Hi, A vulnerability is anything that an attacker could do that affects the confidentiality, integrity or availability of the application, commonly known as CIA (see https://en.wikipedia.org/wiki/Information_security#Key_concepts).
An infinite loop is a denial of service (affecting availability) as the thread is looping instead of returning and being responsive. Here's one example: https://nvd.nist.gov/vuln/detail/CVE-2016-4008 Just google "cve infinite loop" and you'll see many others. Similarly, crashes caused by attacker provided input are a denial of service as well (keep in mind that an attacker can be a legitimate user). A CNA is a CVE numbering authority, they are authorized to manage the publication of CVEs into a centralized database of vulnerabilities (CVEs are a way of uniquely identifying vulnerabilities). See https://cve.mitre.org/cve/request_id.html#cna_coverage and https://www.apache.org/security/ Regards, David On 2017-11-03 14:59, Tilman Hausherr <[email protected]> wrote: > Am 03.11.2017 um 18:28 schrieb [email protected]: > > Hi, > > > > At least three of these issues appear to be vulnerabilities (probably > > more), any chance of getting CVEs assigned to them? Apache is a CNA now so > > I'd think it wouldn't be too much trouble. > > > > The issues I see as being vulnerabilities are PDFBOX-3919, PDFBOX-3949 and > > PDFBOX-3976. > > What's your definition of "vulnerability"? The first is an endless loop, > the other two are NPEs. And what is a "CNA"? > > Tilman > > > > > > > > Thanks, > > > > David > > > > > > On 2017-11-03 02:19, Andreas Lehmkuehler <[email protected]> wrote: > >> The Apache PDFBox community is pleased to announce the release of > >> Apache PDFBox version 2.0.8. The release is available for download at: > >> > >> http://pdfbox.apache.org/download.cgi > >> > >> See the full release notes below for details about this release. > >> > >> Release Notes -- Apache PDFBox -- Version 2.0.8 > >> > >> Introduction > >> ------------ > >> > >> The Apache PDFBox library is an open source Java tool for working with PDF > >> documents. > >> > >> This is an incremental bugfix release based on the earlier 2.0.7 release. > >> It > >> contains > >> a couple of fixes and small improvements. > >> > >> For more details on these changes and all the other fixes and improvements > >> included in this release, please refer to the following issues on the > >> PDFBox issue tracker at https://issues.apache.org/jira/browse/PDFBOX. > >> > >> Bug > >> > >> [PDFBOX-3424] - Regression from 1.8.10: IOException: XREF for 171:0 points > >> to > >> wrong object: 173:0 > >> [PDFBOX-3639] - FDF does not parse: Missing root object specification in > >> trailer. > >> [PDFBOX-3874] - /Fontinfo instead of /FontInfo in type 1 font > >> [PDFBOX-3881] - Handling of Byte Order Mark with Metadata-Fields > >> [PDFBOX-3884] - GlyphList registers "wrong" Adobe name for "U+02DC SMALL > >> TILDE" > >> [PDFBOX-3887] - Getting a "DataFormatException: invalid distance too far > >> back" > >> exception for the attached file > >> [PDFBOX-3894] - NPE on org.apache.pdfbox.pdmodel.PDPageTree.isPageTreeNode > >> [PDFBOX-3896] - UnsupportedOperationException > >> [PDFBOX-3898] - AcroFields' PDTextField (and others?) can have kids > >> [PDFBOX-3909] - End of inline image not detected > >> [PDFBOX-3913] - Japanese URI improperly decoded > >> [PDFBOX-3914] - LayerUtility ignores OCProperties on import > >> [PDFBOX-3916] - NPE on > >> org.apache.pdfbox.pdmodel.font.PDType0Font.readEncoding > >> [PDFBOX-3919] - Infinite loop while parsing (2) > >> [PDFBOX-3923] - Expected a long type at offset 52152, instead got 'xref' > >> [PDFBOX-3925] - QUADDING constants no longer public > >> [PDFBOX-3928] - IllegalArgumentException: root cannot be null with > >> truncated file > >> [PDFBOX-3929] - Border style dictionary width ignored by Adobe Reader when > >> float > >> [PDFBOX-3930] - replace deprecated TBSCertificateStructure > >> [PDFBOX-3932] - Image with predictor 15 not rendered correctly > >> [PDFBOX-3934] - Page missing > >> [PDFBOX-3935] - DataFormatException: invalid stored block lengths > >> [PDFBOX-3936] - IllegalArgumentException: root cannot be null with > >> truncated > >> file (2) > >> [PDFBOX-3937] - NPE in PDCIDFontType2 constructor > >> [PDFBOX-3940] - Lost metadata