You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@pdfbox.apache.org by Andreas Lehmkuehler <an...@lehmi.de> on 2017/11/03 06:19:51 UTC
[ANNOUNCE] Apache PDFBox 2.0.8 released
The Apache PDFBox community is pleased to announce the release of
Apache PDFBox version 2.0.8. The release is available for download at:
http://pdfbox.apache.org/download.cgi
See the full release notes below for details about this release.
Release Notes -- Apache PDFBox -- Version 2.0.8
Introduction
------------
The Apache PDFBox library is an open source Java tool for working with PDF
documents.
This is an incremental bugfix release based on the earlier 2.0.7 release. It
contains
a couple of fixes and small improvements.
For more details on these changes and all the other fixes and improvements
included in this release, please refer to the following issues on the
PDFBox issue tracker at https://issues.apache.org/jira/browse/PDFBOX.
Bug
[PDFBOX-3424] - Regression from 1.8.10: IOException: XREF for 171:0 points to
wrong object: 173:0
[PDFBOX-3639] - FDF does not parse: Missing root object specification in trailer.
[PDFBOX-3874] - /Fontinfo instead of /FontInfo in type 1 font
[PDFBOX-3881] - Handling of Byte Order Mark with Metadata-Fields
[PDFBOX-3884] - GlyphList registers "wrong" Adobe name for "U+02DC SMALL TILDE"
[PDFBOX-3887] - Getting a "DataFormatException: invalid distance too far back"
exception for the attached file
[PDFBOX-3894] - NPE on org.apache.pdfbox.pdmodel.PDPageTree.isPageTreeNode
[PDFBOX-3896] - UnsupportedOperationException
[PDFBOX-3898] - AcroFields' PDTextField (and others?) can have kids
[PDFBOX-3909] - End of inline image not detected
[PDFBOX-3913] - Japanese URI improperly decoded
[PDFBOX-3914] - LayerUtility ignores OCProperties on import
[PDFBOX-3916] - NPE on org.apache.pdfbox.pdmodel.font.PDType0Font.readEncoding
[PDFBOX-3919] - Infinite loop while parsing (2)
[PDFBOX-3923] - Expected a long type at offset 52152, instead got 'xref'
[PDFBOX-3925] - QUADDING constants no longer public
[PDFBOX-3928] - IllegalArgumentException: root cannot be null with truncated file
[PDFBOX-3929] - Border style dictionary width ignored by Adobe Reader when float
[PDFBOX-3930] - replace deprecated TBSCertificateStructure
[PDFBOX-3932] - Image with predictor 15 not rendered correctly
[PDFBOX-3934] - Page missing
[PDFBOX-3935] - DataFormatException: invalid stored block lengths
[PDFBOX-3936] - IllegalArgumentException: root cannot be null with truncated
file (2)
[PDFBOX-3937] - NPE in PDCIDFontType2 constructor
[PDFBOX-3940] - Lost metadata in 2.0.8-SNAPSHOT
[PDFBOX-3942] - ClassCastException in getOptionalContentGroups
[PDFBOX-3943] - /Helv entry in /DR not created if /DR exists
[PDFBOX-3946] - NPE in PDActionURI.getURI() if URI doesn't exist
[PDFBOX-3947] - ArrayIndexOutOfBoundsException in bfSearchForObjStreams
[PDFBOX-3948] - NumberFormatException in bfSearchForObjStreams
[PDFBOX-3949] - NPE in bfSearchForObjStreams
[PDFBOX-3950] - NPE in PageIterator.enqueueKids
[PDFBOX-3955] - new -- very slow processing on truncated PDF
[PDFBOX-3957] - Pages lost
[PDFBOX-3958] - UTF-16 (BE) URI improperly decoded
[PDFBOX-3959] - DataFormatException: invalid code lengths set with truncated file
[PDFBOX-3963] - ClassCastException in PDCIDFont.readVerticalDisplacements()
[PDFBOX-3965] - Truetype Font glyphs not rendered
[PDFBOX-3967] - IllegalArgumentException: Illegal Capacity: -1
[PDFBOX-3969] - Splitting starts counting for cutting out pages wrongly
[PDFBOX-3972] - Incorrect page after merge for OpenAction with GoTo page destination
[PDFBOX-3976] - NPE in bfSearchForTrailer
[PDFBOX-3977] - /Info dictionary no longer available
[PDFBOX-3978] - IllegalStateException on saveIncrementalForExternalSigning
[PDFBOX-3979] - NullPointerException on
Type1Parser.readCharStrings(Type1Parser.java:713)
Improvement
[PDFBOX-3878] - Improve and refactor RemoveAllText example
[PDFBOX-3890] - The operator Tz is not available when creating new PDF using
PDPageContentStream
[PDFBOX-3897] - Avoid sRGB self-conversions
[PDFBOX-3900] - Optimize PDSeparation for shadings
[PDFBOX-3911] - Handle new line characters in single line text fields
[PDFBOX-3920] - CIDSet should be PDF/A-2b compatible
[PDFBOX-3927] - Support optional content in annotations
[PDFBOX-3944] - ERROR "Can't read embedded ICC profile" is too scary
[PDFBOX-3971] - Add Certificate Dictionary to seed value in signature field
[PDFBOX-3982] - [Patch/RFC] Set maximum compression level on FlateFilter
[PDFBOX-3983] - [Patch] Don't a allow a miter limit <= 0
Task
[PDFBOX-3584] - Build and test PDFBox with JDK9
[PDFBOX-3873] - Fix text comparison in PDFontTest
[PDFBOX-3938] - Add test from PDFBOX-2079 to 2.0 and trunk
[PDFBOX-3974] - Add more parsing regression tests
Release Contents
----------------
This release consists of a single source archive packaged as a zip file.
