I'd reluctantly agree on the first one (PDFBOX-3919, although this is a 6-year-old risk). But not on any issues with NPE or CCE. I think I've fixed 10-20 of such in each version. Many of them as part of code cleanup, only a few from user reports. Doing a CVE for each of them would mean days of work. And such an exception wouldn't hurt the system. Tomcat doesn't crash when a servlet breaks. Other tools could simply catch the throwable. OTOH an endless loop is more evil, the system would slowly die or block.

I need to read this and collect the information needed.

https://www.apache.org/security/committers.html



Tilman

On 06.11.2017 at 16:34, [email protected] wrote:
Hi,

A vulnerability is anything that an attacker could do that affects the 
confidentiality, integrity or availability of the application, commonly known 
as CIA (see https://en.wikipedia.org/wiki/Information_security#Key_concepts).

An infinite loop is a denial of service (affecting availability) as the thread is looping 
instead of returning and being responsive.  Here's one example: 
https://nvd.nist.gov/vuln/detail/CVE-2016-4008   Just google "cve infinite 
loop" and you'll see many others.  Similarly, crashes caused by attacker provided 
input are a denial of service as well (keep in mind that an attacker can be a legitimate 
user).

A CNA is a CVE numbering authority, they are authorized to manage the 
publication of CVEs into a centralized database of vulnerabilities (CVEs are a 
way of uniquely identifying vulnerabilities).  See 
https://cve.mitre.org/cve/request_id.html#cna_coverage and 
https://www.apache.org/security/


Regards,

David


On 2017-11-03 14:59, Tilman Hausherr <[email protected]> wrote:
On 03.11.2017 at 18:28, [email protected] wrote:
Hi,

At least three of these issues appear to be vulnerabilities (probably more), 
any chance of getting CVEs assigned to them?  Apache is a CNA now so I'd think 
it wouldn't be too much trouble.

The issues I see as being vulnerabilities are PDFBOX-3919, PDFBOX-3949 and 
PDFBOX-3976.
What's your definition of "vulnerability"? The first is an endless loop,
the other two are NPEs. And what is a "CNA"?

Tilman



Thanks,

David


On 2017-11-03 02:19, Andreas Lehmkuehler <[email protected]> wrote:
The Apache PDFBox community is pleased to announce the release of
Apache PDFBox version 2.0.8. The release is available for download at:

http://pdfbox.apache.org/download.cgi

See the full release notes below for details about this release.

Release Notes -- Apache PDFBox -- Version 2.0.8

Introduction
------------

The Apache PDFBox library is an open source Java tool for working with PDF
documents.

This is an incremental bugfix release based on the earlier 2.0.7 release. It
contains a couple of fixes and small improvements.

For more details on these changes and all the other fixes and improvements
included in this release, please refer to the following issues on the
PDFBox issue tracker at https://issues.apache.org/jira/browse/PDFBOX.

Bug

[PDFBOX-3424] - Regression from 1.8.10: IOException: XREF for 171:0 points to
wrong object: 173:0
[PDFBOX-3639] - FDF does not parse: Missing root object specification in 
trailer.
[PDFBOX-3874] - /Fontinfo instead of /FontInfo in type 1 font
[PDFBOX-3881] - Handling of Byte Order Mark with Metadata-Fields
[PDFBOX-3884] - GlyphList registers "wrong" Adobe name for "U+02DC SMALL TILDE"
[PDFBOX-3887] - Getting a "DataFormatException: invalid distance too far back"
exception for the attached file
[PDFBOX-3894] - NPE on org.apache.pdfbox.pdmodel.PDPageTree.isPageTreeNode
[PDFBOX-3896] - UnsupportedOperationException
[PDFBOX-3898] - AcroFields' PDTextField (and others?) can have kids
[PDFBOX-3909] - End of inline image not detected
[PDFBOX-3913] - Japanese URI improperly decoded
[PDFBOX-3914] - LayerUtility ignores OCProperties on import
[PDFBOX-3916] - NPE on org.apache.pdfbox.pdmodel.font.PDType0Font.readEncoding
[PDFBOX-3919] - Infinite loop while parsing (2)
[PDFBOX-3923] - Expected a long type at offset 52152, instead got 'xref'
[PDFBOX-3925] - QUADDING constants no longer public
[PDFBOX-3928] - IllegalArgumentException: root cannot be null with truncated 
file
[PDFBOX-3929] - Border style dictionary width ignored by Adobe Reader when float
[PDFBOX-3930] - replace deprecated TBSCertificateStructure
[PDFBOX-3932] - Image with predictor 15 not rendered correctly
[PDFBOX-3934] - Page missing
[PDFBOX-3935] - DataFormatException: invalid stored block lengths
[PDFBOX-3936] - IllegalArgumentException: root cannot be null with truncated
file (2)
[PDFBOX-3937] - NPE in PDCIDFontType2 constructor
[PDFBOX-3940] - Lost metadata in 2.0.8-SNAPSHOT
[PDFBOX-3942] - ClassCastException in getOptionalContentGroups
[PDFBOX-3943] - /Helv entry in /DR not created if /DR exists
[PDFBOX-3946] - NPE in PDActionURI.getURI() if URI doesn't exist
[PDFBOX-3947] - ArrayIndexOutOfBoundsException in bfSearchForObjStreams
[PDFBOX-3948] - NumberFormatException in bfSearchForObjStreams
[PDFBOX-3949] - NPE in bfSearchForObjStreams
[PDFBOX-3950] - NPE in PageIterator.enqueueKids
[PDFBOX-3955] - new -- very slow processing on truncated PDF
[PDFBOX-3957] - Pages lost
[PDFBOX-3958] - UTF-16 (BE) URI improperly decoded
[PDFBOX-3959] - DataFormatException: invalid code lengths set with truncated 
file
[PDFBOX-3963] - ClassCastException in PDCIDFont.readVerticalDisplacements()
[PDFBOX-3965] - Truetype Font glyphs not rendered
[PDFBOX-3967] - IllegalArgumentException: Illegal Capacity: -1
[PDFBOX-3969] - Splitting starts counting for cutting out pages wrongly
[PDFBOX-3972] - Incorrect page after merge for OpenAction with GoTo page 
destination
[PDFBOX-3976] - NPE in bfSearchForTrailer
[PDFBOX-3977] - /Info dictionary no longer available
[PDFBOX-3978] - IllegalStateException on saveIncrementalForExternalSigning
[PDFBOX-3979] - NullPointerException on
Type1Parser.readCharStrings(Type1Parser.java:713)

Improvement

[PDFBOX-3878] - Improve and refactor RemoveAllText example
[PDFBOX-3890] - The operator Tz is not available when creating new PDF using
PDPageContentStream
[PDFBOX-3897] - Avoid sRGB self-conversions
[PDFBOX-3900] - Optimize PDSeparation for shadings
[PDFBOX-3911] - Handle new line characters in single line text fields
[PDFBOX-3920] - CIDSet should be PDF/A-2b compatible
[PDFBOX-3927] - Support optional content in annotations
[PDFBOX-3944] - ERROR "Can't read embedded ICC profile" is too scary
[PDFBOX-3971] - Add Certificate Dictionary to seed value in signature field
[PDFBOX-3982] - [Patch/RFC] Set maximum compression level on FlateFilter
[PDFBOX-3983] - [Patch] Don't allow a miter limit <= 0

Task

[PDFBOX-3584] - Build and test PDFBox with JDK9
[PDFBOX-3873] - Fix text comparison in PDFontTest
[PDFBOX-3938] - Add test from PDFBOX-2079 to 2.0 and trunk
[PDFBOX-3974] - Add more parsing regression tests

Release Contents
----------------

This release consists of a single source archive packaged as a zip file.
The archive can be unpacked with the jar tool from your JDK installation.
See the README.txt file for instructions on how to build this release.

The source archive is accompanied by SHA1 and MD5 checksums and a PGP
signature that you can use to verify the authenticity of your download.
The public key used for the PGP signature can be found at
https://svn.apache.org/repos/asf/pdfbox/KEYS.

About Apache PDFBox
-------------------

Apache PDFBox is an open source Java library for working with PDF documents.
This project allows creation of new PDF documents, manipulation of existing
documents and the ability to extract content from documents. Apache PDFBox
also includes several command line utilities. Apache PDFBox is published
under the Apache License, Version 2.0.

For more information, visit http://pdfbox.apache.org/

About The Apache Software Foundation
------------------------------------

Established in 1999, The Apache Software Foundation provides organizational,
legal, and financial support for more than 100 freely-available,
collaboratively-developed Open Source projects. The pragmatic Apache License
enables individual and commercial users to easily deploy Apache software;
the Foundation's intellectual property framework limits the legal exposure
of its 2,500+ contributors.

For more information, visit http://www.apache.org/

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
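
The difference discussed in this thread between an exception that a caller can catch and an endless loop that ties up a thread, shown as an added example that is not part of the original messages and is not PDFBox code. The class ParseContainment, the parse() stand-in and its inputs are hypothetical and constructed for illustration.

```java
import java.util.concurrent.*;

public class ParseContainment {
    // Hypothetical stand-in for a parser fed untrusted input (not PDFBox code).
    static int parse(String input) {
        if (input.equals("npe")) {
            String s = null;
            return s.length();      // unchecked exception, like the NPE reports
        }
        if (input.equals("loop")) {
            while (true) { }        // never returns and never checks for interrupt
        }
        return input.length();
    }

    // Run one parse with a time budget and report how the failure surfaced.
    static String run(ExecutorService pool, String input, long millis) {
        Future<Integer> f = pool.submit(() -> parse(input));
        try {
            return "ok:" + f.get(millis, TimeUnit.MILLISECONDS);
        } catch (ExecutionException e) {
            // The exception stays inside the task; the worker thread is reused.
            return "contained:" + e.getCause().getClass().getSimpleName();
        } catch (TimeoutException e) {
            f.cancel(true);         // only sets the interrupt flag; the loop keeps spinning
            return "timeout";
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return "interrupted";
        }
    }

    public static void main(String[] args) {
        // Two daemon workers, so the JVM can still exit while they spin.
        ThreadPoolExecutor pool = new ThreadPoolExecutor(2, 2, 0L, TimeUnit.MILLISECONDS,
                new LinkedBlockingQueue<>(), r -> {
                    Thread t = new Thread(r);
                    t.setDaemon(true);
                    return t;
                });
        // Constructed inputs: after both "loop" inputs every worker is stuck,
        // so the final well-formed input is queued and never parsed.
        for (String in : new String[] {"hello", "npe", "loop", "loop", "hello"}) {
            System.out.println(in + " -> " + run(pool, in, 500)
                    + " (busy workers: " + pool.getActiveCount() + ")");
        }
    }
}
```

Java offers no safe way to stop a thread that ignores interruption, so a hard limit on parsing time requires running the parser in a separate process that can be killed.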

