Sumatra PDF Reader forum

Small, fast, free PDF, EPUB, MOBI, CHM, DJVU, CBR, CBZ reader for Windows

critical vulnerabilities - build source? update mupdf?

There are several unpatched critical vulnerabilities in the latest version of SumatraPDF and also in the latest prerelease version, as described in these issues

https://github.com/sumatrapdfreader/sumatrapdf/issues/605
https://github.com/sumatrapdfreader/sumatrapdf/issues/629

Some time has passed without a fix. This is free open source software (and other software) and no of use users has any ground to demand anything and developers have day jobs to prioritize. Still, a fix is urgent.

Can we the community of SumatraPDF users do anything to move things forward?

I can think of two things. One is to set up and donate to a bounty (money reward) for whoever submits a robust fix to the issues to the SumatraPDF github repo.

Another is to if needed make the steps needed to add a fix easier. To add and test a fix would involve building SumatraPDF from source. I haven't built it myself. But currently there is this instruction page
https://github.com/sumatrapdfreader/sumatrapdf/wiki/Premake5-build-system
The instruction clearly assumes the reader already knows many things about building and building environments. But perhaps there are some steps to clarify there? I know too little to tell if the answer is yes or no. But perhaps someone else can answer that.

Any other suggestions on what we users could do, apart from, as a precaution, not reading any newly downloaded pdf files in SumatraPDF until the issues are fixed?
eri on November 19, 2016
I bungled a sentence in the third paragraph above. It should instead read
"This is free open source software none of us users has any grounds to demand ..."
eri on November 19, 2016
If I understand the bug reports (click through from issues links above) the fix involves updating the mupdf components in SumatraPDF.

This is the mupdf source from two days ago, 2016-11-17
http://mupdf.com/downloads/archive/mupdf-1.10-rc2-source.tar.gz

There is also a binary from the same date
http://mupdf.com/downloads/archive/mupdf-1.10-rc2-windows.zip
eri on November 19, 2016
I'm worried that this issue has not been resolved for such a long time.
Oliver on November 29, 2016
I am worried too.

If no patch is forthcoming very soon then perhaps the responsible thing to do might be to, if possible, get the devs to push out a warning to users who have enabled automatic checks for enabled. "Warning! A critical bug makes SumatraPDF no longer safe to use with files downloaded from the internet".

Two other issues:

Is there some tool to prescan downloaded pdf files to see if they contain the exploit? That way Sumatra could still be used on downloaded pdf files that pass that test.

Can the effects of the exploit be prevented by running Sumatra in a sandboxing tool like Sandboxie?
eri on December 4, 2016
Are the fixes included in the latest pre-release?
Jazz on December 5, 2016
