Malware in test PDF


Stephen DiVerdi

Jan 28, 2021, 3:06:41 PM
to pdfium
Hi, I'm not a pdfium user but I'm trying to build Chromium, which includes pdfium in third_party.  I'm having a problem now though because when I sync chromium and specifically the pdfium dir, I'm getting a warning from Carbon Black (corporate antivirus) of CVE-2018-4993, basically an Acrobat vulnerability, because of testing/resources/get_page_aaction.pdf .  I'm working with my IT dept to see about how I can move forward with building the repo, but meanwhile: is this intentional?  Or is this a mistake?  Probably not a good thing to have malware in the repo?  Unless it's a test of a malicious payload?  I'm just trying to understand what the situation is, if this is a false positive or an actual threat or what.  Thanks, -steve

K. Moon

Jan 28, 2021, 4:51:14 PM
to Stephen DiVerdi, pdfium
You can read all the source for the test and the associated PDF:

I assume what your scanner is getting tripped up on is an action that tries to execute a program from a UNC mount. There's nothing malicious about the test or the PDF, but nothing in the test actually seems to depend on using a UNC path, either. In general, though, this just sounds like an overzealous scanner.

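A triage sketch for the kind of finding discussed above, added here as an example (not code from the thread or from the pdfium project): it lists uncompressed PDF objects whose Launch, GoToR or GoToE action carries an /F literal string that starts with a UNC prefix. The sample bytes, the host name and the function names are constructed for illustration; the contents of the real test file are not reproduced here.

```python
import re

# Action types whose /F entry is a file specification.
FILE_ACTIONS = {b"Launch", b"GoToR", b"GoToE"}

# Indirect objects in the plain file body. Objects packed into compressed
# object streams are not visible to this scan (limitation of the sketch).
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
SUBTYPE_RE = re.compile(rb"/S\s*/(\w+)")
# /F followed by a literal string; hex strings and nested parentheses are skipped.
F_STRING_RE = re.compile(rb"/F\s*\(((?:\\.|[^\\()])*)\)", re.S)


def unescape(raw):
    """Undo the PDF literal-string escapes that matter for paths: \\\\ \\( \\)."""
    return re.sub(rb"\\([\\()])", rb"\1", raw)


def find_unc_actions(pdf_bytes):
    """Return (object number, action type, path) for file actions aimed at a UNC path."""
    hits = []
    for obj in OBJ_RE.finditer(pdf_bytes):
        num, body = int(obj.group(1)), obj.group(2)
        kinds = [k for k in SUBTYPE_RE.findall(body) if k in FILE_ACTIONS]
        if not kinds:
            continue
        for raw in F_STRING_RE.findall(body):
            path = unescape(raw)
            if path.startswith(b"\\\\"):  # two backslashes: \\host\share\...
                hits.append((num, kinds[0].decode(), path.decode("latin-1")))
    return hits


# Constructed sample: a page with additional actions (/AA) pointing at three actions.
SAMPLE = rb"""%PDF-1.7
1 0 obj
<< /Type /Page /AA << /O 2 0 R /C 3 0 R >> >>
endobj
2 0 obj
<< /Type /Action /S /Launch /F (\\\\fileserver.example\\share\\tool.exe) >>
endobj
3 0 obj
<< /Type /Action /S /URI /URI (https://example.com/) >>
endobj
4 0 obj
<< /Type /Action /S /GoToR /F (local.pdf) /D [0 /Fit] >>
endobj
"""

if __name__ == "__main__":
    for num, kind, path in find_unc_actions(SAMPLE):
        print(f"object {num}: /{kind} -> {path}")
```

A hit here only explains why a signature might fire on a file; whether the file is harmful still depends on reading the action and the test that uses it.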

Stephen DiVerdi

Jan 28, 2021, 8:40:05 PM
to K. Moon, Stephen DiVerdi, pdfium

I agree with your assessment.  FYI it does seem like a number of AV packages flag this file as malicious: https://www.virustotal.com/gui/file/3f9622b5648eb79998bb7dfeddc61997c852d9725c6988059e826134f30dea7e/detection

If it’s orthogonal to the test’s purpose, it might be worth changing it to not trip the AV?   -s

K. Moon

Jan 29, 2021, 12:13:13 PM
to Stephen DiVerdi, Stephen DiVerdi, pdfium
I think that's a reasonable thing to do, but there's a bit of a whac-a-mole problem with guessing which new string a scanner won't complain about. If you'd like to file a bug report at https://crbug.com/pdfium/new, hopefully someone will get to it eventually, or if you're willing to contribute a fix yourself, there are instructions at https://pdfium.googlesource.com/pdfium/+/refs/heads/master/CONTRIBUTING.md.