Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependency org.apache.pdfbox:pdfbox, leading to CVE problem #241

Closed
CVEDetect opened this issue Aug 30, 2021 · 3 comments
Closed

Dependency org.apache.pdfbox:pdfbox, leading to CVE problem #241

CVEDetect opened this issue Aug 30, 2021 · 3 comments
Milestone
1.7.0

Comments

@CVEDetect
Copy link

Hi, In boxable,there is a dependency org.apache.pdfbox:pdfbox:2.0.21 that calls the risk method.

CVE-2021-27807

The scope of this CVE affected version is [2.0.0,2.0.23)

After further analysis, in this project, the main Api called is <org.apache.pdfbox.io.RandomAccessBuffer: int read(byte[],int,int)>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 8

<org.apache.pdfbox.io.RandomAccessBuffer: int read(byte[],int,int)>
at <org.apache.pdfbox.pdmodel.graphics.image.CCITTFactory: void extractFromTiff(org.apache.pdfbox.io.RandomAccess,java.io.OutputStream,org.apache.pdfbox.cos.COSDictionary,int)> (org.apache.pdfbox.pdmodel.graphics.image.CCITTFactory.java:[493]) in /.m2/repository/org/apache/pdfbox/pdfbox/2.0.21/pdfbox-2.0.21.jar
at <org.apache.pdfbox.pdmodel.graphics.image.CCITTFactory: org.apache.pdfbox.pdmodel.graphics.image.PDImageXObject createFromRandomAccessImpl(org.apache.pdfbox.pdmodel.PDDocument,org.apache.pdfbox.io.RandomAccess,int)> (org.apache.pdfbox.pdmodel.graphics.image.CCITTFactory.java:[261]) in /.m2/repository/org/apache/pdfbox/pdfbox/2.0.21/pdfbox-2.0.21.jar
at <org.apache.pdfbox.pdmodel.graphics.image.CCITTFactory: org.apache.pdfbox.pdmodel.graphics.image.PDImageXObject createFromFile(org.apache.pdfbox.pdmodel.PDDocument,java.io.File,int)> (org.apache.pdfbox.pdmodel.graphics.image.CCITTFactory.java:[237]) in /.m2/repository/org/apache/pdfbox/pdfbox/2.0.21/pdfbox-2.0.21.jar
at <org.apache.pdfbox.pdmodel.graphics.image.CCITTFactory: org.apache.pdfbox.pdmodel.graphics.image.PDImageXObject createFromFile(org.apache.pdfbox.pdmodel.PDDocument,java.io.File)> (org.apache.pdfbox.pdmodel.graphics.image.CCITTFactory.java:[214]) in /.m2/repository/org/apache/pdfbox/pdfbox/2.0.21/pdfbox-2.0.21.jar
at <org.apache.pdfbox.pdmodel.graphics.image.PDImageXObject: org.apache.pdfbox.pdmodel.graphics.image.PDImageXObject createFromFileByExtension(java.io.File,org.apache.pdfbox.pdmodel.PDDocument)> (org.apache.pdfbox.pdmodel.graphics.image.PDImageXObject.java:[250]) in /.m2/repository/org/apache/pdfbox/pdfbox/2.0.21/pdfbox-2.0.21.jar
at <org.apache.pdfbox.pdmodel.graphics.image.PDImageXObject: org.apache.pdfbox.pdmodel.graphics.image.PDImageXObject createFromFile(java.lang.String,org.apache.pdfbox.pdmodel.PDDocument)> (org.apache.pdfbox.pdmodel.graphics.image.PDImageXObject.java:[202]) in /.m2/repository/org/apache/pdfbox/pdfbox/2.0.21/pdfbox-2.0.21.jar
at <be.quodlibet.boxable.AbstractPageTemplate: org.apache.pdfbox.pdmodel.graphics.image.PDImage loadPicture(java.lang.String)> (be.quodlibet.boxable.AbstractPageTemplate.java:[28]) in /detect/unzip/boxable-1.6/target/classes

Another risk method is <org.apache.pdfbox.io.RandomAccessBuffer: int readRemainingBytes(byte[],int,int)>

