Your message dated Wed, 19 May 2021 10:32:01 +0000
with message-id <E1ljJUf-00018C-8p@respighi.debian.org>
and subject line unblock libpdfbox2-java
has caused the Debian Bug report #988753,
regarding unblock: libpdfbox2-java/2.0.23-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
988753: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988753
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: libpdfbox2-java/2.0.23-1
- From: tony mancill <tmancill@debian.org>
- Date: Tue, 18 May 2021 21:06:21 -0700
- Message-id: <YKSOveE3urjJz8ux@lark>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libpdfbox2-java

[ Reason ]
This unblock request addresses these two CVEs in the libpdfbox2-java package:

CVE-2021-27807: A carefully crafted PDF file can trigger an infinite loop while loading the file.
CVE-2021-27906: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file.

More context on the bug is available in [1].

I recognize that this is a new upstream release. When investigating the bug, I was unable to isolate a targeted set of upstream commits to address only the CVE. Thus I believe uploading a new upstream patch release is less risky than attempting to identify and backport the code changes solely related to the security vulnerabilities. The Security Team also suggested the unblock request for bullseye [2].

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986006
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986006#24

[ Risks ]
I have reviewed the source diff and believe it to be suitable. Most of the changes in the point release are code-smithing:

- spelling errors
- eliminating 0 bit shifts
- adding try/catch blocks
- adding null checks (and also removing them when not needed)
- initializing lists with estimated sizes (performance improvement)
- whitespace and formatting
- examples (nearly 10% of the diff) and documentation

I am not aware of an alternative to libpdfbox2-java. I believe pdfsam is the most popular package in the reverse dependency graph.

The following is from apt-cache rdepends ${pkg}:

  libpdfbox2-java
  Reverse Depends:
    libpdfbox2-java-doc
    libtika-java
  libtika-java
  Reverse Depends:
    libmetadata-extractor-java
    libvorbis-java
    libpantomime-clojure
  libpantomime-clojure
  Reverse Depends:
    puppetdb
  libmetadata-extractor-java
  Reverse Depends:
    libsejda-java
    libtika-java
  libsejda-java
  Reverse Depends:
    pdfsam

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
My apologies for submitting a request with such a large diff. Thank you for considering the request.

Cheers,
tony

unblock libpdfbox2-java/2.0.23-1

Attachment: libpdfbox2-java_2.0.22-1_vs_2.0.23-1.dsc.debdiff.gz
Description: application/gzip

Attachment: libpdfbox2-java_2.0.22-1_vs_2.0.23-1_amd64.changes.debdiff.gz
Description: application/gzip

Attachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 988753-done@bugs.debian.org
- Subject: unblock libpdfbox2-java
- From: Sebastian Ramacher <sramacher@respighi.debian.org>
- Date: Wed, 19 May 2021 10:32:01 +0000
- Message-id: <E1ljJUf-00018C-8p@respighi.debian.org>
Unblocked.
--- End Message ---