Bug 1597490 (CVE-2018-8036)

Summary: CVE-2018-8036 pdfbox: Infinite loop in AFMParser.java allows for out of memory errors via crafted PDF
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abergmann, aileenc, alazarot, anstephe, bkearney, chazlett, drieden, etirelli, ggainey, gvarsami, ibek, java-sig-commits, jcoleman, jolee, jschatte, jstastny, kconner, krathod, kverlaen, ldimaggi, lpetrovi, meissner, nwallace, paradhya, puntogil, rrajasek, rsynek, rwagner, rzhang, sdaley, tcunning, tkirby, tlestach, vhalbert
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: pdfbox 1.8.15, pdfbox 2.0.10
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:31:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1597491
Bug Blocks: 1597492

Comment 1 Sam Fowler 2018-07-03 04:52:57 UTC
Created pdfbox tracking bugs for this issue:

Affects: fedora-all [bug 1597491]

Comment 3 Hooman Broujerdi 2018-07-31 05:36:00 UTC
While Fuse 6.3 and Fuse 7.0 ship the vulnerable artifact via camel-pdfbox, the flawed code is not used, therefore no execution path leads to an exposure to this vulnerability, so both Fuse 6.3 and Fuse 7 standalone are not affected. However, Fuse 7.0 on OpenShift ships the vulnerable artifact via the Maven BOM, so setting Fuse 7.0 as affected for this reason only.

Comment 5 errata-xmlrpc 2018-09-11 07:57:52 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:2669 https://access.redhat.com/errata/RHSA-2018:2669