CVE Bug Invocation Path--

Path Length : 9

<org.apache.pdfbox.io.RandomAccessBuffer: int readRemainingBytes(byte[],int,int)>
at <org.apache.pdfbox.io.RandomAccessBuffer: int read(byte[],int,int)> (org.apache.pdfbox.io.RandomAccessBuffer.java:[248, 251]) in /.m2/repository/org/apache/pdfbox/pdfbox/2.0.21/pdfbox-2.0.21.jar
at <org.apache.pdfbox.pdmodel.graphics.image.CCITTFactory: void extractFromTiff(org.apache.pdfbox.io.RandomAccess,java.io.OutputStream,org.apache.pdfbox.cos.COSDictionary,int)> (org.apache.pdfbox.pdmodel.graphics.image.CCITTFactory.java:[493]) in /.m2/repository/org/apache/pdfbox/pdfbox/2.0.21/pdfbox-2.0.21.jar
at <org.apache.pdfbox.pdmodel.graphics.image.CCITTFactory: org.apache.pdfbox.pdmodel.graphics.image.PDImageXObject createFromRandomAccessImpl(org.apache.pdfbox.pdmodel.PDDocument,org.apache.pdfbox.io.RandomAccess,int)> (org.apache.pdfbox.pdmodel.graphics.image.CCITTFactory.java:[261]) in /.m2/repository/org/apache/pdfbox/pdfbox/2.0.21/pdfbox-2.0.21.jar
at <org.apache.pdfbox.pdmodel.graphics.image.CCITTFactory: org.apache.pdfbox.pdmodel.graphics.image.PDImageXObject createFromFile(org.apache.pdfbox.pdmodel.PDDocument,java.io.File,int)> (org.apache.pdfbox.pdmodel.graphics.image.CCITTFactory.java:[237]) in /.m2/repository/org/apache/pdfbox/pdfbox/2.0.21/pdfbox-2.0.21.jar
at <org.apache.pdfbox.pdmodel.graphics.image.CCITTFactory: org.apache.pdfbox.pdmodel.graphics.image.PDImageXObject createFromFile(org.apache.pdfbox.pdmodel.PDDocument,java.io.File)> (org.apache.pdfbox.pdmodel.graphics.image.CCITTFactory.java:[214]) in /.m2/repository/org/apache/pdfbox/pdfbox/2.0.21/pdfbox-2.0.21.jar
at <org.apache.pdfbox.pdmodel.graphics.image.PDImageXObject: org.apache.pdfbox.pdmodel.graphics.image.PDImageXObject createFromFileByExtension(java.io.File,org.apache.pdfbox.pdmodel.PDDocument)> (org.apache.pdfbox.pdmodel.graphics.image.PDImageXObject.java:[250]) in /.m2/repository/org/apache/pdfbox/pdfbox/2.0.21/pdfbox-2.0.21.jar
at <org.apache.pdfbox.pdmodel.graphics.image.PDImageXObject: org.apache.pdfbox.pdmodel.graphics.image.PDImageXObject createFromFile(java.lang.String,org.apache.pdfbox.pdmodel.PDDocument)> (org.apache.pdfbox.pdmodel.graphics.image.PDImageXObject.java:[202]) in /.m2/repository/org/apache/pdfbox/pdfbox/2.0.21/pdfbox-2.0.21.jar
at <be.quodlibet.boxable.AbstractPageTemplate: org.apache.pdfbox.pdmodel.graphics.image.PDImage loadPicture(java.lang.String)> (be.quodlibet.boxable.AbstractPageTemplate.java:[28]) in /detect/unzip/boxable-1.6/target/classes

Dependency tree--

[INFO] com.github.dhorions:boxable:jar:1.6
[INFO] +- org.apache.pdfbox:pdfbox:jar:2.0.21:compile
[INFO] |  +- org.apache.pdfbox:fontbox:jar:2.0.21:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.10:compile
[INFO] +- com.google.guava:guava:jar:29.0-android:compile
[INFO] |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- org.checkerframework:checker-compat-qual:jar:2.5.5:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.3.4:compile
[INFO] |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] +- org.apache.commons:commons-csv:jar:1.2:compile
[INFO] \- org.jsoup:jsoup:jar:1.9.2:compile

Suggested solutions:

Update dependency version

Thank you very much.
@CVEDetect
Copy link
Author

@dhorions
Could please help me check this issue?
May I pull a request to fix it?
Thanks again.

@johnmanko
Copy link
Collaborator

According to Apache:

CVE-2021-31811, CVE-2021-31812 OutOfMemory and infinite loop
2021-06-11

CVE-2021-31811: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file

CVE-2021-31812: A carefully crafted PDF file can trigger an infinite loop while loading the file

Versions Affected: Apache PDFBox <= 2.0.23

Mitigation: Upgrade to Apache PDFBox 2.0.24

johnmanko added a commit to johnmanko/boxable that referenced this issue Dec 11, 2021
@johnmanko
fix: dhorions#241
bebac89
This was referenced Dec 11, 2021
Closed
Open
johnmanko added a commit that referenced this issue Jun 5, 2022
@johnmanko
fix: #233, #236, #239, #241, #246 and update all other dependencies
943e453
@johnmanko
Copy link
Collaborator

Fixed with 943e453

@johnmanko johnmanko added this to the 1.7.0 milestone Jun 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.7.0
Development

No branches or pull requests
2 participants
@johnmanko @CVEDetect