libpdfbox-java: CVE-2018-8036

Related Vulnerabilities: CVE-2018-8036  

Debian Bug report logs - #902776

Reported by: Markus Koschany <apo@debian.org>

Date: Sat, 30 Jun 2018 18:51:02 UTC

Owned by: Markus Koschany <apo@debian.org>

Severity: important

Tags: security

Found in version libpdfbox-java/1:1.8.7+dfsg-1

Fixed in version libpdfbox-java/1:1.8.15-1

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#902776; Package libpdfbox-java. (Sat, 30 Jun 2018 18:51:04 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 30 Jun 2018 18:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: submit@bugs.debian.org
Subject: libpdfbox-java: CVE-2018-8036
Date: Sat, 30 Jun 2018 20:46:35 +0200
Package: libpdfbox-java
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libpdfbox-java.

CVE-2018-8036[0]:
Vendor:
The Apache Software Foundation

Versions Affected:
Apache PDFBox 1.8.0 to 1.8.14
Apache PDFBox 2.0.0 to 2.0.10
Earlier, unsupported Apache PDFBox versions may be affected as well

Description:
A carefully crafted (or fuzzed) file can trigger an infinite loop which
leads to an out of memory exception in Apache PDFBox's AFMParser.

Mitigation:
Upgrade to Apache PDFBox 1.8.15 respectively 2.0.11

Credit:
This issue was discovered by Tobias Ospelt


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8036
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8036

Please adjust the affected versions in the BTS as needed.

Markus


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#902776; Package libpdfbox-java. (Sat, 30 Jun 2018 18:54:18 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 30 Jun 2018 18:54:18 GMT)


Message #10 received at 902776@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 902776@bugs.debian.org
Subject: Re: Bug#902776: libpdfbox-java: CVE-2018-8036
Date: Sat, 30 Jun 2018 20:52:37 +0200
Control: owner -1 !

Owner recorded as Markus Koschany <apo@debian.org>. Request was from Markus Koschany <apo@debian.org> to 902776-submit@bugs.debian.org. (Sat, 30 Jun 2018 18:54:18 GMT)


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sat, 30 Jun 2018 19:54:05 GMT)


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Sat, 30 Jun 2018 19:54:05 GMT)


Message #17 received at 902776-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 902776-close@bugs.debian.org
Subject: Bug#902776: fixed in libpdfbox-java 1:1.8.15-1
Date: Sat, 30 Jun 2018 19:50:00 +0000
Source: libpdfbox-java
Source-Version: 1:1.8.15-1

We believe that the bug you reported is fixed in the latest version of
libpdfbox-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 902776@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated libpdfbox-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 30 Jun 2018 21:08:37 +0200
Source: libpdfbox-java
Binary: libpdfbox-java libpdfbox-java-doc libjempbox-java libjempbox-java-doc libfontbox-java libfontbox-java-doc
Architecture: source
Version: 1:1.8.15-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libfontbox-java - Java font library
 libfontbox-java-doc - Java font library (Documentation)
 libjempbox-java - XMP Compatible Java Library
 libjempbox-java-doc - XMP Compatible Java Library (documentation)
 libpdfbox-java - PDF library for Java
 libpdfbox-java-doc - PDF library for Java (documentation)
Closes: 902776
Changes:
 libpdfbox-java (1:1.8.15-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 1.8.15.
     - Fix CVE-2018-8036. (Closes: #902776)
   * Declare compliance with Debian Policy 4.1.4.
   * Switch to compat level 11.

Marked as found in versions libpdfbox-java/1:1.8.7+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Jul 2018 20:18:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 03 Aug 2018 07:29:34 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:00:42 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.