Upgrade to 2.0.23

0001-port-to-bouncycastle-1.61.patch

@@ -0,0 +1,36 @@
+From d958a27c35d5a173ab3be1798516955cc17b0de8 Mon Sep 17 00:00:00 2001
+From: maminjie <maminjie1@huawei.com>
+Date: Thu, 1 Apr 2021 15:02:02 +0800
+Subject: [PATCH] port to bouncycastle 1.61
+
+---
+ .../pdfbox/pdmodel/encryption/PublicKeySecurityHandler.java | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/PublicKeySecurityHandler.java b/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/PublicKeySecurityHandler.java
+index 33badbc..a62529f 100644
+--- a/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/PublicKeySecurityHandler.java
++++ b/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/PublicKeySecurityHandler.java
+@@ -50,6 +50,7 @@ import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+ import org.bouncycastle.asn1.ASN1Primitive;
+ import org.bouncycastle.asn1.ASN1Set;
+ import org.bouncycastle.asn1.DEROctetString;
++import org.bouncycastle.asn1.DEROutputStream;
+ import org.bouncycastle.asn1.DERSet;
+ import org.bouncycastle.asn1.cms.ContentInfo;
+ import org.bouncycastle.asn1.cms.EncryptedContentInfo;
+@@ -457,7 +458,10 @@ public final class PublicKeySecurityHandler extends SecurityHandler
+ 
+             ASN1Primitive obj = createDERForRecipient(pkcs7input, certificate);
+             ByteArrayOutputStream baos = new ByteArrayOutputStream();
+-            obj.encodeTo(baos, ASN1Encoding.DER);
++            //obj.encodeTo(baos, ASN1Encoding.DER);
++            //no symbol encodeTo in bouncycastle 1.61
++            DEROutputStream k = new DEROutputStream(baos);
++            k.writeObject(obj);
+ 
+             recipientsField[i] = baos.toByteArray();
+ 
+-- 
+2.23.0
+

CVE-2018-11797.patch

@@ -1,50 +0,0 @@
-From 1c5220a55e0df63c122ad172debd86763512f09d Mon Sep 17 00:00:00 2001
-Subject: [PATCH] Fix CVE-2018-12123
----
- .../java/org/apache/pdfbox/pdfparser/COSParser.java  | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/COSParser.java b/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/COSParser.java
-index 524f2f5..751f4f1 100644
---- a/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/COSParser.java
-+++ b/pdfbox/src/main/java/org/apache/pdfbox/pdfparser/COSParser.java
-@@ -2239,12 +2239,12 @@ public class COSParser extends BaseParser
-             COSBase pages = root.getDictionaryObject(COSName.PAGES);
-             if (pages instanceof COSDictionary)
-             {
--                checkPagesDictionary((COSDictionary) pages);
-+                checkPagesDictionary((COSDictionary) pages, new HashSet<COSObject>());
-             }
-         }
-     }
- 
--    private int checkPagesDictionary(COSDictionary pagesDict)
-+    private int checkPagesDictionary(COSDictionary pagesDict, Set<COSObject> set)
-     {
-         // check for kids
-         COSBase kids = pagesDict.getDictionaryObject(COSName.KIDS);
-@@ -2256,6 +2256,11 @@ public class COSParser extends BaseParser
-             for (COSBase kid : kidsList)
-             {
-                 COSObject kidObject = (COSObject) kid;
-+                if (set.contains(kidObject))
-+                {
-+                    kidsArray.remove(kid);
-+                    continue;
-+                }
-                 COSBase kidBaseobject = kidObject.getObject();
-                 // object wasn't dereferenced -> remove it
-                 if (kidBaseobject.equals(COSNull.NULL))
-@@ -2270,7 +2275,8 @@ public class COSParser extends BaseParser
-                     if (COSName.PAGES.equals(type))
-                     {
-                         // process nested pages dictionaries
--                        numberOfPages += checkPagesDictionary(kidDictionary);
-+                        set.add(kidObject);
-+                        numberOfPages += checkPagesDictionary(kidDictionary, set);
-                     }
-                     else if (COSName.PAGE.equals(type))
-                     {
--- 
-2.23.0
-

