
Bug#988753: unblock: libpdfbox2-java/2.0.23-1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libpdfbox2-java

[ Reason ]

This unblock request addresses these two CVEs in the libpdfbox2-java
package:

CVE-2021-27807: A carefully crafted PDF file can trigger an infinite loop while loading the file.
CVE-2021-27906: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file.

More context on the bug is available in [1].  I recognize that this is a
new upstream release.  When investigating the bug, I was unable to
isolate a targeted set of upstream commits to address only the CVE.
Thus I believe uploading a new upstream patch release is less risky than
attempting to identify and backport the code changes solely related to
the security vulnerabilities.

The Security Team also suggested the unblock request for bullseye [2].

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986006
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986006#24

[ Risks ]

I have reviewed the source diff and believe it to be suitable.  Most of
the changes in the point release are code-smithing:

- spelling errors
- eliminating 0 bit shifts
- adding try/catch blocks
- adding null checks (and also removing them when not needed)
- initializing lists with estimated sizes (performance improvement)
- whitespace and formatting
- examples (nearly 10% of the diff) and documentation

I am not aware of an alternative to libpdfbox2-java.  I believe pdfsam
is the most popular package in the reverse dependency graph.  The
following is from apt-cache rdepends ${pkg}:

libpdfbox2-java
Reverse Depends:
  libpdfbox2-java-doc
  libtika-java

libtika-java
Reverse Depends:
  libmetadata-extractor-java
  libvorbis-java
  libpantomime-clojure

libpantomime-clojure
Reverse Depends:
  puppetdb

libmetadata-extractor-java
Reverse Depends:
  libsejda-java
  libtika-java

libsejda-java
Reverse Depends:
  pdfsam


[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

My apologies for submitting a request with such a large diff.  Thank you
for considering the request.

Cheers,
tony

unblock libpdfbox2-java/2.0.23-1

Attachment: libpdfbox2-java_2.0.22-1_vs_2.0.23-1.dsc.debdiff.gz
Description: application/gzip

Attachment: libpdfbox2-java_2.0.22-1_vs_2.0.23-1_amd64.changes.debdiff.gz
Description: application/gzip

Attachment: signature.asc
Description: PGP signature
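
The reverse-dependency listing above was produced one package at a time, and it contains a cycle: libtika-java lists libmetadata-extractor-java, and libmetadata-extractor-java lists libtika-java back. Anyone scripting the same blast-radius check for a security unblock therefore needs a visited set, or the walk never terminates. The script below is an added example, not part of the bug report and not a Debian tool; its rdeps_of function is a constructed table copied from the listing in the message and stands in for a live apt-cache rdepends query. transitive_rdeps is the breadth-first closure over that table.

```shell
#!/bin/sh
# Transitive reverse-dependency walk for assessing which packages a
# security update can affect. Added example; not from the bug report.

# CONSTRUCTED table copied from the apt-cache rdepends output quoted in
# the message. On a real system replace the body of this function with:
#   apt-cache rdepends "$1" | sed '1,2d'
rdeps_of() {
    case "$1" in
        libpdfbox2-java)            echo "libpdfbox2-java-doc libtika-java" ;;
        libtika-java)               echo "libmetadata-extractor-java libvorbis-java libpantomime-clojure" ;;
        libpantomime-clojure)       echo "puppetdb" ;;
        libmetadata-extractor-java) echo "libsejda-java libtika-java" ;;
        libsejda-java)              echo "pdfsam" ;;
        *)                          echo "" ;;
    esac
}

# Breadth-first closure of reverse dependencies, printed in discovery
# order, one space-separated line. The visited list (padded with spaces so
# substring matches are exact) is what breaks the libtika-java <->
# libmetadata-extractor-java cycle present in the data; without it a naive
# recursive walk loops forever.
transitive_rdeps() {
    queue="$1"
    visited=" $1 "
    result=""
    while [ -n "$queue" ]; do
        # pop the head of the queue
        cur="${queue%% *}"
        if [ "$cur" = "$queue" ]; then queue=""; else queue="${queue#* }"; fi
        for dep in $(rdeps_of "$cur"); do
            case "$visited" in
                *" $dep "*) continue ;;   # already seen: skip (cycle guard)
            esac
            visited="$visited$dep "
            result="$result $dep"
            queue="${queue:+$queue }$dep"
        done
    done
    printf '%s\n' "${result# }"
}

# Packages in the closure that nothing else depends on: the end of the
# blast radius (here the applications and -doc packages a user installs).
leaf_rdeps() {
    leaves=""
    for p in $(transitive_rdeps "$1"); do
        [ -z "$(rdeps_of "$p")" ] && leaves="$leaves $p"
    done
    printf '%s\n' "${leaves# }"
}

# Stand-alone usage: print the closure for the package under review.
transitive_rdeps libpdfbox2-java
```

Run against a live system the same two functions answer the question the request has to answer by hand: how far a change to libpdfbox2-java propagates, and which user-facing packages sit at the edge of that set.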

