[jira] [Resolved] (PDFBOX-5798) Observable Timing Discrepancy (Timing Attack)

Tilman Hausherr (Jira) Wed, 03 Apr 2024 07:50:20 -0700


     [ 
https://issues.apache.org/jira/browse/PDFBOX-5798?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Tilman Hausherr resolved PDFBOX-5798.
-------------------------------------
    Fix Version/s: 2.0.32
                   4.0.0
                   3.0.3 PDFBox
         Assignee: Tilman Hausherr
       Resolution: Fixed

Thanks, fixed.

> Observable Timing Discrepancy (Timing Attack)
> ---------------------------------------------
>
>                 Key: PDFBOX-5798
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-5798
>             Project: PDFBox
>          Issue Type: Bug
>          Components: Crypto
>    Affects Versions: 2.0.31, 3.0.2 PDFBox, 4.0.0
>            Reporter: Simon Steiner
>            Assignee: Tilman Hausherr
>            Priority: Major
>             Fix For: 2.0.32, 4.0.0, 3.0.3 PDFBox
>
>
> A static analyse tool is reporting:
> An attacker can guess the secret value of digest because it is compared using 
> java.util.Arrays.equals, which is vulnerable to timing attacks. Use 
> java.security.MessageDigest.isEqual to compare values securely.
> ‎pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: dev-h...@pdfbox.apache.org

[jira] [Resolved] (PDFBOX-5798) Observable Timing Discrepancy (Timing Attack)

Reply via email to