Bug 1597490 (CVE-2018-8036)

Summary: CVE-2018-8036 pdfbox: Infinite loop in AFMParser.java allows for out of memory erros via crafted PDF
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abergmann, aileenc, alazarot, anstephe, bkearney, chazlett, drieden, etirelli, ggainey, gvarsami, ibek, java-sig-commits, jcoleman, jolee, jschatte, jstastny, kconner, krathod, kverlaen, ldimaggi, lpetrovi, meissner, nwallace, paradhya, puntogil, rrajasek, rsynek, rwagner, rzhang, sdaley, tcunning, tkirby, tlestach, vhalbert
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pdfbox 1.8.15, pdfbox 2.0.10 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:31:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1597491    
Bug Blocks: 1597492    

Description Sam Fowler 2018-07-03 04:52:22 UTC 
PDFBox before versions 1.8.15 and 2.0.11 has an infinitre loop in AFMParser.java. An attacker could exploit this to cause an out of memory error via a crafted PDF.


External Reference:

http://www.openwall.com/lists/oss-security/2018/06/29/1


Upstream Release Notes:

https://www.apache.org/dist/pdfbox/2.0.11/RELEASE-NOTES.txt
https://www.apache.org/dist/pdfbox/1.8.15/RELEASE-NOTES.txt


Upstream Issue:

https://issues.apache.org/jira/projects/PDFBOX/issues/PDFBOX-4251


Upstream Patches:

http://svn.apache.org/viewvc/pdfbox/trunk/fontbox/src/main/java/org/apache/fontbox/afm/AFMParser.java?rev=1834048&r1=1834047&r2=1834048&view=diff
http://svn.apache.org/viewvc/pdfbox/branches/2.0/fontbox/src/main/java/org/apache/fontbox/afm/AFMParser.java?rev=1834046&r1=1834045&r2=1834046&view=diff
http://svn.apache.org/viewvc/pdfbox/branches/1.8/fontbox/src/main/java/org/apache/fontbox/afm/AFMParser.java?rev=1834047&r1=1834046&r2=1834047&view=diff
Comment 1 Sam Fowler 2018-07-03 04:52:57 UTC 
Created pdfbox tracking bugs for this issue:

Affects: fedora-all [bug 1597491]
Comment 3 Hooman Broujerdi 2018-07-31 05:36:00 UTC 
Statement:

While Fuse 6.3 and Fuse 7.0 ship vulnerable artifact via camel-pdfbox, however, the flawed code is not being used therefore no execution path leads to an exposure to this vulnerability, so both Fuse 6.3, 7 standalone are not affected. However, Fuse 7.0 on OpenShift ship vulnerable artifact via maven BOM, so setting Fuse 7.0 as affected for this reason only.
Comment 5 errata-xmlrpc 2018-09-11 07:57:52 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:2669 https://access.redhat.com/errata/RHSA-2018:2669