The archive can be unpacked with the jar tool from your JDK installation.
See the README.txt file for instructions on how to build this release.
The source archive is accompanied by SHA1 and MD5 checksums and a PGP
signature that you can use to verify the authenticity of your download.
The public key used for the PGP signature can be found at
https://svn.apache.org/repos/asf/pdfbox/KEYS.
About Apache PDFBox
-------------------
Apache PDFBox is an open source Java library for working with PDF documents.
This project allows creation of new PDF documents, manipulation of existing
documents and the ability to extract content from documents. Apache PDFBox
also includes several command line utilities. Apache PDFBox is published
under the Apache License, Version 2.0.
For more information, visit http://pdfbox.apache.org/
About The Apache Software Foundation
------------------------------------
Established in 1999, The Apache Software Foundation provides organizational,
legal, and financial support for more than 100 freely-available,
collaboratively-developed Open Source projects. The pragmatic Apache License
enables individual and commercial users to easily deploy Apache software;
the Foundation's intellectual property framework limits the legal exposure
of its 2,500+ contributors.
For more information, visit http://www.apache.org/
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
For additional commands, e-mail: users-help@pdfbox.apache.org
Re: [ANNOUNCE] Apache PDFBox 2.0.8 released
Posted by Tilman Hausherr <TH...@t-online.de>.
I'd reluctantly agree on the first one (PDFBOX-3919, although this is a
6 year old risk). But not on any issues with NPE or CCE. I think I've
fixed 10-20 of such in each version. Many of them as part of code
cleanup, only a few from user reports. Doing a CVE for each of them
would mean days of work. And such an exception wouldn't hurt the system.
Tomcat doesn't crash when a servlet breaks. Other tools could simply
catch the throwable. OTOH an endless loop is more evil, the system would
slowly die or block.
I need to read this and collect the information needed.
https://www.apache.org/security/committers.html
Tilman
Am 06.11.2017 um 16:34 schrieb davidedillard@gmail.com:
> Hi,
>
> A vulnerability is anything that an attacker could do that affects the confidentiality, integrity or availability of the application, commonly known as CIA (see https://en.wikipedia.org/wiki/Information_security#Key_concepts).
>
> An infinite loop is a denial of service (affecting availability) as the thread is looping instead of returning and being responsive. Here's one example: https://nvd.nist.gov/vuln/detail/CVE-2016-4008 Just google "cve infinite loop" and you'll see many others. Similarly, crashes caused by attacker provided input are a denial of service as well (keep in mind that an attacker can be a legitimate user).
>
> A CNA is a CVE numbering authority, they are authorized to manage the publication of CVEs into a centralized database of vulnerabilities (CVEs are a way of uniquely identifying vulnerabilities). See https://cve.mitre.org/cve/request_id.html#cna_coverage and https://www.apache.org/security/
>
>
> Regards,
>
> David
>
>
> On 2017-11-03 14:59, Tilman Hausherr <TH...@t-online.de> wrote:
>> Am 03.11.2017 um 18:28 schrieb davidedillard@gmail.com:
>>> Hi,
>>>
>>> At least three of these issues appear to be vulnerabilities (probably more), any chance of getting CVEs assigned to them? Apache is a CNA now so I'd think it wouldn't be too much trouble.
>>>
>>> The issues I see as being vulnerabilities are PDFBOX-3919, PDFBOX-3949 and PDFBOX-3976.
>> What's your definition of "vulnerability"? The first is an endless loop,
>> the other two are NPEs. And what is a "CNA"?
>>
>> Tilman
>>
>>
>>>
>>> Thanks,
>>>
>>> David
>>>
>>>
>>> On 2017-11-03 02:19, Andreas Lehmkuehler <an...@lehmi.de> wrote:
>>>> The Apache PDFBox community is pleased to announce the release of
>>>> Apache PDFBox version 2.0.8. The release is available for download at:
>>>>
>>>> http://pdfbox.apache.org/download.cgi
>>>>
>>>> See the full release notes below for details about this release.
>>>>
>>>> Release Notes -- Apache PDFBox -- Version 2.0.8
>>>>
>>>> Introduction
>>>> ------------
>>>>
>>>> The Apache PDFBox library is an open source Java tool for working with PDF
>>>> documents.
>>>>
>>>> This is an incremental bugfix release based on the earlier 2.0.7 release. It
>>>> contains
>>>> a couple of fixes and small improvements.
>>>>
>>>> For more details on these changes and all the other fixes and improvements
>>>> included in this release, please refer to the following issues on the
>>>> PDFBox issue tracker at https://issues.apache.org/jira/browse/PDFBOX.
>>>>
>>>> Bug
>>>>
>>>> [PDFBOX-3424] - Regression from 1.8.10: IOException: XREF for 171:0 points to
>>>> wrong object: 173:0
>>>> [PDFBOX-3639] - FDF does not parse: Missing root object specification in trailer.
