywords: PullRequest
Depends on: 803542 824042
Reported: 2020-08-24 16:03 UTC by Sam James
Modified: 2021-12-01 01:12 UTC (History)
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-24 16:03:56 UTC
* CVE-2018-11797

Description:
"In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-24 16:05:40 UTC
Patch: https://svn.apache.org/viewvc?view=revision&revision=1842278

Looks like 1.8.16 exists?
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-21 00:43:33 UTC
CVE-2021-27807:

A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.

CVE-2021-27906:

A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-12 12:35:14 UTC
CVE-2021-31811:

A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.

This issue is being tracked as PDFBOX-5177

CVE-2021-31812:

A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
Comment 4 Larry the Git Cow gentoo-dev 2021-11-16 08:37:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=660b5533eab8da0e2d14ac46a121ea903549fe3a

commit 660b5533eab8da0e2d14ac46a121ea903549fe3a
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-06-05 20:46:03 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-11-16 08:37:00 +0000

    dev-java/pdfbox: bump to 2.0.24 - CVE-2021-31812
    
    Bug: https://bugs.gentoo.org/738836
    Closes: https://bugs.gentoo.org/640118
    
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/pdfbox/Manifest                        |  40 ++++
 dev-java/pdfbox/files/2.0.24-tests-ignore.patch |  20 ++
 dev-java/pdfbox/metadata.xml                    |   4 +
 dev-java/pdfbox/pdfbox-2.0.24.ebuild            | 280 ++++++++++++++++++++++++
 4 files changed, 344 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-16 14:24:55 UTC
Please file a stablereq when ready.
Comment 6 Miroslav Šulc gentoo-dev 2021-11-26 07:58:50 UTC
We dropped the vulnerable version of pdfbox, so now we have only 2.0.24. Nonetheless, dropping the vulnerable version caused the package to drop to unstable. The pdfbox stabilization bug doesn't show any blockers, so it would be fine if it could be stabilized ASAP.
Comment 7 Miroslav Šulc gentoo-dev 2021-11-26 11:45:19 UTC
so tree clean, pdfbox-2.0.24 stable, so you can proceed :-)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-01 01:12:07 UTC
Thanks! DoS only (impact is low) so no GLSA. Thanks!