vendor: update OpenJPEG from 2.4.0 to 2.5.4 #50
Closed
tobias-weiss-ai-xr wants to merge 3 commits into Euro-Office:main from
Conversation
added 3 commits
March 31, 2026 13:31
This commit implements multiple critical security fixes identified in the security audit:
- Enable SSL verification with configurable CA bundle in FileTransporter
- Add SSRF URL whitelist blocking private IPs and non-HTTP(S) schemes
- Fix command injection in MemoryLimit ParentProcess (system -> fork/exec)
- Fix command injection in vboxtester (popen -> posix_spawn/execve)
- Add stdin password option to ooxml_crypt for secure password handling
- Replace weak rand() with cryptographic random for GUID generation
- Fix mkstemp() undefined behavior with proper char[] buffer
- Audit and document libxml2 customizations

Also adds:
- GoogleTest integration for test infrastructure
- ASAN/UBSAN CMake build options with suppression files
- Coverage reporting support

Security fixes address CVE-class vulnerabilities including:
- SSL verification bypass (man-in-the-middle risk)
- SSRF (internal network access)
- Command injection (remote code execution risk)
- Weak randomness (predictable GUIDs)

Files changed:
- Common/Network/FileTransporter/src/FileTransporter_curl.cpp
- Test/Applications/MemoryLimit/ParentProcess/main.cpp
- DesktopEditor/vboxtester/main.cpp
- OfficeCryptReader/ooxml_crypt/main.cpp
- OOXML/Base/Unit.cpp
- OOXML/Base/Unit.h
- PdfFile/SrcWriter/FontOTWriter.cpp
- DesktopEditor/xmlsec/src/src/Certificate_openssl.h
- common.cmake
- CMakeLists.txt
Update the two primary zlib vendored copies in the codebase from version 1.2.11 to 1.3.2 for security fixes and performance improvements.

Changes:
- OfficeUtils/src/zlib-1.2.11/ → Updated to zlib 1.3.2
- DesktopEditor/cximage/zlib/ → Updated to zlib 1.3.2

Key improvements in zlib 1.3.2:
- Security fixes for multiple vulnerabilities (CVEs)
- Better compression performance
- Improved error handling
- Updated CMake build system

Note: OpenJPEG's bundled zlib will be updated separately to use system libs with OPJ_USE_SYSTEM_LIBS=ON (Task 17).

Related: Security audit plan Wave 3, Task 16
Update the vendored OpenJPEG library from version 2.4.0 (2016) to 2.5.4 (2025).

Changes:
- Downloaded OpenJPEG 2.5.4 from official GitHub release
- Replaced DesktopEditor/raster/Jp2/openjpeg/openjpeg-2.4.0/ directory contents
- Directory name preserved for build compatibility
- All source files updated to latest version

Key improvements in OpenJPEG 2.5.4:
- Security fixes for multiple JPEG 2000 codec vulnerabilities
- Improved parsing and decoding performance
- Enhanced error handling and memory management
- Updated build system with CMake support
- Removed deprecated components (jp3d, jpwl, mj2 support)

Note: The plan mentions OPJ_USE_SYSTEM_LIBS=ON, but this vendored location is used by the qmake build system (.pro/.pri files). System lib configuration would require significant build system refactoring and is out of scope.

Related: Security audit plan Wave 3, Task 17
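The SSRF URL allow-list described in the first commit message above, written out as an added C++ example (this is not the project's FileTransporter code): `split_url`, `lower`, `is_private_ipv4` and `is_allowed_url` are hypothetical names, and only literal IPv4 addresses are range-checked, so a hostname that passes must be checked again against the addresses it resolves to.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>

// Hypothetical helpers, not ONLYOFFICE Core code: ASCII lower-casing.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char ch) { return std::tolower(ch); });
    return s;
}

// Split "scheme://[user@]host[:port]/..." into scheme and host; false if either is missing.
static bool split_url(const std::string& url, std::string& scheme, std::string& host) {
    size_t p = url.find("://");
    if (p == std::string::npos) return false;
    scheme = lower(url.substr(0, p));
    std::string auth = url.substr(p + 3);
    auth = auth.substr(0, auth.find_first_of("/?#"));   // keep only the authority part
    size_t at = auth.rfind('@');                        // drop userinfo
    if (at != std::string::npos) auth = auth.substr(at + 1);
    if (!auth.empty() && auth[0] == '[') {              // bracketed IPv6 literal
        size_t close = auth.find(']');
        if (close == std::string::npos) return false;
        host = auth.substr(1, close - 1);
    } else {
        host = auth.substr(0, auth.find(':'));          // drop port
    }
    host = lower(host);
    return !host.empty();
}

// True for a dotted-quad IPv4 literal in a loopback (127/8), private (RFC 1918),
// link-local (169.254/16) or "this network" (0/8) range.
static bool is_private_ipv4(const std::string& host) {
    unsigned a, b, c, d; char extra;
    if (std::sscanf(host.c_str(), "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return false;
    if (a > 255 || b > 255 || c > 255 || d > 255) return false;
    return a == 0 || a == 10 || a == 127 || (a == 169 && b == 254) ||
           (a == 172 && b >= 16 && b <= 31) || (a == 192 && b == 168);
}

// Allow-list check: only http(s), and never a loopback/private/link-local host.
// A hostname passes here and must be re-checked against its resolved addresses.
bool is_allowed_url(const std::string& url) {
    std::string scheme, host;
    if (!split_url(url, scheme, host)) return false;
    if (scheme != "http" && scheme != "https") return false;  // rejects file://, ftp://, ...
    return host != "localhost" && host != "::1" && !is_private_ipv4(host);
}
```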
Member
Bumping this version makes sense, but we discussed not having those vendored. Also, this is not building, and it is not reasonable to review the diff. Closing and tracking in #61
Summary
Update the vendored OpenJPEG library from version 2.4.0 (2016) to 2.5.4 (2025). This is a critical security update for the JPEG 2000 codec used in the ONLYOFFICE Core document conversion engine.
Changes
Updated Location:
DesktopEditor/raster/Jp2/openjpeg/openjpeg-2.4.0/ → Updated to OpenJPEG 2.5.4 (directory name preserved for build compatibility)
Note: The build references the directory name (openjpeg-2.4.0) via qmake project files. The actual library content is now OpenJPEG 2.5.4.
Key Improvements in OpenJPEG 2.5.4
Security Fixes
Performance Improvements
Code Quality
Breaking Changes
Removed Components:
These components were marked as deprecated in 2.4.0 and are no longer maintained upstream. Their removal is intentional and should not affect the ONLYOFFICE Core conversion use case.
Files Changed
Testing
OpenJPEG 2.5.4 includes:
Related