>>>> [PDFBOX-3874] - /Fontinfo instead of /FontInfo in type 1 font
>>>> [PDFBOX-3881] - Handling of Byte Order Mark with Metadata-Fields
>>>> [PDFBOX-3884] - GlyphList registers "wrong" Adobe name for "U+02DC SMALL TILDE"
>>>> [PDFBOX-3887] - Getting a "DataFormatException: invalid distance too far back"
>>>> exception for the attached file
>>>> [PDFBOX-3894] - NPE on org.apache.pdfbox.pdmodel.PDPageTree.isPageTreeNode
>>>> [PDFBOX-3896] - UnsupportedOperationException
>>>> [PDFBOX-3898] - AcroFields' PDTextField (and others?) can have kids
>>>> [PDFBOX-3909] - End of inline image not detected
>>>> [PDFBOX-3913] - Japanese URI improperly decoded
>>>> [PDFBOX-3914] - LayerUtility ignores OCProperties on import
>>>> [PDFBOX-3916] - NPE on org.apache.pdfbox.pdmodel.font.PDType0Font.readEncoding
>>>> [PDFBOX-3919] - Infinite loop while parsing (2)
>>>> [PDFBOX-3923] - Expected a long type at offset 52152, instead got 'xref'
>>>> [PDFBOX-3925] - QUADDING constants no longer public
>>>> [PDFBOX-3928] - IllegalArgumentException: root cannot be null with truncated file
>>>> [PDFBOX-3929] - Border style dictionary width ignored by Adobe Reader when float
>>>> [PDFBOX-3930] - replace deprecated TBSCertificateStructure
>>>> [PDFBOX-3932] - Image with predictor 15 not rendered correctly
>>>> [PDFBOX-3934] - Page missing
>>>> [PDFBOX-3935] - DataFormatException: invalid stored block lengths
>>>> [PDFBOX-3936] - IllegalArgumentException: root cannot be null with truncated
>>>> file (2)
>>>> [PDFBOX-3937] - NPE in PDCIDFontType2 constructor
>>>> [PDFBOX-3940] - Lost metadata in 2.0.8-SNAPSHOT
>>>> [PDFBOX-3942] - ClassCastException in getOptionalContentGroups
>>>> [PDFBOX-3943] - /Helv entry in /DR not created if /DR exists
>>>> [PDFBOX-3946] - NPE in PDActionURI.getURI() if URI doesn't exist
>>>> [PDFBOX-3947] - ArrayIndexOutOfBoundsException in bfSearchForObjStreams
>>>> [PDFBOX-3948] - NumberFormatException in bfSearchForObjStreams
>>>> [PDFBOX-3949] - NPE in bfSearchForObjStreams
>>>> [PDFBOX-3950] - NPE in PageIterator.enqueueKids
>>>> [PDFBOX-3955] - new -- very slow processing on truncated PDF
>>>> [PDFBOX-3957] - Pages lost
>>>> [PDFBOX-3958] - UTF-16 (BE) URI improperly decoded
>>>> [PDFBOX-3959] - DataFormatException: invalid code lengths set with truncated file
>>>> [PDFBOX-3963] - ClassCastException in PDCIDFont.readVerticalDisplacements()
>>>> [PDFBOX-3965] - Truetype Font glyphs not rendered
>>>> [PDFBOX-3967] - IllegalArgumentException: Illegal Capacity: -1
>>>> [PDFBOX-3969] - Splitting starts counting for cutting out pages wrongly
>>>> [PDFBOX-3972] - Incorrect page after merge for OpenAction with GoTo page destination
>>>> [PDFBOX-3976] - NPE in bfSearchForTrailer
>>>> [PDFBOX-3977] - /Info dictionary no longer available
>>>> [PDFBOX-3978] - IllegalStateException on saveIncrementalForExternalSigning
>>>> [PDFBOX-3979] - NullPointerException on
>>>> Type1Parser.readCharStrings(Type1Parser.java:713)
>>>>
>>>> Improvement
>>>>
>>>> [PDFBOX-3878] - Improve and refactor RemoveAllText example
>>>> [PDFBOX-3890] - The operator Tz is not available when creating new PDF using
>>>> PDPageContentStream
>>>> [PDFBOX-3897] - Avoid sRGB self-conversions
>>>> [PDFBOX-3900] - Optimize PDSeparation for shadings
>>>> [PDFBOX-3911] - Handle new line characters in single line text fields
>>>> [PDFBOX-3920] - CIDSet should be PDF/A-2b compatible
>>>> [PDFBOX-3927] - Support optional content in annotations
>>>> [PDFBOX-3944] - ERROR "Can't read embedded ICC profile" is too scary
>>>> [PDFBOX-3971] - Add Certificate Dictionary to seed value in signature field
>>>> [PDFBOX-3982] - [Patch/RFC] Set maximum compression level on FlateFilter
>>>> [PDFBOX-3983] - [Patch] Don't a allow a miter limit <= 0
>>>>
>>>> Task
>>>>
>>>> [PDFBOX-3584] - Build and test PDFBox with JDK9
>>>> [PDFBOX-3873] - Fix text comparison in PDFontTest
>>>> [PDFBOX-3938] - Add test from PDFBOX-2079 to 2.0 and trunk
>>>> [PDFBOX-3974] - Add more parsing regression tests
>>>>
>>>> Release Contents
>>>> ----------------
>>>>
>>>> This release consists of a single source archive packaged as a zip file.
>>>> The archive can be unpacked with the jar tool from your JDK installation.
>>>> See the README.txt file for instructions on how to build this release.
>>>>
>>>> The source archive is accompanied by SHA1 and MD5 checksums and a PGP
>>>> signature that you can use to verify the authenticity of your download.
>>>> The public key used for the PGP signature can be found at
>>>> https://svn.apache.org/repos/asf/pdfbox/KEYS.
