Subject: Re: [ANNOUNCE] Apache PDFBox 2.0.8 released
To: users@pdfbox.apache.org
From: Tilman Hausherr
Date: Tue, 7 Nov 2017 20:37:22 +0100
Message-ID: <5cb3b84f-bc50-390f-2393-8dae3a9d331d@t-online.de>
References: <582a3243-059a-9b20-b2a5-71c8f735bba7@t-online.de> <95e05792-cc13-bdf3-7d10-c739bbf97a34@lehmi.de>
Mailing-List: contact users-help@pdfbox.apache.org; run by ezmlm
Reply-To: users@pdfbox.apache.org

I'd reluctantly agree on the first one (PDFBOX-3919, although this is a
6-year-old risk). But not on any issues with NPE or CCE. I think I've fixed
10-20 of such in each version. Many of them as part of code cleanup, only a
few from user reports. Doing a CVE for each of them would mean days of work.
And such an exception wouldn't hurt the system. Tomcat doesn't crash when a
servlet breaks. Other tools could simply catch the throwable. OTOH an endless
loop is more evil, the system would slowly die or block.

I need to read this and collect the information needed.
https://www.apache.org/security/committers.html

Tilman

On 06.11.2017 at 16:34, davidedillard@gmail.com wrote:
> Hi,
>
> A vulnerability is anything that an attacker could do that affects the
> confidentiality, integrity or availability of the application, commonly
> known as CIA (see https://en.wikipedia.org/wiki/Information_security#Key_concepts).
>
> An infinite loop is a denial of service (affecting availability) as the
> thread is looping instead of returning and being responsive. Here's one
> example: https://nvd.nist.gov/vuln/detail/CVE-2016-4008 Just google
> "cve infinite loop" and you'll see many others. Similarly, crashes caused
> by attacker-provided input are a denial of service as well (keep in mind
> that an attacker can be a legitimate user).
>
> A CNA is a CVE numbering authority; they are authorized to manage the
> publication of CVEs into a centralized database of vulnerabilities (CVEs
> are a way of uniquely identifying vulnerabilities). See
> https://cve.mitre.org/cve/request_id.html#cna_coverage and
> https://www.apache.org/security/
>
> Regards,
>
> David
>
> On 2017-11-03 14:59, Tilman Hausherr wrote:
>> On 03.11.2017 at 18:28, davidedillard@gmail.com wrote:
>>> Hi,
>>>
>>> At least three of these issues appear to be vulnerabilities (probably
>>> more), any chance of getting CVEs assigned to them? Apache is a CNA now
>>> so I'd think it wouldn't be too much trouble.
>>>
>>> The issues I see as being vulnerabilities are PDFBOX-3919, PDFBOX-3949
>>> and PDFBOX-3976.
>> What's your definition of "vulnerability"? The first is an endless loop,
>> the other two are NPEs. And what is a "CNA"?
>>
>> Tilman
>>
>>> Thanks,
>>>
>>> David
>>>
>>> On 2017-11-03 02:19, Andreas Lehmkuehler wrote:
>>>> The Apache PDFBox community is pleased to announce the release of
>>>> Apache PDFBox version 2.0.8. The release is available for download at:
>>>>
>>>> http://pdfbox.apache.org/download.cgi
>>>>
>>>> See the full release notes below for details about this release.
>>>>
>>>> Release Notes -- Apache PDFBox -- Version 2.0.8
>>>>
>>>> Introduction
>>>> ------------
>>>>
>>>> The Apache PDFBox library is an open source Java tool for working with PDF
>>>> documents.
>>>>
>>>> This is an incremental bugfix release based on the earlier 2.0.7 release. It
>>>> contains a couple of fixes and small improvements.
>>>>
>>>> For more details on these changes and all the other fixes and improvements
>>>> included in this release, please refer to the following issues on the
>>>> PDFBox issue tracker at https://issues.apache.org/jira/browse/PDFBOX.
>>>>
>>>> Bug
>>>>
>>>> [PDFBOX-3424] - Regression from 1.8.10: IOException: XREF for 171:0 points to wrong object: 173:0
>>>> [PDFBOX-3639] - FDF does not parse: Missing root object specification in trailer.
>>>> [PDFBOX-3874] - /Fontinfo instead of /FontInfo in type 1 font
>>>> [PDFBOX-3881] - Handling of Byte Order Mark with Metadata-Fields
>>>> [PDFBOX-3884] - GlyphList registers "wrong" Adobe name for "U+02DC SMALL TILDE"
>>>> [PDFBOX-3887] - Getting a "DataFormatException: invalid distance too far back" exception for the attached file
>>>> [PDFBOX-3894] - NPE on org.apache.pdfbox.pdmodel.PDPageTree.isPageTreeNode
>>>> [PDFBOX-3896] - UnsupportedOperationException
>>>> [PDFBOX-3898] - AcroFields' PDTextField (and others?) can have kids
>>>> [PDFBOX-3909] - End of inline image not detected
>>>> [PDFBOX-3913] - Japanese URI improperly decoded
>>>> [PDFBOX-3914] - LayerUtility ignores OCProperties on import
>>>> [PDFBOX-3916] - NPE on org.apache.pdfbox.pdmodel.font.PDType0Font.readEncoding
>>>> [PDFBOX-3919] - Infinite loop while parsing (2)
>>>> [PDFBOX-3923] - Expected a long type at offset 52152, instead got 'xref'
>>>> [PDFBOX-3925] - QUADDING constants no longer public
>>>> [PDFBOX-3928] - IllegalArgumentException: root cannot be null with truncated file
>>>> [PDFBOX-3929] - Border style dictionary width ignored by Adobe Reader when float
>>>> [PDFBOX-3930] - replace deprecated TBSCertificateStructure
>>>> [PDFBOX-3932] - Image with predictor 15 not rendered correctly
>>>> [PDFBOX-3934] - Page missing
>>>> [PDFBOX-3935] - DataFormatException: invalid stored block lengths
>>>> [PDFBOX-3936] - IllegalArgumentException: root cannot be null with truncated file (2)
>>>> [PDFBOX-3937] - NPE in PDCIDFontType2 constructor
>>>> [PDFBOX-3940] - Lost metadata in 2.0.8-SNAPSHOT
>>>> [PDFBOX-3942] - ClassCastException in getOptionalContentGroups
>>>> [PDFBOX-3943] - /Helv entry in /DR not created if /DR exists
>>>> [PDFBOX-3946] - NPE in PDActionURI.getURI() if URI doesn't exist
>>>> [PDFBOX-3947] - ArrayIndexOutOfBoundsException in bfSearchForObjStreams
>>>> [PDFBOX-3948] - NumberFormatException in bfSearchForObjStreams
>>>> [PDFBOX-3949] - NPE in bfSearchForObjStreams
>>>> [PDFBOX-3950] - NPE in PageIterator.enqueueKids
>>>> [PDFBOX-3955] - new -- very slow processing on truncated PDF
>>>> [PDFBOX-3957] - Pages lost
>>>> [PDFBOX-3958] - UTF-16 (BE) URI improperly decoded
>>>> [PDFBOX-3959] - DataFormatException: invalid code lengths set with truncated file
>>>> [PDFBOX-3963] - ClassCastException in PDCIDFont.readVerticalDisplacements()
>>>> [PDFBOX-3965] - Truetype Font glyphs not rendered
>>>> [PDFBOX-3967] - IllegalArgumentException: Illegal Capacity: -1
>>>> [PDFBOX-3969] - Splitting starts counting for cutting out pages wrongly
>>>> [PDFBOX-3972] - Incorrect page after merge for OpenAction with GoTo page destination
>>>> [PDFBOX-3976] - NPE in bfSearchForTrailer
>>>> [PDFBOX-3977] - /Info dictionary no longer available
>>>> [PDFBOX-3978] - IllegalStateException on saveIncrementalForExternalSigning
>>>> [PDFBOX-3979] - NullPointerException on Type1Parser.readCharStrings(Type1Parser.java:713)
>>>>
>>>> Improvement
>>>>
>>>> [PDFBOX-3878] - Improve and refactor RemoveAllText example
>>>> [PDFBOX-3890] - The operator Tz is not available when creating new PDF using PDPageContentStream
>>>> [PDFBOX-3897] - Avoid sRGB self-conversions
>>>> [PDFBOX-3900] - Optimize PDSeparation for shadings
>>>> [PDFBOX-3911] - Handle new line characters in single line text fields
>>>> [PDFBOX-3920] - CIDSet should be PDF/A-2b compatible
>>>> [PDFBOX-3927] - Support optional content in annotations
>>>> [PDFBOX-3944] - ERROR "Can't read embedded ICC profile" is too scary
>>>> [PDFBOX-3971] - Add Certificate Dictionary to seed value in signature field
>>>> [PDFBOX-3982] - [Patch/RFC] Set maximum compression level on FlateFilter
>>>> [PDFBOX-3983] - [Patch] Don't allow a miter limit <= 0
>>>>
>>>> Task
>>>>
>>>> [PDFBOX-3584] - Build and test PDFBox with JDK9
>>>> [PDFBOX-3873] - Fix text comparison in PDFontTest
>>>> [PDFBOX-3938] - Add test from PDFBOX-2079 to 2.0 and trunk
>>>> [PDFBOX-3974] - Add more parsing regression tests
>>>>
>>>> Release Contents
>>>> ----------------
>>>>
>>>> This release consists of a single source archive packaged as a zip file.
>>>> The archive can be unpacked with the jar tool from your JDK installation.
>>>> See the README.txt file for instructions on how to build this release.
>>>>
>>>> The source archive is accompanied by SHA1 and MD5 checksums and a PGP
>>>> signature that you can use to verify the authenticity of your download.
>>>> The public key used for the PGP signature can be found at
>>>> https://svn.apache.org/repos/asf/pdfbox/KEYS.
>>>>
>>>> About Apache PDFBox
>>>> -------------------
>>>>
>>>> Apache PDFBox is an open source Java library for working with PDF documents.
>>>> This project allows creation of new PDF documents, manipulation of existing
>>>> documents and the ability to extract content from documents. Apache PDFBox
>>>> also includes several command line utilities. Apache PDFBox is published
>>>> under the Apache License, Version 2.0.
>>>>
>>>> For more information, visit http://pdfbox.apache.org/
>>>>
>>>> About The Apache Software Foundation
>>>> ------------------------------------
>>>>
>>>> Established in 1999, The Apache Software Foundation provides organizational,
>>>> legal, and financial support for more than 100 freely-available,
>>>> collaboratively-developed Open Source projects. The pragmatic Apache License
>>>> enables individual and commercial users to easily deploy Apache software;
>>>> the Foundation's intellectual property framework limits the legal exposure
>>>> of its 2,500+ contributors.
>>>>
>>>> For more information, visit http://www.apache.org/
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
>>>> For additional commands, e-mail: users-help@pdfbox.apache.org
>>>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
For additional commands, e-mail: users-help@pdfbox.apache.org
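The distinction drawn in the thread above, that an exception thrown by a parser (NPE, CCE) is cheap for the host to contain while an endless loop ties up a thread until something external stops it, can be shown with a small harness. This is an added example and not code from the mailing list or from PDFBox: `parseUntrusted`, the `Outcome` enum and the three stand-in parsers are all constructed for illustration. In real use the `Callable` would wrap a PDFBox call such as `PDDocument.load(bytes)` on attacker-supplied input; here two fakes reproduce the failure modes under discussion, one throwing a `NullPointerException` and one spinning forever.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class UntrustedParseBoundary {

    /** Outcome of running a parser on attacker-supplied input (constructed). */
    public enum Outcome { OK, PARSER_EXCEPTION, TIMED_OUT }

    /**
     * Hypothetical boundary around untrusted parsing, not a PDFBox API.
     * Two defences: a catch-all for whatever the parser throws, which is what
     * a servlet container does for a broken servlet, and a wall-clock limit
     * for the case where the parser never returns at all.
     */
    public static Outcome parseUntrusted(Callable<?> parser, long limitMillis) {
        ExecutorService pool = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "untrusted-parse");
            t.setDaemon(true); // a stuck parser must not keep the JVM alive at exit
            return t;
        });
        Future<?> f = pool.submit(parser);
        try {
            f.get(limitMillis, TimeUnit.MILLISECONDS);
            return Outcome.OK;
        } catch (ExecutionException e) {
            // The parser threw (NPE, CCE, IOException, ...). The caller's own
            // thread is untouched, so this is cheap to contain.
            return Outcome.PARSER_EXCEPTION;
        } catch (TimeoutException e) {
            // The parser is still running. cancel(true) only delivers an
            // interrupt; a loop that never checks Thread.interrupted() keeps
            // burning a core after we return, which is why a loop is the
            // worse failure mode for the host process.
            f.cancel(true);
            return Outcome.TIMED_OUT;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return Outcome.TIMED_OUT;
        } finally {
            pool.shutdownNow();
        }
    }

    // Constructed stand-ins for the two failure modes named in the thread.
    static final Callable<Object> NPE_PARSER = () -> {
        Object missingRoot = null;           // e.g. a trailer without /Root
        return missingRoot.toString();       // throws NullPointerException
    };

    static final Callable<Object> LOOPING_PARSER = () -> {
        long offset = 0;
        while (true) {                       // e.g. an xref chain pointing at itself
            offset = (offset + 1) % 1024;    // never returns, never checks interrupt
        }
    };

    static final Callable<Object> GOOD_PARSER = () -> "parsed";

    public static void main(String[] args) {
        System.out.println("good:    " + parseUntrusted(GOOD_PARSER, 500));
        System.out.println("npe:     " + parseUntrusted(NPE_PARSER, 500));
        System.out.println("looping: " + parseUntrusted(LOOPING_PARSER, 500));
    }
}
```

Running it prints OK, PARSER_EXCEPTION and TIMED_OUT in that order. The third case is the one to watch in production: the caller gets control back after the limit, but the daemon thread is still at 100% of a core until the JVM exits, so a service that receives many such inputs degrades exactly in the way the thread describes. Bounding that requires isolation the JVM does not give you from inside the same process (a separate worker process with its own CPU limit, or a parser that checks for interruption in its loops).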