OpenJpeg security vulnerabilities and PDFium


Denis Legashov

Sep 20, 2018, 5:20:16 AM
to pdfium
Hello,

According to the OpenJpeg GitHub repository, it has a couple of bugs (#1059 and #1053) that are security vulnerabilities CVE-2018-6616 and CVE-2018-5727. I found out that the OpenJpeg used by PDFium has multiple patches in its sources made by your dev team. Does this mean that the OpenJpeg patched by the PDFium team is not affected by these vulnerabilities?

Thanks,
Denis.

Dan Sinclair

Sep 20, 2018, 8:59:38 AM
to Denis Legashov, pdfium, n...@chromium.org
Nicolas did a lot of the openjpeg patching so would be in the best position to know if those specific issues are patched already.

dan


--
You received this message because you are subscribed to the Google Groups "pdfium" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pdfium+un...@googlegroups.com.
To post to this group, send email to pdf...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pdfium/f971ad38-abe9-47db-aa29-39e2447d3fc6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Nicolás Peña

Sep 20, 2018, 5:11:23 PM
to Dan Sinclair, denis.l...@gmail.com, pdf...@googlegroups.com, n...@chromium.org
If they were only reported to the OpenJpeg GitHub repository (without being fixed) but not reported as a Chromium bug nor found by our own fuzzing, then it's very unlikely that they have been fixed.

Denis Legashov

Oct 8, 2018, 10:58:12 AM
to pdfium
And how can this be verified? What should I do? Should I file a bug or do something else?

Thank you for your assistance


Nicolás Peña

Oct 9, 2018, 11:33:46 AM
to Denis Legashov, pdf...@googlegroups.com
You can verify by a) creating a PDF with an image containing the testcase and running the testcase against the appropriate PDFium build or b) running the testcase against Chromium's pdf_jpx_fuzzer (requires pulling Chromium, which is big).
You can ping a frequent contributor rouault@ to get it fixed in the GitHub repository (best way to fix), or submit a pull request to the repository to get it fixed, or file a bug at crbug.com to get it fixed in Chromium's copy if you believe it's a security issue that needs to be fixed ASAP.
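
Option (a) from the reply above, as an added example that is not part of the original thread or of PDFium's code: a Python script that wraps a JPEG 2000 testcase in a minimal one-page PDF whose only image uses /JPXDecode. The function names, the page geometry and the constructed `SAMPLE_J2K` header are assumptions made for illustration.

```python
import struct
import sys

JP2_SIG = b"\x00\x00\x00\x0cjP  \r\n\x87\n"   # JP2 signature box
# Constructed sample: SOC + SIZ marker of a 16x8 raw codestream, header only.
SAMPLE_J2K = b"\xff\x4f\xff\x51" + struct.pack(">HHIIII", 41, 0, 16, 8, 0, 0)

def jpx_dimensions(data):
    """Return (width, height) from a JP2 ihdr box or a raw codestream SIZ marker."""
    if data.startswith(JP2_SIG):
        i = data.find(b"ihdr")              # simplified: first ihdr box type
        if i < 0 or len(data) < i + 12:
            raise ValueError("JP2 file without a complete ihdr box")
        height, width = struct.unpack(">II", data[i + 4:i + 12])
        return width, height
    if data.startswith(b"\xff\x4f\xff\x51") and len(data) >= 24:
        # After SOC/SIZ/Lsiz/Rsiz: Xsiz, Ysiz, XOsiz, YOsiz (big-endian u32)
        xsiz, ysiz, xo, yo = struct.unpack(">IIII", data[8:24])
        return xsiz - xo, ysiz - yo
    raise ValueError("neither JP2 nor a raw JPEG 2000 codestream")

def wrap_jpx_in_pdf(jpx, width, height):
    """Build a one-page PDF whose only image is `jpx` behind /JPXDecode."""
    def stream(entries, body):
        return b"<< %s /Length %d >>\nstream\n%s\nendstream" % (entries, len(body), body)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 300 300] "
        b"/Resources << /XObject << /Im0 4 0 R >> >> /Contents 5 0 R >>",
        stream(b"/Type /XObject /Subtype /Image /Width %d /Height %d "
               b"/Filter /JPXDecode" % (width, height), jpx),
        stream(b"", b"q 200 0 0 200 50 50 cm /Im0 Do Q"),   # draw the image
    ]
    out, offsets = bytearray(b"%PDF-1.5\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))            # byte offset for the xref table
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref)
    return bytes(out)

if __name__ == "__main__":                  # usage: wrap.py testcase.jp2 out.pdf
    jpx = open(sys.argv[1], "rb").read()
    open(sys.argv[2], "wb").write(wrap_jpx_in_pdf(jpx, *jpx_dimensions(jpx)))
```

Render the output with the PDFium build under test, for example its `pdfium_test` binary built with AddressSanitizer, and check for a crash or sanitizer report.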


Denis Legashov

May 27, 2019, 9:30:57 AM
to pdfium
Hi,

It looks like OpenJpeg has fixed both vulnerabilities and released a new version, OpenJpeg 2.3.1. Do you plan to upgrade this library to the newest version?

Best Regards,
Denis.


Lei Zhang

May 28, 2019, 7:53:32 PM
to Denis Legashov, pdfium

Denis Legashov

May 29, 2019, 5:56:11 AM
to pdfium
Great news, thank you!

On Wednesday, May 29, 2019 at 2:53:32 UTC+3, Lei Zhang wrote:
Thanks for keeping an eye on this. I've filed
https://bugs.chromium.org/p/pdfium/issues/detail?id=1309
