Zotero uses Xpdf 3.02 whilst Xpdf 3.03 fixes numerous security issues
245 views
Skip to first unread message
Pete Boyd
Jan 14, 2014, 10:39:24 AM1/14/14
to zoter...@googlegroups.com
Hi. Zotero's custom version of Xpdf (pdfinfo-Win32.exe and pdftotext-Win32) [1] is version 3.02. Xpdf 3.03 (from 15 August 2011) fixed these security issues:
- Commented out the t1lib section in the configure script -- t1lib has some potential security holes, and hasn't been updated in years.
- Fixed a buffer overflow security hole in StreamPredictor.
- Rewrote the CCITTFax decoder inner loop - this fixes a security hole.
- Fixed two security holes (missing bounds checks) in the DCT decoder.
- Fixed a security hole: Gfx.parser was not being initialized to NULL.
- Fixed a security hole: integer bounds check in the Type 1 encoding parser in FoFiType1.cc.
Should you upgrade to Xpdf 3.03?
[1]
https://github.com/hdl645/zotero
http://www.zotero.org/download/xpdf/pdfinfo-Win32.exe-3.02
http://www.zotero.org/download/xpdf/pdftotext-Win32.exe-3.02
- Commented out the t1lib section in the configure script -- t1lib has some potential security holes, and hasn't been updated in years.
- Fixed a buffer overflow security hole in StreamPredictor.
- Rewrote the CCITTFax decoder inner loop - this fixes a security hole.
- Fixed two security holes (missing bounds checks) in the DCT decoder.
- Fixed a security hole: Gfx.parser was not being initialized to NULL.
- Fixed a security hole: integer bounds check in the Type 1 encoding parser in FoFiType1.cc.
Should you upgrade to Xpdf 3.03?
[1]
https://github.com/hdl645/zotero
http://www.zotero.org/download/xpdf/pdfinfo-Win32.exe-3.02
http://www.zotero.org/download/xpdf/pdftotext-Win32.exe-3.02
Rick Karnesky
Jan 15, 2014, 11:30:11 AM1/15/14
to zoter...@googlegroups.com
It isn't a bad idea. The text extractor has had a number of improvements that might improve indexing (particularly for word ordering & non-LTR texts). While some of the listed vulnerable functions don't get exercised by pdftotext or pdfinfo, others seem to.
It might also be worth considering poppler again. On one of my dev machines, I had been using the poppler versions of the utilities & they're close to being drop-in replacements...that have better upstream maintenance.
--Rick
It might also be worth considering poppler again. On one of my dev machines, I had been using the poppler versions of the utilities & they're close to being drop-in replacements...that have better upstream maintenance.
--Rick
Pete Boyd
Jan 24, 2014, 5:10:50 AM1/24/14
to zoter...@googlegroups.com
LibreOffice has moved from Xpdf to Poppler for their next major release, 4.2.0 (https://bugs.freedesktop.org/show_bug.cgi?id=38878).
Reply all
Reply to author
Forward
0 new messages