>>>>
>>>> About Apache PDFBox
>>>> -------------------
>>>>
>>>> Apache PDFBox is an open source Java library for working with PDF documents.
>>>> This project allows creation of new PDF documents, manipulation of existing
>>>> documents and the ability to extract content from documents. Apache PDFBox
>>>> also includes several command line utilities. Apache PDFBox is published
>>>> under the Apache License, Version 2.0.
>>>>
>>>> For more information, visit http://pdfbox.apache.org/
>>>>
>>>> About The Apache Software Foundation
>>>> ------------------------------------
>>>>
>>>> Established in 1999, The Apache Software Foundation provides organizational,
>>>> legal, and financial support for more than 100 freely-available,
>>>> collaboratively-developed Open Source projects. The pragmatic Apache License
>>>> enables individual and commercial users to easily deploy Apache software;
>>>> the Foundation's intellectual property framework limits the legal exposure
>>>> of its 2,500+ contributors.
>>>>
>>>> For more information, visit http://www.apache.org/
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
>>>> For additional commands, e-mail: users-help@pdfbox.apache.org
>>>>
>>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
>>> For additional commands, e-mail: users-help@pdfbox.apache.org
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
>> For additional commands, e-mail: users-help@pdfbox.apache.org
>>
>>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
> For additional commands, e-mail: users-help@pdfbox.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
For additional commands, e-mail: users-help@pdfbox.apache.org
Re: [ANNOUNCE] Apache PDFBox 2.0.8 released
Posted by "davidedillard@gmail.com" <da...@gmail.com>.
Hi,
A vulnerability is anything that an attacker could do that affects the confidentiality, integrity or availability of the application, commonly known as CIA (see https://en.wikipedia.org/wiki/Information_security#Key_concepts).
An infinite loop is a denial of service (affecting availability) as the thread is looping instead of returning and being responsive. Here's one example: https://nvd.nist.gov/vuln/detail/CVE-2016-4008 Just google "cve infinite loop" and you'll see many others. Similarly, crashes caused by attacker provided input are a denial of service as well (keep in mind that an attacker can be a legitimate user).
A CNA is a CVE numbering authority, they are authorized to manage the publication of CVEs into a centralized database of vulnerabilities (CVEs are a way of uniquely identifying vulnerabilities). See https://cve.mitre.org/cve/request_id.html#cna_coverage and https://www.apache.org/security/
Regards,
David
On 2017-11-03 14:59, Tilman Hausherr <TH...@t-online.de> wrote:
> Am 03.11.2017 um 18:28 schrieb davidedillard@gmail.com:
> > Hi,
> >
> > At least three of these issues appear to be vulnerabilities (probably more), any chance of getting CVEs assigned to them? Apache is a CNA now so I'd think it wouldn't be too much trouble.
> >
> > The issues I see as being vulnerabilities are PDFBOX-3919, PDFBOX-3949 and PDFBOX-3976.
>
> What's your definition of "vulnerability"? The first is an endless loop,
> the other two are NPEs. And what is a "CNA"?
>
> Tilman
>
>
> >
> >
> > Thanks,
> >
> > David
> >
> >
> > On 2017-11-03 02:19, Andreas Lehmkuehler <an...@lehmi.de> wrote:
> >> The Apache PDFBox community is pleased to announce the release of
> >> Apache PDFBox version 2.0.8. The release is available for download at:
> >>
> >> http://pdfbox.apache.org/download.cgi
> >>
> >> See the full release notes below for details about this release.
> >>
> >> Release Notes -- Apache PDFBox -- Version 2.0.8
> >>
> >> Introduction
> >> ------------
> >>
> >> The Apache PDFBox library is an open source Java tool for working with PDF
> >> documents.
> >>
> >> This is an incremental bugfix release based on the earlier 2.0.7 release. It
> >> contains
> >> a couple of fixes and small improvements.
> >>
> >> For more details on these changes and all the other fixes and improvements
> >> included in this release, please refer to the following issues on the
> >> PDFBox issue tracker at https://issues.apache.org/jira/browse/PDFBOX.
> >>
> >> Bug
> >>
> >> [PDFBOX-3424] - Regression from 1.8.10: IOException: XREF for 171:0 points to
> >> wrong object: 173:0
> >> [PDFBOX-3639] - FDF does not parse: Missing root object specification in trailer.
