libitext-java: CVE-2021-37819

Debian Bug report logs - #1059318
Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Fri, 22 Dec 2023 14:00:02 UTC

Severity: normal

Tags: security, upstream

Fixed in version libitext-java/2.1.7-16

Done: tony mancill <tmancill@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1059318; Package src:libitext-java. (Fri, 22 Dec 2023 14:00:04 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 22 Dec 2023 14:00:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: libitext-java: CVE-2021-37819
Date: Fri, 22 Dec 2023 14:57:18 +0100
Source: libitext-java
X-Debbugs-CC: team@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for PdfReader, which
is embedded by libitext-java.

CVE-2021-37819[0]:
| PDF Labs pdftk-java v3.2.3 was discovered to contain an infinite
| loop via the component /text/pdf/PdfReader.java.

https://gitlab.com/pdftk-java/pdftk/-/merge_requests/21
https://gitlab.com/pdftk-java/pdftk/-/commit/75deacdf5c46fd4eefb310c784eb9dfdc7b9fdc9 (v3.3.0)
https://gitlab.com/pdftk-java/pdftk/-/commit/9b0cbb76c8434a8505f02ada02a94263dcae9247 (v3.3.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-37819
    https://www.cve.org/CVERecord?id=CVE-2021-37819

Please adjust the affected versions in the BTS as needed.



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 22 Dec 2023 20:09:47 GMT)


Message sent on to Moritz Mühlenhoff <jmm@inutil.org>:
Bug#1059318. (Sat, 23 Dec 2023 05:45:03 GMT)


Message #10 received at 1059318-submitter@bugs.debian.org:

From: Tony Mancill <noreply@salsa.debian.org>
To: 1059318-submitter@bugs.debian.org
Subject: Bug#1059318 marked as pending in libitext-java
Date: Sat, 23 Dec 2023 05:41:05 +0000
Control: tag -1 pending

Hello,

Bug #1059318 in libitext-java reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/java-team/libitext-java/-/commit/3c1c0e4631c70130d28d41647494629509251003

------------------------------------------------------------------------
Patch for infinite loop in PDF traversal CVE-2021-37819 (Closes: #1059318)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1059318



Added tag(s) pending. Request was from Tony Mancill <noreply@salsa.debian.org> to 1059318-submitter@bugs.debian.org. (Sat, 23 Dec 2023 05:45:03 GMT)


Reply sent to tony mancill <tmancill@debian.org>:
You have taken responsibility. (Sat, 23 Dec 2023 06:09:04 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 23 Dec 2023 06:09:04 GMT)


Message #17 received at 1059318-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1059318-close@bugs.debian.org
Subject: Bug#1059318: fixed in libitext-java 2.1.7-16
Date: Sat, 23 Dec 2023 06:04:04 +0000
Source: libitext-java
Source-Version: 2.1.7-16
Done: tony mancill <tmancill@debian.org>

We believe that the bug you reported is fixed in the latest version of
libitext-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1059318@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated libitext-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 22 Dec 2023 21:31:38 -0800
Source: libitext-java
Architecture: source
Version: 2.1.7-16
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Closes: 1059318
Changes:
 libitext-java (2.1.7-16) unstable; urgency=medium
 .
   * Team upload.
   * Patch for infinite loop in PDF traversal (Closes: #1059318)
     Addresses CVE-2021-37819
Checksums-Sha1:
 e6362d925079a5939b35966cb8d10cba37d46976 2255 libitext-java_2.1.7-16.dsc
 2dcd8b63a0967b355ce22fab8994bbc244f2b8ae 46276 libitext-java_2.1.7-16.debian.tar.xz
 18a3a0a7f3fb77f0c36ab690c44299e025a50779 12478 libitext-java_2.1.7-16_amd64.buildinfo
Checksums-Sha256:
 61c2bcb833d5e04746959f11e55ad01d3d585a1e39239a586040c4a05185bf05 2255 libitext-java_2.1.7-16.dsc
 c6b3b3716c367c644885d4c479eba56f6838c47365ae789bd5c011a5b4b4d920 46276 libitext-java_2.1.7-16.debian.tar.xz
 f873b1d1af9b4ea5807d925323ff526168403bad19f46e7f24c7070c24c7d80b 12478 libitext-java_2.1.7-16_amd64.buildinfo
Files:
 50f694e5b5f21839cd5713f3d116f7c4 2255 java optional libitext-java_2.1.7-16.dsc
 8c74b07f6c7c3c8af28c67543b9e15bf 46276 java optional libitext-java_2.1.7-16.debian.tar.xz
 057131a8327185f4c6b2e2ccff7c0f28 12478 java optional libitext-java_2.1.7-16_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEE5Qr9Va3SequXFjqLIdIFiZdLPpYFAmWGcssUHHRtYW5jaWxs
QGRlYmlhbi5vcmcACgkQIdIFiZdLPpY0UQ/+L5VZbCYWDfILzU8tpzD8fnrcks3T
P0Gy+skJ//x1zDrH5qQ1uluweMdg+crT95ZrNYlmq2zQQt3kLWC/Sp/KX2aPKeDp
TwfKPSimNq0smsdaQjEYqk26bRDs9H5YIebM/XutCuUKFuMAvqbRAH/zxCLhjW4K
yMm2kG9PkS0oCISRaCMyVipqMNbXzrOo/Fmg4latguNO1zcUBKAQrCcVothBMt2u
yl38rZp3pbdXHbT3WF8Igmr63Pqy8yaH5N2Mhl+79GDpqMmZnA+PBWlga+dWgCRZ
nlAmDqcrhhdwL0ROHSrciqaUsMeMMSl4ECzrzURltR5lN/Z/gagDh0Sz9zFCFSZF
iCArOz0dCOICR5YlX6Y75LXfwjzWK+p+4/C+n26L+Qz6b168PSyLRnybxl3KhCCh
nmmH/nYc/Q9gaHuiwk2aLR/cNsAiSoYt6VCxIZwPAqshiwqeboj5qrdv14JF9AAb
IW2EyA5xQTQP6eAJLOL3lycUcaWpPEAJSoX/xLqAVdv9Gs6CmYcDsl3JaB6th4Kj
cdN1KFGfc1TzWc/3QxZZYXCm3aiDugCse7EboP8liiiP1gAeL43XsAUAJTaXh8jo
nylQ8QAPrxNuQMgKgDyyi7+9pneSuyg7cPF3P/HfbrTBkRWOKyWNMggCxnbtYAL+
h4clkEwRF8tAFOI=
=DHqT
-----END PGP SIGNATURE-----





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Dec 23 08:19:00 2023; Machine Name: buxtehude
