* CVE-2018-11797 Description: "In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree."
Patch: https://svn.apache.org/viewvc?view=revision&revision=1842278 Looks like 1.8.16 exists?
CVE-2021-27807: A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox Apache PDFBox version 2.0.22 and prior 2.0.x versions. CVE-2021-27906: A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox Apache PDFBox version 2.0.22 and prior 2.0.x versions.
CVE-2021-31811: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions. This issue is being tracked as PDFBOX-5177 CVE-2021-31812: A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=660b5533eab8da0e2d14ac46a121ea903549fe3a commit 660b5533eab8da0e2d14ac46a121ea903549fe3a Author: Volkmar W. Pogatzki <gentoo@pogatzki.net> AuthorDate: 2021-06-05 20:46:03 +0000 Commit: Miroslav Šulc <fordfrog@gentoo.org> CommitDate: 2021-11-16 08:37:00 +0000 dev-java/pdfbox: bump to 2.0.24 - CVE-2021-31812 Bug: https://bugs.gentoo.org/738836 Closes: https://bugs.gentoo.org/640118 Package-Manager: Portage-3.0.18, Repoman-3.0.2 Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net> Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org> dev-java/pdfbox/Manifest | 40 ++++ dev-java/pdfbox/files/2.0.24-tests-ignore.patch | 20 ++ dev-java/pdfbox/metadata.xml | 4 + dev-java/pdfbox/pdfbox-2.0.24.ebuild | 280 ++++++++++++++++++++++++ 4 files changed, 344 insertions(+)
Please file a stablereq when ready.
we dropped the vulnerable version of pdfbox so now we have only 2.0.24. nonetheless, the drop of the vulnerable version caused drop of the package to unstable. the pdfbox stabilization bug doesn't show any blockers so it would be fine if it could be stabilized asap.
so tree clean, pdfbox-2.0.24 stable, so you can proceed :-)
Thanks! DoS only (impact is low) so no GLSA. Thanks!