> >> [PDFBOX-3874] - /Fontinfo instead of /FontInfo in type 1 font
> >> [PDFBOX-3881] - Handling of Byte Order Mark with Metadata-Fields
> >> [PDFBOX-3884] - GlyphList registers "wrong" Adobe name for "U+02DC SMALL TILDE"
> >> [PDFBOX-3887] - Getting a "DataFormatException: invalid distance too far back"
> >> exception for the attached file
> >> [PDFBOX-3894] - NPE on org.apache.pdfbox.pdmodel.PDPageTree.isPageTreeNode
> >> [PDFBOX-3896] - UnsupportedOperationException
> >> [PDFBOX-3898] - AcroFields' PDTextField (and others?) can have kids
> >> [PDFBOX-3909] - End of inline image not detected
> >> [PDFBOX-3913] - Japanese URI improperly decoded
> >> [PDFBOX-3914] - LayerUtility ignores OCProperties on import
> >> [PDFBOX-3916] - NPE on org.apache.pdfbox.pdmodel.font.PDType0Font.readEncoding
> >> [PDFBOX-3919] - Infinite loop while parsing (2)
> >> [PDFBOX-3923] - Expected a long type at offset 52152, instead got 'xref'
> >> [PDFBOX-3925] - QUADDING constants no longer public
> >> [PDFBOX-3928] - IllegalArgumentException: root cannot be null with truncated file
> >> [PDFBOX-3929] - Border style dictionary width ignored by Adobe Reader when float
> >> [PDFBOX-3930] - replace deprecated TBSCertificateStructure
> >> [PDFBOX-3932] - Image with predictor 15 not rendered correctly
> >> [PDFBOX-3934] - Page missing
> >> [PDFBOX-3935] - DataFormatException: invalid stored block lengths
> >> [PDFBOX-3936] - IllegalArgumentException: root cannot be null with truncated
> >> file (2)
> >> [PDFBOX-3937] - NPE in PDCIDFontType2 constructor
> >> [PDFBOX-3940] - Lost metadata in 2.0.8-SNAPSHOT
> >> [PDFBOX-3942] - ClassCastException in getOptionalContentGroups
> >> [PDFBOX-3943] - /Helv entry in /DR not created if /DR exists
> >> [PDFBOX-3946] - NPE in PDActionURI.getURI() if URI doesn't exist
> >> [PDFBOX-3947] - ArrayIndexOutOfBoundsException in bfSearchForObjStreams
> >> [PDFBOX-3948] - NumberFormatException in bfSearchForObjStreams
> >> [PDFBOX-3949] - NPE in bfSearchForObjStreams
> >> [PDFBOX-3950] - NPE in PageIterator.enqueueKids
> >> [PDFBOX-3955] - new -- very slow processing on truncated PDF
> >> [PDFBOX-3957] - Pages lost
> >> [PDFBOX-3958] - UTF-16 (BE) URI improperly decoded
> >> [PDFBOX-3959] - DataFormatException: invalid code lengths set with truncated file
> >> [PDFBOX-3963] - ClassCastException in PDCIDFont.readVerticalDisplacements()
> >> [PDFBOX-3965] - Truetype Font glyphs not rendered
> >> [PDFBOX-3967] - IllegalArgumentException: Illegal Capacity: -1
> >> [PDFBOX-3969] - Splitting starts counting for cutting out pages wrongly
> >> [PDFBOX-3972] - Incorrect page after merge for OpenAction with GoTo page destination
> >> [PDFBOX-3976] - NPE in bfSearchForTrailer
> >> [PDFBOX-3977] - /Info dictionary no longer available
> >> [PDFBOX-3978] - IllegalStateException on saveIncrementalForExternalSigning
> >> [PDFBOX-3979] - NullPointerException on
> >> Type1Parser.readCharStrings(Type1Parser.java:713)
> >>
> >> Improvement
> >>
> >> [PDFBOX-3878] - Improve and refactor RemoveAllText example
> >> [PDFBOX-3890] - The operator Tz is not available when creating new PDF using
> >> PDPageContentStream
> >> [PDFBOX-3897] - Avoid sRGB self-conversions
> >> [PDFBOX-3900] - Optimize PDSeparation for shadings
> >> [PDFBOX-3911] - Handle new line characters in single line text fields
> >> [PDFBOX-3920] - CIDSet should be PDF/A-2b compatible
> >> [PDFBOX-3927] - Support optional content in annotations
> >> [PDFBOX-3944] - ERROR "Can't read embedded ICC profile" is too scary
> >> [PDFBOX-3971] - Add Certificate Dictionary to seed value in signature field
> >> [PDFBOX-3982] - [Patch/RFC] Set maximum compression level on FlateFilter
> >> [PDFBOX-3983] - [Patch] Don't a allow a miter limit <= 0
> >>
> >> Task
> >>
> >> [PDFBOX-3584] - Build and test PDFBox with JDK9
> >> [PDFBOX-3873] - Fix text comparison in PDFontTest
> >> [PDFBOX-3938] - Add test from PDFBOX-2079 to 2.0 and trunk
> >> [PDFBOX-3974] - Add more parsing regression tests
> >>
> >> Release Contents
> >> ----------------
> >>
> >> This release consists of a single source archive packaged as a zip file.
> >> The archive can be unpacked with the jar tool from your JDK installation.
> >> See the README.txt file for instructions on how to build this release.
> >>
> >> The source archive is accompanied by SHA1 and MD5 checksums and a PGP
> >> signature that you can use to verify the authenticity of your download.
> >> The public key used for the PGP signature can be found at
> >> https://svn.apache.org/repos/asf/pdfbox/KEYS.
> >>
> >> About Apache PDFBox
> >> -------------------
> >>
> >> Apache PDFBox is an open source Java library for working with PDF documents.
> >> This project allows creation of new PDF documents, manipulation of existing
> >> documents and the ability to extract content from documents. Apache PDFBox
> >> also includes several command line utilities. Apache PDFBox is published
> >> under the Apache License, Version 2.0.
> >>
> >> For more information, visit http://pdfbox.apache.org/
> >>
> >> About The Apache Software Foundation
> >> ------------------------------------
> >>
> >> Established in 1999, The Apache Software Foundation provides organizational,
> >> legal, and financial support for more than 100 freely-available,
> >> collaboratively-developed Open Source projects. The pragmatic Apache License
> >> enables individual and commercial users to easily deploy Apache software;
> >> the Foundation's intellectual property framework limits the legal exposure
> >> of its 2,500+ contributors.