CVE-2018-8036.patch

@@ -1,41 +0,0 @@
-From 96708d737a9eaa5f950ca9aead18bf93a728d754 Mon Sep 17 00:00:00 2001
-Subject: [PATCH] Fix CVE-2018-8036
----
- .../main/java/org/apache/fontbox/afm/AFMParser.java  | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/fontbox/src/main/java/org/apache/fontbox/afm/AFMParser.java b/fontbox/src/main/java/org/apache/fontbox/afm/AFMParser.java
-index 2ac3dbe..320df7b 100644
---- a/fontbox/src/main/java/org/apache/fontbox/afm/AFMParser.java
-+++ b/fontbox/src/main/java/org/apache/fontbox/afm/AFMParser.java
-@@ -951,9 +951,11 @@ public class AFMParser
-         buf.append( (char)nextByte );
- 
-         //now read the data
--        while( !isEOL(nextByte = input.read()) )
-+        nextByte = input.read();
-+        while (nextByte != -1 && !isEOL(nextByte))
-         {
--            buf.append( (char)nextByte );
-+            buf.append((char)nextByte);
-+            nextByte = input.read();
-         }
-         return buf.toString();
-     }
-@@ -978,9 +980,11 @@ public class AFMParser
-         buf.append( (char)nextByte );
- 
-         //now read the data
--        while( !isWhitespace(nextByte = input.read()) )
-+        nextByte = input.read();
-+        while(nextByte != -1 && !isWhitespace(nextByte))
-         {
--            buf.append( (char)nextByte );
-+            buf.append((char)nextByte);
-+            nextByte = input.read();
-         }
-         return buf.toString();
-     }
--- 
-2.23.0
-

pdfbox.spec

@@ -1,15 +1,14 @@
 Name:          pdfbox
-Version:       2.0.9
+Version:       2.0.23
-Release:       8
+Release:       1
 Summary:       A Java PDF Library
 License:       ASL 2.0
 URL:           http://pdfbox.apache.org/
 Source0:       http://archive.apache.org/dist/pdfbox/%{version}/pdfbox-%{version}-src.zip
-Patch6000:     CVE-2018-8036.patch
+Patch0000:     0001-port-to-bouncycastle-1.61.patch
-Patch6001:     CVE-2018-11797.patch
 BuildRequires: maven-local mvn(commons-io:commons-io)
 BuildRequires: mvn(commons-logging:commons-logging) mvn(junit:junit)
-BuildRequires: mvn(log4j:log4j:1.2.17) mvn(org.apache.ant:ant) mvn(org.apache:apache:pom:)
+BuildRequires: mvn(org.apache.ant:ant) mvn(org.apache:apache:pom:)
 BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) mvn(org.bouncycastle:bcmail-jdk15on)
 BuildRequires: mvn(org.bouncycastle:bcprov-jdk15on) dejavu-sans-mono-fonts google-noto-emoji-fonts
 BuildRequires: liberation-sans-fonts icc-profiles-openicc fontconfig
@@ -93,7 +92,6 @@ contents.  It is mainly used by subproject preflight of Apache PDFBox.
 %pom_remove_plugin -r :maven-source-plugin
 %pom_remove_plugin -r :maven-javadoc-plugin
 %pom_remove_plugin -r :maven-checkstyle-plugin
-%pom_remove_plugin -r :maven-download-plugin
 %pom_remove_plugin -r :download-maven-plugin
 
 %pom_remove_dep -r com.github.jai-imageio:
@@ -114,7 +112,6 @@ sed -i -e '/\(OptionsAndNamesNotNumbers\|RadioButtonWithOptions\)/i\@org.junit.I
    pdfbox/src/test/java/org/apache/pdfbox/pdmodel/interactive/form/PDButtonTest.java
 
 
-%mvn_file :pdfbox pdfbox
 %mvn_file :pdfbox pdfbox
 %mvn_file :pdfbox-debugger pdfbox-debugger
 %mvn_file :pdfbox-examples pdfbox-examples
@@ -155,6 +152,9 @@ sed -i -e '/\(OptionsAndNamesNotNumbers\|RadioButtonWithOptions\)/i\@org.junit.I
 %license LICENSE.txt NOTICE.txt
 
 %changelog
+* Thu Apr 01 2021 maminjie <maminjie1@huawei.com> - 2.0.23-1
+- Upgrade to 2.0.23
+
 * Tue Jan 26 2021 lingsheng <lingsheng@huawei.com> - 2.0.9-8
 - Remove tests which require net connectivity