Bug#986008: libpdfbox2-java: CVE-2021-27906

tony mancill tmancill at debian.org
Mon Apr 5 05:05:06 BST 2021


On Sat, Mar 27, 2021 at 07:54:11PM +0100, Salvatore Bonaccorso wrote:
> Source: libpdfbox2-java
> Version: 2.0.22-1
> Severity: important
> Tags: security upstream
> Forwarded: https://issues.apache.org/jira/browse/PDFBOX-5112
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

I took a look at this and I think the best thing to do for our users is
to upload 2.0.23 instead of trying to backport just the CVE changes
from this set of commits [1].

The 2.0.23 package builds without any other changes and doesn't
introduce any API changes [2].  This will address both CVE-2021-27807
and CVE-2021-27906.

I have an upload ready (using DEP-14 branches, so it won't change
master).  I originally considered uploading 2.0.23 to experimental due
to the freeze, but I think it should go to unstable and then we can
discuss what we do for bullseye.

Concerns?

Thanks,
tony

[1] https://github.com/apache/pdfbox/compare/2.0.22...2.0.23
[2] japi-compliance-checker against resulting JARs:

$ japi-compliance-checker 2.0.22/usr/share/java/pdfbox2-2.0.22.jar 2.0.23/usr/share/java/pdfbox2-2.0.23.jar 
Preparing, please wait ...
Using Java 15.0.2
Reading classes 2.0.22 ...
Reading classes 2.0.23 ...
Comparing classes ...
Creating compatibility report ...
Binary compatibility: 100%
Source compatibility: 100%
Total binary compatibility problems: 0, warnings: 0
Total source compatibility problems: 0, warnings: 0
Report: compat_reports/pdfbox2-/2.0.22_to_2.0.23/compat_report.html

$ japi-compliance-checker 2.0.22/usr/share/java/pdfbox2-tools-2.0.22.jar 2.0.23/usr/share/java/pdfbox2-tools-2.0.23.jar
Preparing, please wait ...
Using Java 15.0.2
Reading classes 2.0.22 ...
Reading classes 2.0.23 ...
Comparing classes ...
Creating compatibility report ...
Binary compatibility: 100%
Source compatibility: 100%
Total binary compatibility problems: 0, warnings: 0
Total source compatibility problems: 0, warnings: 0
Report: compat_reports/pdfbox2-tools/2.0.22_to_2.0.23/compat_report.html