> >>
> >> For more information, visit http://www.apache.org/
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
> >> For additional commands, e-mail: users-help@pdfbox.apache.org
> >>
> >>
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
> > For additional commands, e-mail: users-help@pdfbox.apache.org
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
> For additional commands, e-mail: users-help@pdfbox.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
For additional commands, e-mail: users-help@pdfbox.apache.org
Re: [ANNOUNCE] Apache PDFBox 2.0.8 released
Posted by Tilman Hausherr <TH...@t-online.de>.
Am 03.11.2017 um 18:28 schrieb davidedillard@gmail.com:
> Hi,
>
> At least three of these issues appear to be vulnerabilities (probably more), any chance of getting CVEs assigned to them? Apache is a CNA now so I'd think it wouldn't be too much trouble.
>
> The issues I see as being vulnerabilities are PDFBOX-3919, PDFBOX-3949 and PDFBOX-3976.
What's your definition of "vulnerability"? The first is an endless loop,
the other two are NPEs. And what is a "CNA"?
Tilman
>
>
> Thanks,
>
> David
>
>
> On 2017-11-03 02:19, Andreas Lehmkuehler <an...@lehmi.de> wrote:
>> The Apache PDFBox community is pleased to announce the release of
>> Apache PDFBox version 2.0.8. The release is available for download at:
>>
>> http://pdfbox.apache.org/download.cgi
>>
>> See the full release notes below for details about this release.
>>
>> Release Notes -- Apache PDFBox -- Version 2.0.8
>>
>> Introduction
>> ------------
>>
>> The Apache PDFBox library is an open source Java tool for working with PDF
>> documents.
>>
>> This is an incremental bugfix release based on the earlier 2.0.7 release. It
>> contains
>> a couple of fixes and small improvements.
>>
>> For more details on these changes and all the other fixes and improvements
>> included in this release, please refer to the following issues on the
>> PDFBox issue tracker at https://issues.apache.org/jira/browse/PDFBOX.
>>
>> Bug
>>
>> [PDFBOX-3424] - Regression from 1.8.10: IOException: XREF for 171:0 points to
>> wrong object: 173:0
>> [PDFBOX-3639] - FDF does not parse: Missing root object specification in trailer.
>> [PDFBOX-3874] - /Fontinfo instead of /FontInfo in type 1 font
>> [PDFBOX-3881] - Handling of Byte Order Mark with Metadata-Fields
>> [PDFBOX-3884] - GlyphList registers "wrong" Adobe name for "U+02DC SMALL TILDE"
>> [PDFBOX-3887] - Getting a "DataFormatException: invalid distance too far back"
>> exception for the attached file
>> [PDFBOX-3894] - NPE on org.apache.pdfbox.pdmodel.PDPageTree.isPageTreeNode
>> [PDFBOX-3896] - UnsupportedOperationException
>> [PDFBOX-3898] - AcroFields' PDTextField (and others?) can have kids
>> [PDFBOX-3909] - End of inline image not detected
>> [PDFBOX-3913] - Japanese URI improperly decoded
>> [PDFBOX-3914] - LayerUtility ignores OCProperties on import
>> [PDFBOX-3916] - NPE on org.apache.pdfbox.pdmodel.font.PDType0Font.readEncoding
>> [PDFBOX-3919] - Infinite loop while parsing (2)
>> [PDFBOX-3923] - Expected a long type at offset 52152, instead got 'xref'
>> [PDFBOX-3925] - QUADDING constants no longer public
>> [PDFBOX-3928] - IllegalArgumentException: root cannot be null with truncated file
>> [PDFBOX-3929] - Border style dictionary width ignored by Adobe Reader when float
>> [PDFBOX-3930] - replace deprecated TBSCertificateStructure
>> [PDFBOX-3932] - Image with predictor 15 not rendered correctly
>> [PDFBOX-3934] - Page missing
>> [PDFBOX-3935] - DataFormatException: invalid stored block lengths
>> [PDFBOX-3936] - IllegalArgumentException: root cannot be null with truncated
>> file (2)
>> [PDFBOX-3937] - NPE in PDCIDFontType2 constructor
>> [PDFBOX-3940] - Lost metadata in 2.0.8-SNAPSHOT
>> [PDFBOX-3942] - ClassCastException in getOptionalContentGroups
>> [PDFBOX-3943] - /Helv entry in /DR not created if /DR exists
>> [PDFBOX-3946] - NPE in PDActionURI.getURI() if URI doesn't exist
>> [PDFBOX-3947] - ArrayIndexOutOfBoundsException in bfSearchForObjStreams
>> [PDFBOX-3948] - NumberFormatException in bfSearchForObjStreams
>> [PDFBOX-3949] - NPE in bfSearchForObjStreams
>> [PDFBOX-3950] - NPE in PageIterator.enqueueKids
>> [PDFBOX-3955] - new -- very slow processing on truncated PDF
>> [PDFBOX-3957] - Pages lost
>> [PDFBOX-3958] - UTF-16 (BE) URI improperly decoded
>> [PDFBOX-3959] - DataFormatException: invalid code lengths set with truncated file
>> [PDFBOX-3963] - ClassCastException in PDCIDFont.readVerticalDisplacements()
>> [PDFBOX-3965] - Truetype Font glyphs not rendered
>> [PDFBOX-3967] - IllegalArgumentException: Illegal Capacity: -1
>> [PDFBOX-3969] - Splitting starts counting for cutting out pages wrongly
