diff --git a/0001-port-to-bouncycastle-1.61.patch b/0001-port-to-bouncycastle-1.61.patch
new file mode 100644
index 0000000..58d298f
--- /dev/null
+++ b/0001-port-to-bouncycastle-1.61.patch
@@ -0,0 +1,36 @@
+From d958a27c35d5a173ab3be1798516955cc17b0de8 Mon Sep 17 00:00:00 2001
+From: maminjie
+Date: Thu, 1 Apr 2021 15:02:02 +0800
+Subject: [PATCH] port to bouncycastle 1.61
+
+---
+ .../pdfbox/pdmodel/encryption/PublicKeySecurityHandler.java | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/PublicKeySecurityHandler.java b/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/PublicKeySecurityHandler.java
+index 33badbc..a62529f 100644
+--- a/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/PublicKeySecurityHandler.java
++++ b/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/PublicKeySecurityHandler.java
+@@ -50,6 +50,7 @@ import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+ import org.bouncycastle.asn1.ASN1Primitive;
+ import org.bouncycastle.asn1.ASN1Set;
+ import org.bouncycastle.asn1.DEROctetString;
++import org.bouncycastle.asn1.DEROutputStream;
+ import org.bouncycastle.asn1.DERSet;
+ import org.bouncycastle.asn1.cms.ContentInfo;
+ import org.bouncycastle.asn1.cms.EncryptedContentInfo;
+@@ -457,7 +458,10 @@ public final class PublicKeySecurityHandler extends SecurityHandler
+
+ ASN1Primitive obj = createDERForRecipient(pkcs7input, certificate);
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+- obj.encodeTo(baos, ASN1Encoding.DER);
++ //obj.encodeTo(baos, ASN1Encoding.DER);
++ //no symbol encodeTo in bouncycastle 1.61
++ DEROutputStream k = new DEROutputStream(baos);
++ k.writeObject(obj);
+
+ recipientsField[i] = baos.toByteArray();
+
+--
+2.23.0
+
diff --git a/CVE-2018-11797.patch b/CVE-2018-11797.patch
deleted file mode 100644
index 1f35571..0000000
--- a/CVE-2018-11797.patch
+++ /dev/null
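Review bot: The second inner hunk of the added PublicKeySecurityHandler patch leaves the old call behind as commented-out code and introduces a one-letter local `k`. The same DER bytes should be obtainable without `DEROutputStream` via `baos.write(obj.getEncoded(ASN1Encoding.DER));`, which needs no new import and keeps the existing `ASN1Encoding` reference in use. If the stream approach stays, drop the two comment lines and give the stream a descriptive name, e.g. `DEROutputStream derOut = new DEROutputStream(baos);`. Since these bytes become the recipient field of an encrypted document, a round-trip test that they still decode as strict DER would be worth adding. The enclosing method starts and ends outside the hunk.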
@@ -1,50 +0,0 @@
-From 1c5220a55e0df63c122ad172debd86763512f09d Mon Sep 17 00:00:00 2001
-Subject: [PATCH] Fix CVE-2018-12123
----
- .../java/org/apache/pdfbox/pdfparser/COSParser.java | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/COSParser.java b/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/COSParser.java
-index 524f2f5..751f4f1 100644
---- a/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/COSParser.java
-+++ b/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/COSParser.java
-@@ -2239,12 +2239,12 @@ public class COSParser extends BaseParser
- COSBase pages = root.getDictionaryObject(COSName.PAGES);
- if (pages instanceof COSDictionary)
- {
-- checkPagesDictionary((COSDictionary) pages);
-+ checkPagesDictionary((COSDictionary) pages, new HashSet());
- }
- }
- }
-
-- private int checkPagesDictionary(COSDictionary pagesDict)
-+ private int checkPagesDictionary(COSDictionary pagesDict, Set set)
- {
- // check for kids
- COSBase kids = pagesDict.getDictionaryObject(COSName.KIDS);
-@@ -2256,6 +2256,11 @@ public class COSParser extends BaseParser
- for (COSBase kid : kidsList)
- {
- COSObject kidObject = (COSObject) kid;
-+ if (set.contains(kidObject))
-+ {
-+ kidsArray.remove(kid);
-+ continue;
-+ }
- COSBase kidBaseobject = kidObject.getObject();
- // object wasn't dereferenced -> remove it
- if (kidBaseobject.equals(COSNull.NULL))
-@@ -2270,7 +2275,8 @@ public class COSParser extends BaseParser
- if (COSName.PAGES.equals(type))
- {
- // process nested pages dictionaries
-- numberOfPages += checkPagesDictionary(kidDictionary);
-+ set.add(kidObject);
-+ numberOfPages += checkPagesDictionary(kidDictionary, set);
- }
- else if (COSName.PAGE.equals(type))
- {
---
-2.23.0
-
diff --git a/CVE-2018-8036.patch b/CVE-2018-8036.patch
deleted file mode 100644
index 40af384..0000000
--- a/CVE-2018-8036.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 96708d737a9eaa5f950ca9aead18bf93a728d754 Mon Sep 17 00:00:00 2001
-Subject: [PATCH] Fix CVE-2018-8036
----
- .../main/java/org/apache/fontbox/afm/AFMParser.java | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/fontbox/src/main/java/org/apache/fontbox/afm/AFMParser.java b/fontbox/src/main/java/org/apache/fontbox/afm/AFMParser.java
-index 2ac3dbe..320df7b 100644
---- a/fontbox/src/main/java/org/apache/fontbox/afm/AFMParser.java
-+++ b/fontbox/src/main/java/org/apache/fontbox/afm/AFMParser.java
-@@ -951,9 +951,11 @@ public class AFMParser
- buf.append( (char)nextByte );
-
- //now read the data
-- while( !isEOL(nextByte = input.read()) )
-+ nextByte = input.read();
-+ while (nextByte != -1 && !isEOL(nextByte))
- {
-- buf.append( (char)nextByte );
-+ buf.append((char)nextByte);
-+ nextByte = input.read();
- }
- return buf.toString();
- }
-@@ -978,9 +980,11 @@ public class AFMParser
- buf.append( (char)nextByte );
-
- //now read the data
-- while( !isWhitespace(nextByte = input.read()) )
-+ nextByte = input.read();
-+ while(nextByte != -1 && !isWhitespace(nextByte))
- {
-- buf.append( (char)nextByte );
-+ buf.append((char)nextByte);
-+ nextByte = input.read();
- }
- return buf.toString();
- }
---
-2.23.0
-
diff --git a/pdfbox-2.0.9-src.zip b/pdfbox-2.0.23-src.zip
similarity index 84%
rename from pdfbox-2.0.9-src.zip
rename to pdfbox-2.0.23-src.zip
index 4465a52..6a95e9a 100644
Binary files a/pdfbox-2.0.9-src.zip and b/pdfbox-2.0.23-src.zip differ
diff --git a/pdfbox.spec b/pdfbox.spec
index ef77fe6..25c9564 100644
--- a/pdfbox.spec
+++ b/pdfbox.spec
@@ -1,15 +1,14 @@ Name: pdfbox -Version: 2.0.9 -Release: 8 +Version: 2.0.23 +Release: 1 Summary: A Java PDF Library License: ASL 2.0 URL: http://pdfbox.apache.org/ Source0: http://archive.apache.org/dist/pdfbox/%{version}/pdfbox-%{version}-src.zip -Patch6000: CVE-2018-8036.patch -Patch6001: CVE-2018-11797.patch +Patch0000: 0001-port-to-bouncycastle-1.61.patch BuildRequires: maven-local mvn(commons-io:commons-io) BuildRequires: mvn(commons-logging:commons-logging) mvn(junit:junit) -BuildRequires: mvn(log4j:log4j:1.2.17) mvn(org.apache.ant:ant) mvn(org.apache:apache:pom:) +BuildRequires: mvn(org.apache.ant:ant) mvn(org.apache:apache:pom:) BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) mvn(org.bouncycastle:bcmail-jdk15on) BuildRequires: mvn(org.bouncycastle:bcprov-jdk15on) dejavu-sans-mono-fonts google-noto-emoji-fonts BuildRequires: liberation-sans-fonts icc-profiles-openicc fontconfig @@ -93,7 +92,6 @@ contents. It is mainly used by subproject preflight of Apache PDFBox. %pom_remove_plugin -r :maven-source-plugin %pom_remove_plugin -r :maven-javadoc-plugin %pom_remove_plugin -r :maven-checkstyle-plugin -%pom_remove_plugin -r :maven-download-plugin %pom_remove_plugin -r :download-maven-plugin %pom_remove_dep -r com.github.jai-imageio: @@ -114,7 +112,6 @@ sed -i -e '/\(OptionsAndNamesNotNumbers\|RadioButtonWithOptions\)/i\@org.junit.I pdfbox/src/test/java/org/apache/pdfbox/pdmodel/interactive/form/PDButtonTest.java -%mvn_file :pdfbox pdfbox %mvn_file :pdfbox pdfbox %mvn_file :pdfbox-debugger pdfbox-debugger %mvn_file :pdfbox-examples pdfbox-examples @@ -155,6 +152,9 @@ sed -i -e '/\(OptionsAndNamesNotNumbers\|RadioButtonWithOptions\)/i\@org.junit.I %license LICENSE.txt NOTICE.txt %changelog +* Thu Apr 01 2021 maminjie - 2.0.23-1 +- Upgrade to 2.0.23 + * Tue Jan 26 2021 lingsheng - 2.0.9-8 - Remove tests which require net connectivity
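Review bot: The first hunk drops `Patch6000: CVE-2018-8036.patch` and `Patch6001: CVE-2018-11797.patch`, but the changelog entry added in the last hunk says only `- Upgrade to 2.0.23`, so the spec no longer records why two security patches were removed. Presumably both fixes are already contained in the 2.0.23 sources; once that is confirmed against the new tarball, state it in the changelog, e.g. `- Drop CVE-2018-8036.patch and CVE-2018-11797.patch, fixed upstream`. The same entry could also mention the new `0001-port-to-bouncycastle-1.61.patch` and the removed `mvn(log4j:log4j:1.2.17)` build requirement, so that later audits can trace each change.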