CVE-2018-8036

Name	CVE-2018-8036
Description	In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs	902776

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libpdfbox-java (PTS)	bookworm, sid, buster, bullseye	1:1.8.16-2	fixed
libpdfbox2-java (PTS)	buster	2.0.13-2	fixed
	bullseye	2.0.23-1	fixed
	bookworm, sid	2.0.27-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
libpdfbox-java	source	(unstable)	1:1.8.15-1	low		902776
libpdfbox2-java	source	(unstable)	2.0.11-1	low

Notes

[stretch] - libpdfbox-java <no-dsa> (Minor issue)
[jessie] - libpdfbox-java <no-dsa> (Minor issue)
https://www.openwall.com/lists/oss-security/2018/06/29/2