patched openjpeg in pdfium
68 views
Skip to first unread message
Vincent Torri
Nov 27, 2018, 3:23:44 PM11/27/18
to OpenJPEG
hello
while browsing pdfium source, i've found this :
especially https://pdfium.googlesource.com/pdfium/+/master/third_party/libopenjpeg20/README.pdfium where it is mentioned that there are critical security issues.
i don't know if all the patches are good or not, if some of them are merged upstream. But if they are really fixing critical security issues, they should be taken into consideration
regards
Vincent Torri
Mario Emmenlauer
Jul 5, 2019, 8:53:32 AM7/5/19
to open...@googlegroups.com, Vincent Torri
Dear Vincent and all,
I must have missed the discussion of your email below. Was there
an outcome? I've seen that pdfium still maintains a long list of
patches against 2.3.1 release. So maybe not everything has found
its way into OpenJPEG?
At least a number of their current patches sound as if they may be
relevant for security and/or stability. Does anyone know if these
patches are considered for upstream integration? If not, is there
something that must be done, like making a PR or getting an official
ok from pdfium developers?
Mario Emmenlauer
Even Rouault
Jul 5, 2019, 9:25:25 AM7/5/19
to open...@googlegroups.com, Mario Emmenlauer, Vincent Torri
On vendredi 5 juillet 2019 14:53:24 CEST Mario Emmenlauer wrote:
> Dear Vincent and all,
>
> I must have missed the discussion of your email below. Was there
> an outcome? I've seen that pdfium still maintains a long list of
> patches against 2.3.1 release. So maybe not everything has found
> its way into OpenJPEG?
>
> At least a number of their current patches sound as if they may be
> relevant for security and/or stability. Does anyone know if these
> patches are considered for upstream integration? If not, is there
> something that must be done, like making a PR or getting an official
> ok from pdfium developers?
I'd expect the pdfium developers to behave as good open source citizens and
> Dear Vincent and all,
>
> I must have missed the discussion of your email below. Was there
> an outcome? I've seen that pdfium still maintains a long list of
> patches against 2.3.1 release. So maybe not everything has found
> its way into OpenJPEG?
>
> At least a number of their current patches sound as if they may be
> relevant for security and/or stability. Does anyone know if these
> patches are considered for upstream integration? If not, is there
> something that must be done, like making a PR or getting an official
> ok from pdfium developers?
issue PR against openjpeg when their patches are relevant from upstream
inclusion...
--
Spatialys - Geospatial professional services
http://www.spatialys.com
Lei Zhang
Jul 9, 2019, 7:20:31 AM7/9/19
to OpenJPEG
On Friday, July 5, 2019 at 6:25:25 AM UTC-7, Even Rouault wrote:
I'd expect the pdfium developers to behave as good open source citizens and
issue PR against openjpeg when their patches are relevant from upstream
inclusion...
I'll take a look at the stash of OpenJPEG patches in PDFium and see which ones are applicable for upstreaming. If anyone has opinions on which patches should / should not be upstreamed, please let me know.
Mario Emmenlauer
Jul 11, 2019, 5:22:52 AM7/11/19
to OpenJPEG
Thanks a lot Lei, its appreciated! Personally I'd start with more security-related issues or crashes, and then go down the severity list.
Reply all
Reply to author
Forward
0 new messages