Sumatrapdf: OpenJPEG Security Issue

Created on 5 Oct 2016  路  12Comments  路  Source: sumatrapdfreader/sumatrapdf

Just to inform developer, in case he's busy:

exploitable code execution vulnerability exists in the jpeg2000 image file format parser as implemented in the OpenJpeg library (...) used by many popular PDF renderers. Most notably Poppler, MuPDF and Pdfium

CVE-2016-8332

Most helpful comment

Latest pre-release has been updated with this change: https://www.sumatrapdfreader.org/prerelease.html

All 12 comments

Codec update link to assist developer:

The OpenJPEG codec version 2.1.2 was released 28th September 2016 and patches the security hole.
http://www.openjpeg.org/2016/09/28/OpenJPEG-2.1.2-released

General info article at: http://thehackernews.com/2016/10/openjpeg-exploit-hack.html

Please fix that security issue.

Hmm, seems like the developer doesn't care about fixing this serious security issue. Are there any PDF readers that have fixed this issue and are worth switching to?

Thanks..

MuPDF.
The dev fix that, but the release doesn't have that included yet, only the git build.
http://bugs.ghostscript.com/show_bug.cgi?id=697230
MuPDF: http://mupdf.com

_push_

The thread is now 2 month open and still no fix.

Hmmm.... no, one month.
In any case, use other/more secure reader.

Well, one can always build from source using latest fixed mupdf. Other than that one option for end users might have been to use a recent pre-release build, but unfortunately it looks like the last one dates back to 2016-08-14. I suppose unless a new pre-release build is uploaded one can only wait for the next stable build or use something else meanwhile if you're very concerned about the issue.

A pre-release with the security fix would be enough until the final build is finish.
I wonder why the dev need so long to fix the problem.

I wonder why the dev need so long to fix the problem.

Come on, it's fantastic, free and open source and the dev must have a day job to pay the bills and real life issues too. While users who can't compile it themselves would certainly appreciate an updated pre-release build at least, let's not try and act in an entitled and/or petty manner.

@kjk @zeniko Would it be possible to update http://www.sumatrapdfreader.org/prerelease.html with a new build? Thank you.

push

Hello, is the vulnerability fixed in the latest build (2016-11-26) at https://www.sumatrapdfreader.org/prerelease.html?

@SumatraPeter @kjk

Latest pre-release has been updated with this change: https://www.sumatrapdfreader.org/prerelease.html

Was this page helpful?
0 / 5 - 0 ratings