From: Andreas Lehmkuehler
Organization: Apache Software Foundation
Date: Fri, 29 Jun 2018 08:23:14 +0200
To: announce@apache.org, dev@pdfbox.apache.org, users@pdfbox.apache.org, security@apache.org, oss-security@lists.openwall.com, bugtraq@securityfocus.com
Subject: [CVE-2018-8036] DoS (OOM) Vulnerability in Apache PDFBox's AFMParser

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache PDFBox 1.8.0 to 1.8.14
Apache PDFBox 2.0.0 to 2.0.10
Earlier, unsupported Apache PDFBox versions may be affected as well

Description:
A carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.

Mitigation:
Upgrade to Apache PDFBox 1.8.15 or 2.0.11, respectively

Credit:
This issue was discovered by Tobias Ospelt