#15176 closed enhancement (fixed)
PDFBOX (used by fop) 2.0.24
| Reported by: | Owned by: | Douglas R. Reno | |
|---|---|---|---|
| Priority: | elevated | Milestone: | 11.0 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description ¶
From the oss-security list: Description:
A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
This issue is being tracked as PDFBOX-5177
Mitigation:
This issue was fixed in 2.0.24. All users are recommended to upgrade to Apache PDFBox 2.0.24
Credit:
Apache PDFBox would like to thank Chaoyuan Peng for reporting this issue
That shows it is CVE-2021-31812
Although we do not list pdfbox in our index, 2.0.23 is a required download on the fop page.
Change History (6)
comment:1 by , 4 years ago
comment:2 by , 4 years ago
CVE-2021-31812
Description: A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions. Mitigation: This issue was fixed in 2.0.24. All users are recommended to upgrade to Apache PDFBox 2.0.24 Credit: Apache PDFBox would like to thank Chaoyuan Peng for reporting this issue References: https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E
CVE-2021-31811
Description: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions. This issue is being tracked as PDFBOX-5177 Mitigation: This issue was fixed in 2.0.24. All users are recommended to upgrade to Apache PDFBox 2.0.24 Credit: Apache PDFBox would like to thank Chaoyuan Peng for reporting this issue References: https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e%40%3Cusers.pdfbox.apache.org%3E
comment:3 by , 4 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:4 by , 4 years ago
Release Notes -- Apache PDFBox -- Version 2.0.24 Introduction ------------ The Apache PDFBox library is an open source Java tool for working with PDF documents. This is an incremental bugfix release based on the earlier 2.0.23 release. It contains a couple of fixes and small improvements. For more details on these changes and all the other fixes and improvements included in this release, please refer to the following issues on the PDFBox issue tracker at https://issues.apache.org/jira/browse/PDFBOX. Bug [PDFBOX-5051] - Slow rendering for specific PDF file [PDFBOX-5134] - Very slow rendering on PageDrawer.shadingFill [PDFBOX-5135] - Glyphs missed in rendering [PDFBOX-5137] - Wrong classification of an JPEG image leading to a blank image added to a pdf document [PDFBOX-5138] - Embedded files not extracted from PDF files with multilevel EmbeddedFiles tree [PDFBOX-5150] - 3.0.0-RC1: PDComboBox.setValue() throws IllegalArgumentException: /DA is a required entry [PDFBOX-5151] - Issue with COSObjectKey::fixGeneration [PDFBOX-5155] - Error extracting text from PDF - Can't read the embedded Type1 font FDFBJU+NewsGothic [PDFBOX-5156] - Error in identification of PDF comment symbol % as a token separator with PDF names [PDFBOX-5163] - Stack overflow when reading a corrupt dictionary [PDFBOX-5168] - dash pattern [0] should be invisible [PDFBOX-5175] - Behaviour change in 2.0.20 due to use of IOUtils.populateBuffer in SecurityHandler.prepareAESInitializationVector leading to IOException for certain PDF [PDFBOX-5176] - java.io.IOException: Page tree root must be a dictionary [PDFBOX-5180] - Snapshot Deploy not working [PDFBOX-5187] - TSAClient with username+password [PDFBOX-5188] - COSOutputStream.flush doesn't call super [PDFBOX-5190] - BaseParser: stack overflow when reading a corrupt pdf [PDFBOX-5191] - isEmbeddingPermitted() is too restrictive on TTFs with OS2 table versions 0-2 [PDFBOX-5192] - Wild rendering when repeating truetype glyph flag is outside of range [PDFBOX-5193] - v2.0.22 and v3.0.0-RC1 PDF Debugger app crashes with java.lang.NullPointerException [PDFBOX-5194] - CreateCheckBox example draws too large, clipped checkmark [PDFBOX-5196] - Wrong color space detected for some Jpeg images [PDFBOX-5199] - Possible memory leak after calling decode filter [PDFBOX-5204] - Ink annotation not rendered Improvement [PDFBOX-5093] - Pass PDFRenderer to PDFPrintable constructor [PDFBOX-5141] - Create tests for HelloWorld examples [PDFBOX-5145] - Faster PDImageXObject.applyMask [PDFBOX-5154] - Custom folder for fonts in FontMapper [PDFBOX-5157] - allow to make timestamp only signature "LTV" [PDFBOX-5164] - Create portable collection PDF [PDFBOX-5177] - Optimize memory footprint of PDFObjectStreamParser [PDFBOX-5183] - Add getter/setter for suppressDuplicateOverlappingText in PDFMarkedContentExtractor [PDFBOX-5200] - Cache PageTree in PDFPrintable [PDFBOX-5201] - Add Adobe Illustrator COSNames [PDFBOX-5208] - Make constructors of CIDSystemInfo and PDPanoseClassification public Wish [PDFBOX-5198] - When merging multiple pdf ua documents, Tags become nested Task [PDFBOX-5133] - Failing testFlattenPDFBox2469Filled on Ubuntu [PDFBOX-5184] - Add test for PDFMarkedContentExtractor class [PDFBOX-5186] - Create test for CreateGradientShadingPDF
comment:5 by , 4 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed at e3b75e1853dd78789378a88863205b76f931984a
Security Advisory added as well
Note:
See TracTickets
for help on using tickets.
CVE-2021-31812 is for an infinite loop. CVE-2021-31811 is for the OutOfMemory exception