A carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.
Versions Affected:
Apache PDFBox 1.8.0 to 1.8.14
Apache PDFBox 2.0.0 to 2.0.10
Earlier, unsupported Apache PDFBox versions may be affected as well
Gentoo Security Scout
Florian Schuhmacher
Fixed in version 1.8.15, https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310760&version=12343070
@maintainer(s): anyone considering bulk stabilization for dev-java/* to handle the mounting security bugs? Just asking... as several are still unconfirmed yet fixes are available for later versions.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=912353d609d58ac29c5d9aa2f39259dcaebd2d2a
commit 912353d609d58ac29c5d9aa2f39259dcaebd2d2a
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-09-11 12:17:28 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-09-11 12:17:28 +0000
    dev-java/pdfbox: bump to v1.8.15
    Bug: https://bugs.gentoo.org/659648
    Package-Manager: Portage-2.3.49, Repoman-2.3.10
 dev-java/pdfbox/Manifest             |  1 +
 dev-java/pdfbox/pdfbox-1.8.15.ebuild | 78 ++++++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
@arches, please stabilize.
amd64 stable
x86 stable
Looking good on ppc64.
# cat pdfbox-659648.report
USE tests started on Fr 7. Dez 23:42:39 CET 2018
FEATURES=' test' USE='' succeeded for =dev-java/pdfbox-1.8.15
USE='-doc -source' succeeded for =dev-java/pdfbox-1.8.15
USE='doc -source' succeeded for =dev-java/pdfbox-1.8.15
USE='-doc source' succeeded for =dev-java/pdfbox-1.8.15
USE='doc source' succeeded for =dev-java/pdfbox-1.8.15
revdep tests started on Sa 8. Dez 00:03:04 CET 2018
FEATURES=' test' USE='' succeeded for dev-tex/pdfannotextractor
ppc64 stable
@maintainer, please clean.
tree is clean