PDFBox before versions 1.8.15 and 2.0.11 has an infinite loop in AFMParser.java. A crafted PDF can drive the parser into this loop, which keeps consuming memory until the JVM fails with an out-of-memory error, so the practical impact is denial of service for any application that parses untrusted PDFs with an affected version. As the patch paths below show, AFMParser.java lives in the FontBox module, so the flawed code ships in the org.apache.pdfbox:fontbox artifact as well as being pulled in transitively by org.apache.pdfbox:pdfbox; both artifacts need to be at a fixed version.

External Reference:
http://www.openwall.com/lists/oss-security/2018/06/29/1

Upstream Release Notes:
https://www.apache.org/dist/pdfbox/2.0.11/RELEASE-NOTES.txt
https://www.apache.org/dist/pdfbox/1.8.15/RELEASE-NOTES.txt

Upstream Issue:
https://issues.apache.org/jira/projects/PDFBOX/issues/PDFBOX-4251

Upstream Patches:
http://svn.apache.org/viewvc/pdfbox/trunk/fontbox/src/main/java/org/apache/fontbox/afm/AFMParser.java?rev=1834048&r1=1834047&r2=1834048&view=diff
http://svn.apache.org/viewvc/pdfbox/branches/2.0/fontbox/src/main/java/org/apache/fontbox/afm/AFMParser.java?rev=1834046&r1=1834045&r2=1834046&view=diff
http://svn.apache.org/viewvc/pdfbox/branches/1.8/fontbox/src/main/java/org/apache/fontbox/afm/AFMParser.java?rev=1834047&r1=1834046&r2=1834047&view=diff
Created pdfbox tracking bugs for this issue:

Affects: fedora-all [bug 1597491]
Statement: Fuse 6.3 and Fuse 7.0 ship the vulnerable artifact via camel-pdfbox, but the flawed code is not used there, so no execution path exposes this vulnerability; the standalone Fuse 6.3 and Fuse 7.0 distributions are therefore not affected. However, Fuse 7.0 on OpenShift ships the vulnerable artifact via the Maven BOM, so Fuse 7.0 is marked as affected for that reason only.
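As an added check for this entry (example code written here, not PDFBox or Red Hat tooling): a Python script that scans captured `mvn dependency:tree` output and a BOM's dependencyManagement section for org.apache.pdfbox:pdfbox and org.apache.pdfbox:fontbox entries below the fixed releases named above. The version thresholds and artifact names come from this entry (the fontbox check follows from the patch paths, which place AFMParser in the fontbox module); the sample tree, the BOM, and every version string in them are constructed inputs. It treats a release line the entry does not cover (older than 1.8, or newer than 2.0) and any `${property}` version as "review" rather than guessing.

```python
"""Flag PDFBox/FontBox versions still affected by the AFMParser infinite loop.

Added example for this advisory entry; not PDFBox or Red Hat tooling.
Thresholds come from the entry (fixed in 1.8.15 and 2.0.11). AFMParser lives
in the fontbox module, which pdfbox pulls in as its own artifact, so both
org.apache.pdfbox:pdfbox and org.apache.pdfbox:fontbox are checked.
The dependency tree and BOM below are constructed sample inputs.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# First fixed release on each affected release line, per the advisory.
FIXED = {(1, 8): (1, 8, 15), (2, 0): (2, 0, 11)}

# Artifacts that contain AFMParser (fontbox) or depend on it (pdfbox).
ARTIFACTS = {"org.apache.pdfbox:fontbox", "org.apache.pdfbox:pdfbox"}

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a Maven version: '2.0.11.redhat-00001' -> (2, 0, 11).
    Parsing stops at the first component that has no leading digits."""
    nums = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def classify(version: str) -> str:
    """'vulnerable' below the fixed release on its line, 'fixed' at or above it,
    'review' when the line is not one the advisory covers (older than 1.8, or a
    line released after the advisory), since no threshold is known for it."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[:2])
    if fixed is None:
        return "review"
    return "vulnerable" if parsed < fixed else "fixed"


def parse_coordinate(token: str) -> Optional[Tuple[str, str, str]]:
    """Split a coordinate as printed by `mvn dependency:tree` into
    (groupId, artifactId, version). Accepts g:a:type:version and
    g:a:type[:classifier]:version:scope; anything shorter is not a coordinate."""
    parts = token.split(":")
    if len(parts) < 4:
        return None
    version = parts[3] if len(parts) == 4 else parts[-2]
    return parts[0], parts[1], version


def scan_tree(tree_text: str) -> List[Tuple[str, str, str]]:
    """(artifact, version, status) for every PDFBox/FontBox coordinate in
    dependency:tree output, transitive entries included. Entries Maven marks
    as omitted or managed are still reported so the reader can resolve them."""
    findings = []
    for line in tree_text.splitlines():
        for token in line.split():
            coord = parse_coordinate(token)
            if coord is None:
                continue
            key = coord[0] + ":" + coord[1]
            if key in ARTIFACTS:
                findings.append((key, coord[2], classify(coord[2])))
    return findings


def scan_bom(pom_xml: str) -> List[Tuple[str, str, str]]:
    """(artifact, version, status) for PDFBox/FontBox versions pinned in a
    BOM's <dependencyManagement>. A ${property} version is reported as
    'review' because it cannot be resolved without the full build."""
    root = ET.fromstring(pom_xml)
    findings = []
    path = "m:dependencyManagement/m:dependencies/m:dependency"
    for dep in root.findall(path, POM_NS):
        group = dep.findtext("m:groupId", "", POM_NS)
        artifact = dep.findtext("m:artifactId", "", POM_NS)
        version = dep.findtext("m:version", "", POM_NS)
        key = group + ":" + artifact
        if key in ARTIFACTS:
            status = "review" if version.startswith("${") else classify(version)
            findings.append((key, version, status))
    return findings


# Constructed sample: a camel-pdfbox consumer (versions are made up).
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ app ---
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.camel:camel-pdfbox:jar:2.21.0:compile
[INFO] |  \\- org.apache.pdfbox:pdfbox:jar:2.0.9:compile
[INFO] |     \\- org.apache.pdfbox:fontbox:jar:2.0.9:compile
[INFO] \\- org.apache.pdfbox:fontbox:jar:1.8.15:compile
"""

# Constructed sample BOM: one literal version, one property-driven version.
SAMPLE_BOM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency><groupId>org.apache.pdfbox</groupId><artifactId>pdfbox</artifactId>
      <version>2.0.11.redhat-00001</version></dependency>
    <dependency><groupId>org.apache.pdfbox</groupId><artifactId>fontbox</artifactId>
      <version>${pdfbox.version}</version></dependency>
  </dependencies></dependencyManagement>
</project>
"""

if __name__ == "__main__":
    for key, version, status in scan_tree(SAMPLE_TREE) + scan_bom(SAMPLE_BOM):
        print(f"{status:10} {key} {version}")
```

To run it against a real build, replace SAMPLE_TREE with the saved output of `mvn dependency:tree` for the module that consumes camel-pdfbox and SAMPLE_BOM with the imported BOM's pom.xml; every "review" result needs a manual look, and a "fixed" pdfbox next to a "vulnerable" fontbox still leaves the flawed class on the classpath.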
This issue has been addressed in the following products:

Red Hat JBoss Fuse

Via RHSA-2018:2669 https://access.redhat.com/errata/RHSA-2018:2669