Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 659648 (CVE-2018-8036) - <dev-java/pdfbox-1.8.15: infinite loop in AFMParser.java allows for out of memory erros via crafted PDF (CVE-2018-8036)
Summary: <dev-java/pdfbox-1.8.15: infinite loop in AFMParser.java allows for out of me...
Status: RESOLVED FIXED
Alias: CVE-2018-8036
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Deadline: 2018-09-16
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2018/q2/254
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-30 07:53 UTC by Florian Schuhmacher
Modified: 2019-03-10 04:58 UTC (History)
1 user (show)

See Also:
Package list:
=dev-java/pdfbox-1.8.15
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Schuhmacher 2018-06-30 07:53:58 UTC
A carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser. 

Versions Affected:
Apache PDFBox 1.8.0 to 1.8.14
Apache PDFBox 2.0.0 to 2.0.10
Earlier, unsupported Apache PDFBox versions may be affected as well

Gentoo Security Scout
Florian Schuhmacher
Comment 1 D'juan McDonald (domhnall) 2018-09-08 00:59:22 UTC
Fixed in version 1.8.15,

https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310760&version=12343070

@maintainer(s): any one considering bulk stabilization for dev-java/* to handle the mounting security bugs? Just asking... as several are still unconfirmed yet fixes are available for later versions.
Comment 2 Larry the Git Cow gentoo-dev 2018-09-11 12:17:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=912353d609d58ac29c5d9aa2f39259dcaebd2d2a

commit 912353d609d58ac29c5d9aa2f39259dcaebd2d2a
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-09-11 12:17:28 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-09-11 12:17:28 +0000

    dev-java/pdfbox: bump to v1.8.15
    
    Bug: https://bugs.gentoo.org/659648
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 dev-java/pdfbox/Manifest             |  1 +
 dev-java/pdfbox/pdfbox-1.8.15.ebuild | 78 ++++++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-11-29 21:45:01 UTC
@arches, please stabilize.
Comment 4 Agostino Sarubbo gentoo-dev 2018-12-04 11:57:26 UTC
amd64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-07 02:42:59 UTC
x86 stable
Comment 6 ernsteiswuerfel archtester 2018-12-07 23:05:31 UTC
Looking good on ppc64.

# cat pdfbox-659648.report 
USE tests started on Fr 7. Dez 23:42:39 CET 2018

FEATURES=' test' USE='' succeeded for =dev-java/pdfbox-1.8.15
USE='-doc -source' succeeded for =dev-java/pdfbox-1.8.15
USE='doc -source' succeeded for =dev-java/pdfbox-1.8.15
USE='-doc source' succeeded for =dev-java/pdfbox-1.8.15
USE='doc source' succeeded for =dev-java/pdfbox-1.8.15

revdep tests started on Sa 8. Dez 00:03:04 CET 2018

FEATURES=' test' USE='' succeeded for dev-tex/pdfannotextractor
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-12-08 10:55:40 UTC
ppc64 stable
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2019-03-10 04:14:06 UTC
@maintainer, please clean.
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2019-03-10 04:58:51 UTC
tree is clean