I would like to point out that its not really a bug in mod_security. Its doing exactly what its designed to do.
The issue arises from an attached file (does not have to be a pdf) having a particular sequence of characters, in this case:
chr(13)+chr(10)+- -Followed by any ascii character. This is the exact pattern that an http post request uses to break up attachments.
Having looked at a few offending PDF files on this case, it appears that the app that is creating these files is not properly encoding that data as simply opening the file in Acrobat Pro or PDFPenPro and saving a new file solves the issue.