in 2.0.8-SNAPSHOT > >> [PDFBOX-3942] - ClassCastException in getOptionalContentGroups > >> [PDFBOX-3943] - /Helv entry in /DR not created if /DR exists > >> [PDFBOX-3946] - NPE in PDActionURI.getURI() if URI doesn't exist > >> [PDFBOX-3947] - ArrayIndexOutOfBoundsException in bfSearchForObjStreams > >> [PDFBOX-3948] - NumberFormatException in bfSearchForObjStreams > >> [PDFBOX-3949] - NPE in bfSearchForObjStreams > >> [PDFBOX-3950] - NPE in PageIterator.enqueueKids > >> [PDFBOX-3955] - new -- very slow processing on truncated PDF > >> [PDFBOX-3957] - Pages lost > >> [PDFBOX-3958] - UTF-16 (BE) URI improperly decoded > >> [PDFBOX-3959] - DataFormatException: invalid code lengths set with > >> truncated file > >> [PDFBOX-3963] - ClassCastException in PDCIDFont.readVerticalDisplacements() > >> [PDFBOX-3965] - Truetype Font glyphs not rendered > >> [PDFBOX-3967] - IllegalArgumentException: Illegal Capacity: -1 > >> [PDFBOX-3969] - Splitting starts counting for cutting out pages wrongly > >> [PDFBOX-3972] - Incorrect page after merge for OpenAction with GoTo page > >> destination > >> [PDFBOX-3976] - NPE in bfSearchForTrailer > >> [PDFBOX-3977] - /Info dictionary no longer available > >> [PDFBOX-3978] - IllegalStateException on saveIncrementalForExternalSigning > >> [PDFBOX-3979] - NullPointerException on > >> Type1Parser.readCharStrings(Type1Parser.java:713) > >> > >> Improvement > >> > >> [PDFBOX-3878] - Improve and refactor RemoveAllText example > >> [PDFBOX-3890] - The operator Tz is not available when creating new PDF > >> using > >> PDPageContentStream > >> [PDFBOX-3897] - Avoid sRGB self-conversions > >> [PDFBOX-3900] - Optimize PDSeparation for shadings > >> [PDFBOX-3911] - Handle new line characters in single line text fields > >> [PDFBOX-3920] - CIDSet should be PDF/A-2b compatible > >> [PDFBOX-3927] - Support optional content in annotations > >> [PDFBOX-3944] - ERROR "Can't read embedded ICC profile" is too scary > >> [PDFBOX-3971] - Add Certificate Dictionary to seed value in signature field > >> [PDFBOX-3982] - [Patch/RFC] Set maximum compression level on FlateFilter > >> [PDFBOX-3983] - [Patch] Don't a allow a miter limit <= 0 > >> > >> Task > >> > >> [PDFBOX-3584] - Build and test PDFBox with JDK9 > >> [PDFBOX-3873] - Fix text comparison in PDFontTest > >> [PDFBOX-3938] - Add test from PDFBOX-2079 to 2.0 and trunk > >> [PDFBOX-3974] - Add more parsing regression tests > >> > >> Release Contents > >> ---------------- > >> > >> This release consists of a single source archive packaged as a zip file. > >> The archive can be unpacked with the jar tool from your JDK installation. > >> See the README.txt file for instructions on how to build this release. > >> > >> The source archive is accompanied by SHA1 and MD5 checksums and a PGP > >> signature that you can use to verify the authenticity of your download. > >> The public key used for the PGP signature can be found at > >> https://svn.apache.org/repos/asf/pdfbox/KEYS. > >> > >> About Apache PDFBox > >> ------------------- > >> > >> Apache PDFBox is an open source Java library for working with PDF > >> documents. > >> This project allows creation of new PDF documents, manipulation of existing > >> documents and the ability to extract content from documents. Apache PDFBox > >> also includes several command line utilities. Apache PDFBox is published > >> under the Apache License, Version 2.0. > >> > >> For more information, visit http://pdfbox.apache.org/ > >> > >> About The Apache Software Foundation > >> ------------------------------------ > >> > >> Established in 1999, The Apache Software Foundation provides > >> organizational, > >> legal, and financial support for more than 100 freely-available, > >> collaboratively-developed Open Source projects. The pragmatic Apache > >> License > >> enables individual and commercial users to easily deploy Apache software; > >> the Foundation's intellectual property framework limits the legal exposure > >> of its 2,500+ contributors. > >> > >> For more information, visit http://www.apache.org/ > >> > >> --------------------------------------------------------------------- > >> To unsubscribe, e-mail: [email protected] > >> For additional commands, e-mail: [email protected] > >> > >> > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
