Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package libpdfbox2-java

[ Reason ]
This unblock request addresses these two CVEs in the libpdfbox2-java package:

CVE-2021-27807: A carefully crafted PDF file can trigger an infinite loop while loading the file.
CVE-2021-27906: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file.

More context on the bug is available in [1].

I recognize that this is a new upstream release. When investigating the bug, I was unable to isolate a targeted set of upstream commits to address only the CVEs. Thus I believe uploading a new upstream patch release is less risky than attempting to identify and backport the code changes solely related to the security vulnerabilities. The Security Team also suggested the unblock request for bullseye [2].

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986006
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986006#24

[ Risks ]
I have reviewed the source diff and believe it to be suitable. Most of the changes in the point release are code-smithing:
- spelling errors
- eliminating 0 bit shifts
- adding try/catch blocks
- adding null checks (and also removing them when not needed)
- initializing lists with estimated sizes (performance improvement)
- whitespace and formatting
- examples (nearly 10% of the diff) and documentation

I am not aware of an alternative to libpdfbox2-java. I believe pdfsam is the most popular package in the reverse dependency graph.
The following is from apt-cache rdepends ${pkg}:

libpdfbox2-java
Reverse Depends:
  libpdfbox2-java-doc
  libtika-java
libtika-java
Reverse Depends:
  libmetadata-extractor-java
  libvorbis-java
  libpantomime-clojure
libpantomime-clojure
Reverse Depends:
  puppetdb
libmetadata-extractor-java
Reverse Depends:
  libsejda-java
  libtika-java
libsejda-java
Reverse Depends:
  pdfsam

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
My apologies for submitting a request with such a large diff. Thank you for considering the request.

Cheers,
tony

unblock libpdfbox2-java/2.0.23-1
Attachments:
libpdfbox2-java_2.0.22-1_vs_2.0.23-1.dsc.debdiff.gz (application/gzip)
libpdfbox2-java_2.0.22-1_vs_2.0.23-1_amd64.changes.debdiff.gz (application/gzip)
signature.asc (PGP signature)
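The reverse-dependency listing in the request is the raw apt-cache output, and reading the blast radius of a library CVE off it by eye is error-prone once the tree branches or loops (libtika-java and libmetadata-extractor-java depend on each other). The script below is an added example, not part of the unblock request and not Debian tooling: it parses `apt-cache rdepends --recurse`-shaped text into a graph and walks it breadth-first to list every package that transitively depends on the vulnerable library, the shortest dependency chain that reaches each one, and the leaf packages (the ones nothing else depends on, which is where end users actually sit). The input is a constructed transcript that mirrors the listing quoted above rather than live apt-cache output; the function names are mine.

```python
"""Transitive reverse-dependency closure from apt-cache rdepends output.

Added example, not part of the unblock request. SAMPLE_RDEPENDS is a
constructed transcript shaped like `apt-cache rdepends --recurse <pkg>`,
containing the package names quoted in the request; it is not live output.
"""
from collections import defaultdict, deque

SAMPLE_RDEPENDS = """\
libpdfbox2-java
Reverse Depends:
  libpdfbox2-java-doc
  libtika-java
libtika-java
Reverse Depends:
  libmetadata-extractor-java
  libvorbis-java
  libpantomime-clojure
libpantomime-clojure
Reverse Depends:
  puppetdb
libmetadata-extractor-java
Reverse Depends:
  libsejda-java
  libtika-java
libsejda-java
Reverse Depends:
  pdfsam
"""


def parse_rdepends(text):
    """Return {package: set(packages that depend on it)}.

    A line at column 0 names the package whose reverse dependencies follow;
    indented lines list those dependents. apt-cache prefixes alternatives
    with '|' (e.g. '|foo'); that marker is stripped so names stay canonical.
    """
    graph = defaultdict(set)
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Reverse Depends:"):
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError("dependent listed before any package: %r" % raw)
            graph[current].add(raw.strip().lstrip("|"))
        else:
            current = raw.strip()
            graph.setdefault(current, set())
    return dict(graph)


def affected_packages(graph, root):
    """Return {package: shortest chain from root to package} for every
    package that transitively depends on root (root itself excluded).

    Breadth-first search gives the shortest chain; the `seen` set makes the
    walk terminate on cycles such as libtika-java <-> libmetadata-extractor-java.
    """
    chains = {root: [root]}
    seen = {root}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in sorted(graph.get(pkg, ())):
            if dep in seen:
                continue
            seen.add(dep)
            chains[dep] = chains[pkg] + [dep]
            queue.append(dep)
    del chains[root]
    return chains


def leaf_packages(graph, root):
    """Affected packages that nothing else depends on: the end of each chain."""
    affected = affected_packages(graph, root)
    return {pkg for pkg in affected if not graph.get(pkg)}


if __name__ == "__main__":
    g = parse_rdepends(SAMPLE_RDEPENDS)
    for pkg, chain in sorted(affected_packages(g, "libpdfbox2-java").items()):
        print("%-28s %s" % (pkg, " -> ".join(chain)))
    print("leaves:", sorted(leaf_packages(g, "libpdfbox2-java")))
```

On a real system the same functions can be fed `apt-cache rdepends --recurse --installed libpdfbox2-java` output to restrict the walk to what is actually installed, which is the set that matters when deciding whether a fix can wait for the next point release.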