OpenJPEG Security Issue #629

Closed
kysko opened this Issue Oct 5, 2016 · 12 comments

@kysko

commented Oct 5, 2016

Just to inform the developer, in case he's busy:

exploitable code execution vulnerability exists in the jpeg2000 image file format parser as implemented in the OpenJpeg library (...) used by many popular PDF renderers. Most notably Poppler, MuPDF and Pdfium

CVE-2016-8332

@piklet

commented Oct 11, 2016

Codec update link to assist developer:

The OpenJPEG codec version 2.1.2 was released 28th September 2016 and patches the security hole.
http://www.openjpeg.org/2016/09/28/OpenJPEG-2.1.2-released

General info article at: http://thehackernews.com/2016/10/openjpeg-exploit-hack.html

@beerisgood

commented Oct 14, 2016

Please fix that security issue.

@tnla

commented Oct 21, 2016

Hmm, seems like the developer doesn't care about fixing this serious security issue. Are there any PDF readers that have fixed this issue and are worth switching to?

Thanks..

@beerisgood

commented Oct 21, 2016

MuPDF.
The dev fixed that, but the release doesn't have that included yet, only the git build.
http://bugs.ghostscript.com/show_bug.cgi?id=697230
MuPDF: http://mupdf.com

@beerisgood

commented Nov 4, 2016

push

The thread is now 2 months open and still no fix.

@kysko

Author

commented Nov 5, 2016

Hmmm.... no, one month.
In any case, use another/more secure reader.

@SumatraPeter

commented Nov 12, 2016

Well, one can always build from source using latest fixed mupdf. Other than that one option for end users might have been to use a recent pre-release build, but unfortunately it looks like the last one dates back to 2016-08-14. I suppose unless a new pre-release build is uploaded one can only wait for the next stable build or use something else meanwhile if you're very concerned about the issue.

@beerisgood

commented Nov 13, 2016

A pre-release with the security fix would be enough until the final build is finished.
I wonder why the dev needs so long to fix the problem.

@SumatraPeter

commented Nov 14, 2016

> I wonder why the dev needs so long to fix the problem.

Come on, it's fantastic, free and open source and the dev must have a day job to pay the bills and real life issues too. While users who can't compile it themselves would certainly appreciate an updated pre-release build at least, let's not try and act in an entitled and/or petty manner.

@kjk @zeniko Would it be possible to update http://www.sumatrapdfreader.org/prerelease.html with a new build? Thank you.

@beerisgood

commented Jan 13, 2017

push

@tnla

commented Feb 23, 2017

Hello, is the vulnerability fixed in the latest build (2016-11-26) at https://www.sumatrapdfreader.org/prerelease.html?

@SumatraPeter @kjk

@kjk closed this in 1655fc4 Apr 19, 2017

@kjk

Member

commented Apr 19, 2017

Latest pre-release has been updated with this change: https://www.sumatrapdfreader.org/prerelease.html