>> [PDFBOX-3972] - Incorrect page after merge for OpenAction with GoTo page destination
>> [PDFBOX-3976] - NPE in bfSearchForTrailer
>> [PDFBOX-3977] - /Info dictionary no longer available
>> [PDFBOX-3978] - IllegalStateException on saveIncrementalForExternalSigning
>> [PDFBOX-3979] - NullPointerException on
>> Type1Parser.readCharStrings(Type1Parser.java:713)
>>
>> Improvement
>>
>> [PDFBOX-3878] - Improve and refactor RemoveAllText example
>> [PDFBOX-3890] - The operator Tz is not available when creating new PDF using
>> PDPageContentStream
>> [PDFBOX-3897] - Avoid sRGB self-conversions
>> [PDFBOX-3900] - Optimize PDSeparation for shadings
>> [PDFBOX-3911] - Handle new line characters in single line text fields
>> [PDFBOX-3920] - CIDSet should be PDF/A-2b compatible
>> [PDFBOX-3927] - Support optional content in annotations
>> [PDFBOX-3944] - ERROR "Can't read embedded ICC profile" is too scary
>> [PDFBOX-3971] - Add Certificate Dictionary to seed value in signature field
>> [PDFBOX-3982] - [Patch/RFC] Set maximum compression level on FlateFilter
>> [PDFBOX-3983] - [Patch] Don't a allow a miter limit <= 0
>>
>> Task
>>
>> [PDFBOX-3584] - Build and test PDFBox with JDK9
>> [PDFBOX-3873] - Fix text comparison in PDFontTest
>> [PDFBOX-3938] - Add test from PDFBOX-2079 to 2.0 and trunk
>> [PDFBOX-3974] - Add more parsing regression tests
>>
>> Release Contents
>> ----------------
>>
>> This release consists of a single source archive packaged as a zip file.
>> The archive can be unpacked with the jar tool from your JDK installation.
>> See the README.txt file for instructions on how to build this release.
>>
>> The source archive is accompanied by SHA1 and MD5 checksums and a PGP
>> signature that you can use to verify the authenticity of your download.
>> The public key used for the PGP signature can be found at
>> https://svn.apache.org/repos/asf/pdfbox/KEYS.
>>
>> About Apache PDFBox
>> -------------------
>>
>> Apache PDFBox is an open source Java library for working with PDF documents.
>> This project allows creation of new PDF documents, manipulation of existing
>> documents and the ability to extract content from documents. Apache PDFBox
>> also includes several command line utilities. Apache PDFBox is published
>> under the Apache License, Version 2.0.
>>
>> For more information, visit http://pdfbox.apache.org/
>>
>> About The Apache Software Foundation
>> ------------------------------------
>>
>> Established in 1999, The Apache Software Foundation provides organizational,
>> legal, and financial support for more than 100 freely-available,
>> collaboratively-developed Open Source projects. The pragmatic Apache License
>> enables individual and commercial users to easily deploy Apache software;
>> the Foundation's intellectual property framework limits the legal exposure
>> of its 2,500+ contributors.
>>
>> For more information, visit http://www.apache.org/
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
>> For additional commands, e-mail: users-help@pdfbox.apache.org
>>
>>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
> For additional commands, e-mail: users-help@pdfbox.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
For additional commands, e-mail: users-help@pdfbox.apache.org
Re: [ANNOUNCE] Apache PDFBox 2.0.8 released
Posted by "davidedillard@gmail.com" <da...@gmail.com>.
Hi,
At least three of these issues appear to be vulnerabilities (probably more), any chance of getting CVEs assigned to them? Apache is a CNA now so I'd think it wouldn't be too much trouble.
The issues I see as being vulnerabilities are PDFBOX-3919, PDFBOX-3949 and PDFBOX-3976.
Thanks,
David
On 2017-11-03 02:19, Andreas Lehmkuehler <an...@lehmi.de> wrote:
> The Apache PDFBox community is pleased to announce the release of
> Apache PDFBox version 2.0.8. The release is available for download at:
>
> http://pdfbox.apache.org/download.cgi
>
> See the full release notes below for details about this release.
>
> Release Notes -- Apache PDFBox -- Version 2.0.8
>
> Introduction
> ------------
>
> The Apache PDFBox library is an open source Java tool for working with PDF
> documents.
>
> This is an incremental bugfix release based on the earlier 2.0.7 release. It
> contains
> a couple of fixes and small improvements.
>
> For more details on these changes and all the other fixes and improvements
> included in this release, please refer to the following issues on the
> PDFBox issue tracker at https://issues.apache.org/jira/browse/PDFBOX.
>
> Bug
>
> [PDFBOX-3424] - Regression from 1.8.10: IOException: XREF for 171:0 points to
> wrong object: 173:0
> [PDFBOX-3639] - FDF does not parse: Missing root object specification in trailer.
