Bug#902776: libpdfbox-java: CVE-2018-8036
Markus Koschany
apo at debian.org
Sat Jun 30 19:46:35 BST 2018
Package: libpdfbox-java
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for libpdfbox-java.
CVE-2018-8036[0]:
Vendor:
The Apache Software Foundation
Versions Affected:
Apache PDFBox 1.8.0 to 1.8.14
Apache PDFBox 2.0.0 to 2.0.10
Earlier, unsupported Apache PDFBox versions may be affected as well
Description:
A carefully crafted (or fuzzed) file can trigger an infinite loop which
leads to
an out of memory exception in Apache PDFBox's AFMParser.
Mitigation:
Upgrade to Apache PDFBox 1.8.15 respectively 2.0.11
Credit:
This issue was discovered by Tobias Ospelt
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-8036
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8036
Please adjust the affected versions in the BTS as needed.
Markus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-maintainers/attachments/20180630/56053267/attachment-0001.sig>
More information about the pkg-java-maintainers
mailing list