Upstream has issued an advisory today (May 27): http://www.openwall.com/lists/oss-security/2016/05/27/1 The issue is fixed in PDFBox 1.8.12. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
CC: (none) => geiger.david68210
Debian-LTS has issued an advisory for this on June 8: http://lwn.net/Alerts/690381/
URL: (none) => http://lwn.net/Vulnerabilities/690411/
*** Bug 18664 has been marked as a duplicate of this bug. ***
Done for Cauldron and mga5 too with an upstream patch: http://svn.apache.org/viewvc?view=revision&revision=1739564
Packages in 5/core/updates_testing:
========================
pdfbox-1.8.7-1.1.mga5.noarch.rpm
pdfbox-examples-1.8.7-1.1.mga5.noarch.rpm
pdfbox-javadoc-1.8.7-1.1.mga5.noarch.rpm
pdfbox-ant-1.8.7-1.1.mga5.noarch.rpm
fontbox-1.8.7-1.1.mga5.noarch.rpm
jempbox-1.8.7-1.1.mga5.noarch.rpm
preflight-1.8.7-1.1.mga5.noarch.rpm
xmpbox-1.8.7-1.1.mga5.noarch.rpm

Source RPM:
========================
pdfbox-1.8.7-1.1.mga5.src.rpm
Assignee: neoclust => mageia
Thanks David! Assigning to QA. Package list in Comment 4.

Advisory:
========================
Updated pdfbox packages fix security vulnerability:

Apache PDFBox before 1.8.12 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF (CVE-2016-2175).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2175
http://www.openwall.com/lists/oss-security/2016/05/27/1
https://www.debian.org/security/2016/dsa-3606
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
Assignee: mageia => qa-bugs
x86_64 Mate

Summarizing steps taken so far:

There is a testing section at https://www.owasp.org/index.php/Testing_for_XML_Injection_%28OTG-INPVAL-008%29 accessible via the advisory link at http://www.openwall.com/lists/oss-security/2016/05/27/1 but this does not help without any context to go on. It seems to involve user input via web-based XML forms, so it is not clear how the package can be tested. The snippets at the site quoted look as if they might provide the basis for a PoC if there were some framework within which to run them. Apache is involved, so I guess httpd must be started.

None of the packages seem to be commands or applications in their own right. They each install to a branch in the /usr/share/java tree as jar files, apart from pdfbox-javadoc which goes to /usr/share/javadoc/pdfbox/.

Basic PDFBox tutorial at www.printmyfolders.com. Pointing firefox at /usr/share/javadoc/pdfbox/index.html just now.
CC: (none) => tarazed25
(In reply to Len Lawrence from comment #6)
> None of the packages seem to be commands or applications in their own right.

That's typical of these Java packages. They're mostly unused libraries that are recursive requirements through unused code paths. That's why we just verify that they install and upgrade cleanly.
Thanks David. It did look like a career move, but it is a pity that a PoC could not be developed. It looks simple in principle. Anyway, as far as I can see all the relevant packages install cleanly and can be found in the locations indicated. So, I guess I can OK this.
Whiteboard: (none) => MGA5-64-OK
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0253.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED