Bug#986006: libpdfbox2-java: CVE-2021-27807

tony mancill tmancill at debian.org
Mon Apr 5 17:37:41 BST 2021


On Sat, Mar 27, 2021 at 07:52:37PM +0100, Salvatore Bonaccorso wrote:
> Source: libpdfbox2-java
> Version: 2.0.22-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi Salvatore,

I'm continuing our thread from 986008, but switching over to the BTS entry
986006 for CVE-2021-27807 to try to cut down on confusion between the CVEs.
Below is why I marked this bug as fixed in 2.0.23-1.  I haven't yet
identified the exact commit(s), but will update the bug if I can locate them.

From https://pdfbox.apache.org/#news:

> CVE-2021-27807, CVE-2021-27906 Infinite loop and OutOfMemory
> 2021-03-20
> CVE-2021-27807: A carefully crafted PDF file can trigger an infinite loop while loading the file.
> 
> CVE-2021-27906: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file.
> 
> Versions Affected: Apache PDFBox <= 2.0.22
> 
> Mitigation: Upgrade to Apache PDFBox 2.0.23

Note that others have drawn the same conclusion from the announcement -
e.g. https://github.com/apache/ofbiz-framework/commit/df69401118c99896432b417690f2229bc757072c

Thanks,
tony