CVE-2021-37819

Name	CVE-2021-37819
Description	PDF Labs pdftk-java v3.2.3 was discovered to contain an infinite loop via the component /text/pdf/PdfReader.java.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	ELA-684-1
Debian Bugs	1059318, 1059319, 1059320

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libitext-java (PTS)	jessie	2.1.7-9	vulnerable
	stretch	2.1.7-11	vulnerable
	buster, bullseye	2.1.7-12	vulnerable
	bookworm	2.1.7-14	vulnerable
	sid, trixie	2.1.7-16	fixed
libitext1-java (PTS)	jessie, stretch	1.4-6	vulnerable
	sid, trixie, buster, bullseye, bookworm	1.4-7	vulnerable
libitext5-java (PTS)	jessie	5.5.3-2	vulnerable
	stretch	5.5.6-2	vulnerable
	buster (security), buster, buster (lts)	5.5.13-1+deb10u1	vulnerable
	bullseye (security), bullseye	5.5.13.2-1+deb11u1	vulnerable
	bookworm	5.5.13.3-2	vulnerable
	sid, trixie	5.5.13.3-4	fixed
pdftk (PTS)	jessie, jessie (lts)	2.02-2+deb8u1	fixed
	stretch (lts), stretch	2.02-4+deb9u1	fixed
	buster, bullseye, bookworm	2.02-5	fixed
pdftk-java (PTS)	buster	3.0.2-2	vulnerable
	bullseye	3.2.2-1	vulnerable
	bookworm	3.3.2-1	fixed
	sid, trixie	3.3.3-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
libitext-java	source	(unstable)	2.1.7-16			1059318
libitext1-java	source	(unstable)	(unfixed)			1059319
libitext5-java	source	jessie	(unfixed)	end-of-life
libitext5-java	source	stretch	(unfixed)	end-of-life
libitext5-java	source	(unstable)	5.5.13.3-4			1059320
pdftk	source	jessie	2.02-2+deb8u1		ELA-684-1
pdftk	source	stretch	2.02-4+deb9u1		ELA-684-1
pdftk	source	(unstable)	2.02-5
pdftk-java	source	(unstable)	3.3.2-1

Notes

[bullseye] - pdftk-java <no-dsa> (Minor issue)
[buster] - pdftk-java <no-dsa> (Minor issue)
[bookworm] - libitext-java <ignored> (Minor issue)
[bullseye] - libitext-java <no-dsa> (Minor issue)
[buster] - libitext-java <no-dsa> (Minor issue)
[bookworm] - libitext1-java <ignored> (Minor issue)
[bullseye] - libitext1-java <no-dsa> (Minor issue)
[buster] - libitext1-java <no-dsa> (Minor issue)
[bookworm] - libitext5-java <ignored> (Minor issue)
[bullseye] - libitext5-java <no-dsa> (Minor issue)
[buster] - libitext5-java <no-dsa> (Minor issue)
https://gitlab.com/pdftk-java/pdftk/-/merge_requests/21
https://gitlab.com/pdftk-java/pdftk/-/commit/75deacdf5c46fd4eefb310c784eb9dfdc7b9fdc9 (v3.3.0)
https://gitlab.com/pdftk-java/pdftk/-/commit/9b0cbb76c8434a8505f02ada02a94263dcae9247 (v3.3.0)
Starting with 2.02-5 src:pdftk is just a transition package towards src:pdftk-java
[stretch] - libitext-java <ignored> (Minor issue)
[jessie] - libitext-java <ignored> (Minor issue)
[stretch] - libitext1-java <ignored> (Minor issue)
[jessie] - libitext1-java <ignored> (Minor issue)