> [PDFBOX-3874] - /Fontinfo instead of /FontInfo in type 1 font
> [PDFBOX-3881] - Handling of Byte Order Mark with Metadata-Fields
> [PDFBOX-3884] - GlyphList registers "wrong" Adobe name for "U+02DC SMALL TILDE"
> [PDFBOX-3887] - Getting a "DataFormatException: invalid distance too far back"
> exception for the attached file
> [PDFBOX-3894] - NPE on org.apache.pdfbox.pdmodel.PDPageTree.isPageTreeNode
> [PDFBOX-3896] - UnsupportedOperationException
> [PDFBOX-3898] - AcroFields' PDTextField (and others?) can have kids
> [PDFBOX-3909] - End of inline image not detected
> [PDFBOX-3913] - Japanese URI improperly decoded
> [PDFBOX-3914] - LayerUtility ignores OCProperties on import
> [PDFBOX-3916] - NPE on org.apache.pdfbox.pdmodel.font.PDType0Font.readEncoding
> [PDFBOX-3919] - Infinite loop while parsing (2)
> [PDFBOX-3923] - Expected a long type at offset 52152, instead got 'xref'
> [PDFBOX-3925] - QUADDING constants no longer public
> [PDFBOX-3928] - IllegalArgumentException: root cannot be null with truncated file
> [PDFBOX-3929] - Border style dictionary width ignored by Adobe Reader when float
> [PDFBOX-3930] - replace deprecated TBSCertificateStructure
> [PDFBOX-3932] - Image with predictor 15 not rendered correctly
> [PDFBOX-3934] - Page missing
> [PDFBOX-3935] - DataFormatException: invalid stored block lengths
> [PDFBOX-3936] - IllegalArgumentException: root cannot be null with truncated
> file (2)
> [PDFBOX-3937] - NPE in PDCIDFontType2 constructor
> [PDFBOX-3940] - Lost metadata in 2.0.8-SNAPSHOT
> [PDFBOX-3942] - ClassCastException in getOptionalContentGroups
> [PDFBOX-3943] - /Helv entry in /DR not created if /DR exists
> [PDFBOX-3946] - NPE in PDActionURI.getURI() if URI doesn't exist
> [PDFBOX-3947] - ArrayIndexOutOfBoundsException in bfSearchForObjStreams
> [PDFBOX-3948] - NumberFormatException in bfSearchForObjStreams
> [PDFBOX-3949] - NPE in bfSearchForObjStreams
> [PDFBOX-3950] - NPE in PageIterator.enqueueKids
> [PDFBOX-3955] - new -- very slow processing on truncated PDF
> [PDFBOX-3957] - Pages lost
> [PDFBOX-3958] - UTF-16 (BE) URI improperly decoded
> [PDFBOX-3959] - DataFormatException: invalid code lengths set with truncated file
> [PDFBOX-3963] - ClassCastException in PDCIDFont.readVerticalDisplacements()
> [PDFBOX-3965] - Truetype Font glyphs not rendered
> [PDFBOX-3967] - IllegalArgumentException: Illegal Capacity: -1
> [PDFBOX-3969] - Splitting starts counting for cutting out pages wrongly
> [PDFBOX-3972] - Incorrect page after merge for OpenAction with GoTo page destination
> [PDFBOX-3976] - NPE in bfSearchForTrailer
> [PDFBOX-3977] - /Info dictionary no longer available
> [PDFBOX-3978] - IllegalStateException on saveIncrementalForExternalSigning
> [PDFBOX-3979] - NullPointerException on
> Type1Parser.readCharStrings(Type1Parser.java:713)
>
> Improvement
>
> [PDFBOX-3878] - Improve and refactor RemoveAllText example
> [PDFBOX-3890] - The operator Tz is not available when creating new PDF using
> PDPageContentStream
> [PDFBOX-3897] - Avoid sRGB self-conversions
> [PDFBOX-3900] - Optimize PDSeparation for shadings
> [PDFBOX-3911] - Handle new line characters in single line text fields
> [PDFBOX-3920] - CIDSet should be PDF/A-2b compatible
> [PDFBOX-3927] - Support optional content in annotations
> [PDFBOX-3944] - ERROR "Can't read embedded ICC profile" is too scary
> [PDFBOX-3971] - Add Certificate Dictionary to seed value in signature field
> [PDFBOX-3982] - [Patch/RFC] Set maximum compression level on FlateFilter
> [PDFBOX-3983] - [Patch] Don't a allow a miter limit <= 0
>
> Task
>
> [PDFBOX-3584] - Build and test PDFBox with JDK9
> [PDFBOX-3873] - Fix text comparison in PDFontTest
> [PDFBOX-3938] - Add test from PDFBOX-2079 to 2.0 and trunk
> [PDFBOX-3974] - Add more parsing regression tests
>
> Release Contents
> ----------------
>
> This release consists of a single source archive packaged as a zip file.
> The archive can be unpacked with the jar tool from your JDK installation.
> See the README.txt file for instructions on how to build this release.
>
> The source archive is accompanied by SHA1 and MD5 checksums and a PGP
> signature that you can use to verify the authenticity of your download.
> The public key used for the PGP signature can be found at
> https://svn.apache.org/repos/asf/pdfbox/KEYS.
>
> About Apache PDFBox
> -------------------
>
> Apache PDFBox is an open source Java library for working with PDF documents.
> This project allows creation of new PDF documents, manipulation of existing
> documents and the ability to extract content from documents. Apache PDFBox
> also includes several command line utilities. Apache PDFBox is published
> under the Apache License, Version 2.0.
>
> For more information, visit http://pdfbox.apache.org/
>
> About The Apache Software Foundation
> ------------------------------------
>
> Established in 1999, The Apache Software Foundation provides organizational,
> legal, and financial support for more than 100 freely-available,
> collaboratively-developed Open Source projects. The pragmatic Apache License
> enables individual and commercial users to easily deploy Apache software;
> the Foundation's intellectual property framework limits the legal exposure
> of its 2,500+ contributors.
>
> For more information, visit http://www.apache.org/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
> For additional commands, e-mail: users-help@pdfbox.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
For additional commands, e-mail: users-help@pdfbox.apache.org