Tony Mancill pushed to branch master at Debian Java Maintainers / libitext5-java
Commits: 8826f321 by tony mancill at 2023-12-22T20:40:33-08:00 Patch for infinite loop in PDF traversal CVE-2021-37819 (Closes: #1059320) - - - - - 73e22cea by tony mancill at 2023-12-22T20:44:31-08:00 Prepare changelog for upload - - - - - 3 changed files: - debian/changelog - + debian/patches/0011-CVE-2021-37819.patch - debian/patches/series Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,11 @@ +libitext5-java (5.5.13.3-4) unstable; urgency=medium + + * Team upload. + * Patch for infinite loop in PDF traversal (Closes: #1059320) + Addresses CVE-2021-37819 + + -- tony mancill <[email protected]> Fri, 22 Dec 2023 20:42:34 -0800 + libitext5-java (5.5.13.3-3) unstable; urgency=medium [ Andreas Tille ] ===================================== debian/patches/0011-CVE-2021-37819.patch ===================================== @@ -0,0 +1,19 @@ +Description: CVE-2021-37819 infinite loop during PDF page traversal +Origin: https://gitlab.com/pdftk-java/pdftk/-/merge_requests/21/commits +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059320 + +--- a/itext/src/main/java/com/itextpdf/text/pdf/PdfReader.java ++++ b/itext/src/main/java/com/itextpdf/text/pdf/PdfReader.java +@@ -3991,6 +3991,12 @@ + kidsPR.remove(k); + break; + } ++ int rpageObjectNumber = rpage.getNumber(); ++ PRIndirectReference kidObjIndirectRef = (PRIndirectReference)obj; ++ int kidObjectNumber = kidObjIndirectRef.getNumber(); ++ if (rpageObjectNumber == kidObjectNumber) { ++ throw new InvalidPdfException("Invalid reference on Kids: " + kidObjectNumber); ++ } + iteratePages((PRIndirectReference)obj); + } + popPageAttributes(); ===================================== debian/patches/series ===================================== 
@@ -6,3 +6,4 @@ skip_test_requiring_xserver.patch 0008-Update-CompareToolTests.patch 0009-Fix-OUTFOLDER-so-it-s-separated-from-the-fileName.patch 0010-bouncycastle-177.patch +0011-CVE-2021-37819.patch View it on GitLab: https://salsa.debian.org/java-team/libitext5-java/-/compare/65b04cb718b7594874148e870c96cb2f50d02b99...73e22cea2742f51cc65fbf6c6e942b37f5d37170
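Review bot: In the PdfReader.java hunk of 0011-CVE-2021-37819.patch, the added check compares only rpage.getNumber() with the kid's object number, so it rejects a Kids entry that points straight back at the node being iterated but not a cycle that passes through two or more page tree nodes (A lists B, B lists A); that case still reaches iteratePages((PRIndirectReference)obj). Consider keeping the object numbers already on the traversal path in a set and throwing InvalidPdfException when a kid's number is already in it. The comparison also ignores the generation number of the reference, which is worth a short comment if intentional. Separately, the Origin: field in the patch header points at the merge request's commit listing rather than a single commit, and there is no Forwarded: field recording whether the change was sent to iText upstream.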
_______________________________________________ pkg-java-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-commits

