pdfbox-users mailing list archives

From Tilman Hausherr <THaush...@t-online.de>
Subject Re: [ANNOUNCE] Apache PDFBox 2.0.8 released
Date Tue, 07 Nov 2017 19:37:22 GMT
I'd reluctantly agree on the first one (PDFBOX-3919, although this is a 
6 year old risk). But not on any issues with NPE or CCE. I think I've 
fixed 10-20 of such in each version. Many of them as part of code 
cleanup, only a few from user reports. Doing a CVE for each of them 
would mean days of work. And such an exception wouldn't hurt the system. 
Tomcat doesn't crash when a servlet breaks. Other tools could simply 
catch the throwable. OTOH an endless loop is more evil, the system would 
slowly die or block.

I need to read this and collect the information needed.

https://www.apache.org/security/committers.html



Tilman

Am 06.11.2017 um 16:34 schrieb davidedillard@gmail.com:
> Hi,
>
> A vulnerability is anything that an attacker could do that affects the confidentiality,
> integrity or availability of the application, commonly known as CIA (see https://en.wikipedia.org/wiki/Information_security#Key_concepts).
>
> An infinite loop is a denial of service (affecting availability) as the thread is looping
> instead of returning and being responsive.  Here's one example: https://nvd.nist.gov/vuln/detail/CVE-2016-4008
> Just google "cve infinite loop" and you'll see many others.  Similarly, crashes caused by
> attacker provided input are a denial of service as well (keep in mind that an attacker can
> be a legitimate user).
>
> A CNA is a CVE numbering authority, they are authorized to manage the publication of
> CVEs into a centralized database of vulnerabilities (CVEs are a way of uniquely identifying
> vulnerabilities).  See https://cve.mitre.org/cve/request_id.html#cna_coverage and https://www.apache.org/security/
>
>
> Regards,
>
> David
>
>
> On 2017-11-03 14:59, Tilman Hausherr <THausherr@t-online.de> wrote:
>> Am 03.11.2017 um 18:28 schrieb davidedillard@gmail.com:
>>> Hi,
>>>
>>> At least three of these issues appear to be vulnerabilities (probably more),
>>> any chance of getting CVEs assigned to them?  Apache is a CNA now so I'd think it wouldn't
>>> be too much trouble.
>>>
>>> The issues I see as being vulnerabilities are PDFBOX-3919, PDFBOX-3949 and PDFBOX-3976.
>> What's your definition of "vulnerability"? The first is an endless loop,
>> the other two are NPEs. And what is a "CNA"?
>>
>> Tilman
>>
>>
>>>
>>> Thanks,
>>>
>>> David
>>>
>>>
>>> On 2017-11-03 02:19, Andreas Lehmkuehler <andreas@lehmi.de> wrote:
>>>> The Apache PDFBox community is pleased to announce the release of
>>>> Apache PDFBox version 2.0.8. The release is available for download at:
>>>>
>>>> http://pdfbox.apache.org/download.cgi
>>>>
>>>> See the full release notes below for details about this release.
>>>>
>>>> Release Notes -- Apache PDFBox -- Version 2.0.8
>>>>
>>>> Introduction
>>>> ------------
>>>>
>>>> The Apache PDFBox library is an open source Java tool for working with PDF
>>>> documents.
>>>>
>>>> This is an incremental bugfix release based on the earlier 2.0.7 release. It
>>>> contains a couple of fixes and small improvements.
>>>>
>>>> For more details on these changes and all the other fixes and improvements
>>>> included in this release, please refer to the following issues on the
>>>> PDFBox issue tracker at https://issues.apache.org/jira/browse/PDFBOX.
>>>>
>>>> Bug
>>>>
>>>> [PDFBOX-3424] - Regression from 1.8.10: IOException: XREF for 171:0 points to wrong object: 173:0
>>>> [PDFBOX-3639] - FDF does not parse: Missing root object specification in trailer.
>>>> [PDFBOX-3874] - /Fontinfo instead of /FontInfo in type 1 font
>>>> [PDFBOX-3881] - Handling of Byte Order Mark with Metadata-Fields
>>>> [PDFBOX-3884] - GlyphList registers "wrong" Adobe name for "U+02DC SMALL TILDE"
>>>> [PDFBOX-3887] - Getting a "DataFormatException: invalid distance too far back" exception for the attached file
>>>> [PDFBOX-3894] - NPE on org.apache.pdfbox.pdmodel.PDPageTree.isPageTreeNode
>>>> [PDFBOX-3896] - UnsupportedOperationException
>>>> [PDFBOX-3898] - AcroFields' PDTextField (and others?) can have kids
>>>> [PDFBOX-3909] - End of inline image not detected
>>>> [PDFBOX-3913] - Japanese URI improperly decoded
>>>> [PDFBOX-3914] - LayerUtility ignores OCProperties on import
>>>> [PDFBOX-3916] - NPE on org.apache.pdfbox.pdmodel.font.PDType0Font.readEncoding
>>>> [PDFBOX-3919] - Infinite loop while parsing (2)
>>>> [PDFBOX-3923] - Expected a long type at offset 52152, instead got 'xref'
>>>> [PDFBOX-3925] - QUADDING constants no longer public
>>>> [PDFBOX-3928] - IllegalArgumentException: root cannot be null with truncated file
>>>> [PDFBOX-3929] - Border style dictionary width ignored by Adobe Reader when float
>>>> [PDFBOX-3930] - replace deprecated TBSCertificateStructure
>>>> [PDFBOX-3932] - Image with predictor 15 not rendered correctly
>>>> [PDFBOX-3934] - Page missing
>>>> [PDFBOX-3935] - DataFormatException: invalid stored block lengths
>>>> [PDFBOX-3936] - IllegalArgumentException: root cannot be null with truncated file (2)
>>>> [PDFBOX-3937] - NPE in PDCIDFontType2 constructor
>>>> [PDFBOX-3940] - Lost metadata in 2.0.8-SNAPSHOT
>>>> [PDFBOX-3942] - ClassCastException in getOptionalContentGroups
>>>> [PDFBOX-3943] - /Helv entry in /DR not created if /DR exists
>>>> [PDFBOX-3946] - NPE in PDActionURI.getURI() if URI doesn't exist
>>>> [PDFBOX-3947] - ArrayIndexOutOfBoundsException in bfSearchForObjStreams
>>>> [PDFBOX-3948] - NumberFormatException in bfSearchForObjStreams
>>>> [PDFBOX-3949] - NPE in bfSearchForObjStreams
>>>> [PDFBOX-3950] - NPE in PageIterator.enqueueKids
>>>> [PDFBOX-3955] - new -- very slow processing on truncated PDF
>>>> [PDFBOX-3957] - Pages lost
>>>> [PDFBOX-3958] - UTF-16 (BE) URI improperly decoded
>>>> [PDFBOX-3959] - DataFormatException: invalid code lengths set with truncated file
>>>> [PDFBOX-3963] - ClassCastException in PDCIDFont.readVerticalDisplacements()
>>>> [PDFBOX-3965] - Truetype Font glyphs not rendered
>>>> [PDFBOX-3967] - IllegalArgumentException: Illegal Capacity: -1
>>>> [PDFBOX-3969] - Splitting starts counting for cutting out pages wrongly
>>>> [PDFBOX-3972] - Incorrect page after merge for OpenAction with GoTo page destination
>>>> [PDFBOX-3976] - NPE in bfSearchForTrailer
>>>> [PDFBOX-3977] - /Info dictionary no longer available
>>>> [PDFBOX-3978] - IllegalStateException on saveIncrementalForExternalSigning
>>>> [PDFBOX-3979] - NullPointerException on Type1Parser.readCharStrings(Type1Parser.java:713)
>>>>
>>>> Improvement
>>>>
>>>> [PDFBOX-3878] - Improve and refactor RemoveAllText example
>>>> [PDFBOX-3890] - The operator Tz is not available when creating new PDF using PDPageContentStream
>>>> [PDFBOX-3897] - Avoid sRGB self-conversions
>>>> [PDFBOX-3900] - Optimize PDSeparation for shadings
>>>> [PDFBOX-3911] - Handle new line characters in single line text fields
>>>> [PDFBOX-3920] - CIDSet should be PDF/A-2b compatible
>>>> [PDFBOX-3927] - Support optional content in annotations
>>>> [PDFBOX-3944] - ERROR "Can't read embedded ICC profile" is too scary
>>>> [PDFBOX-3971] - Add Certificate Dictionary to seed value in signature field
>>>> [PDFBOX-3982] - [Patch/RFC] Set maximum compression level on FlateFilter
>>>> [PDFBOX-3983] - [Patch] Don't a allow a miter limit <= 0
>>>>
>>>> Task
>>>>
>>>> [PDFBOX-3584] - Build and test PDFBox with JDK9
>>>> [PDFBOX-3873] - Fix text comparison in PDFontTest
>>>> [PDFBOX-3938] - Add test from PDFBOX-2079 to 2.0 and trunk
>>>> [PDFBOX-3974] - Add more parsing regression tests
>>>>
>>>> Release Contents
>>>> ----------------
>>>>
>>>> This release consists of a single source archive packaged as a zip file.
>>>> The archive can be unpacked with the jar tool from your JDK installation.
>>>> See the README.txt file for instructions on how to build this release.
>>>>
>>>> The source archive is accompanied by SHA1 and MD5 checksums and a PGP
>>>> signature that you can use to verify the authenticity of your download.
>>>> The public key used for the PGP signature can be found at
>>>> https://svn.apache.org/repos/asf/pdfbox/KEYS.
>>>>
>>>> About Apache PDFBox
>>>> -------------------
>>>>
>>>> Apache PDFBox is an open source Java library for working with PDF documents.
>>>> This project allows creation of new PDF documents, manipulation of existing
>>>> documents and the ability to extract content from documents. Apache PDFBox
>>>> also includes several command line utilities. Apache PDFBox is published
>>>> under the Apache License, Version 2.0.
>>>>
>>>> For more information, visit http://pdfbox.apache.org/
>>>>
>>>> About The Apache Software Foundation
>>>> ------------------------------------
>>>>
>>>> Established in 1999, The Apache Software Foundation provides organizational,
>>>> legal, and financial support for more than 100 freely-available,
>>>> collaboratively-developed Open Source projects. The pragmatic Apache License
>>>> enables individual and commercial users to easily deploy Apache software;
>>>> the Foundation's intellectual property framework limits the legal exposure
>>>> of its 2,500+ contributors.
>>>>
>>>> For more information, visit http://www.apache.org/
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
>>>> For additional commands, e-mail: users-help@pdfbox.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
For additional commands, e-mail: users-help@pdfbox.apache.org
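
The distinction drawn in the reply at the top of this message, between a parser that throws and one that never returns, shown as an added Java example that is not part of the thread and not PDFBox code. The `parse` method is a hypothetical stand-in for a document parser and its three inputs are constructed; the example shows that catching the failure contains the exception case, while a timeout only detects the endless loop and leaves the worker thread occupied.

```java
import java.util.concurrent.*;

public class ParserContainment {
    // Hypothetical stand-in for a document parser (not PDFBox code).
    // "npe" fails like an NPE bug; "loop" never returns, like an endless-loop bug.
    static String parse(String input) {
        if (input.equals("npe")) {
            Object missing = null;
            return missing.toString();            // throws NullPointerException
        }
        if (input.equals("loop")) {
            long n = 0;
            while (true) { n++; }                 // never checks for interruption
        }
        return "parsed:" + input;
    }

    // Runs one parse on a worker thread and classifies the outcome.
    static String handle(ExecutorService pool, String input, long timeoutMs)
            throws InterruptedException {
        Callable<String> task = () -> parse(input);
        Future<String> job = pool.submit(task);
        try {
            return job.get(timeoutMs, TimeUnit.MILLISECONDS);
        } catch (ExecutionException e) {
            // Exception case: only this request fails, the worker is free again.
            return "rejected:" + e.getCause().getClass().getSimpleName();
        } catch (TimeoutException e) {
            // Endless-loop case: cancel(true) only sets the interrupt flag.
            job.cancel(true);
            return "timeout";
        }
    }

    public static void main(String[] args) throws Exception {
        // Daemon workers so the JVM can still exit with one of them stuck.
        ThreadPoolExecutor pool = new ThreadPoolExecutor(2, 2, 0L, TimeUnit.SECONDS,
                new LinkedBlockingQueue<>(), r -> {
                    Thread t = new Thread(r);
                    t.setDaemon(true);
                    return t;
                });
        for (String input : new String[] {"ok", "npe", "loop"}) {   // constructed inputs
            System.out.println(input + " -> " + handle(pool, input, 500));
        }
        // The "loop" worker is still spinning; one more such input fills the pool.
        System.out.println("workers still busy: " + pool.getActiveCount());
    }
}
```

Because the looping thread cannot be stopped from inside the JVM, a service that must survive such input has to run the parser in a separate process that can be killed.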