Just to inform developer, in case he's busy:
exploitable code execution vulnerability exists in the jpeg2000 image file format parser as implemented in the OpenJpeg library (...) used by many popular PDF renderers. Most notably Poppler, MuPDF and Pdfium
Codec update link to assist developer:
The OpenJPEG codec version 2.1.2 was released 28th September 2016 and patches the security hole.
http://www.openjpeg.org/2016/09/28/OpenJPEG-2.1.2-released
General info article at: http://thehackernews.com/2016/10/openjpeg-exploit-hack.html
Please fix that security issue.
Hmm, seems like the developer doesn't care about fixing this serious security issue. Are there any PDF readers that have fixed this issue and are worth switching to?
Thanks..
MuPDF.
The dev fix that, but the release doesn't have that included yet, only the git build.
http://bugs.ghostscript.com/show_bug.cgi?id=697230
MuPDF: http://mupdf.com
_push_
The thread is now 2 month open and still no fix.
Hmmm.... no, one month.
In any case, use other/more secure reader.
Well, one can always build from source using latest fixed mupdf. Other than that one option for end users might have been to use a recent pre-release build, but unfortunately it looks like the last one dates back to 2016-08-14. I suppose unless a new pre-release build is uploaded one can only wait for the next stable build or use something else meanwhile if you're very concerned about the issue.
A pre-release with the security fix would be enough until the final build is finish.
I wonder why the dev need so long to fix the problem.
I wonder why the dev need so long to fix the problem.
Come on, it's fantastic, free and open source and the dev must have a day job to pay the bills and real life issues too. While users who can't compile it themselves would certainly appreciate an updated pre-release build at least, let's not try and act in an entitled and/or petty manner.
@kjk @zeniko Would it be possible to update http://www.sumatrapdfreader.org/prerelease.html with a new build? Thank you.
push
Hello, is the vulnerability fixed in the latest build (2016-11-26) at https://www.sumatrapdfreader.org/prerelease.html?
@SumatraPeter @kjk
Latest pre-release has been updated with this change: https://www.sumatrapdfreader.org/prerelease.html
Most helpful comment
Latest pre-release has been updated with this change: https://www.sumatrapdfreader.org/prerelease.html