
Sumatra PDF Reader forum

Small, fast, free PDF, EPUB, MOBI, CHM, DJVU, CBR, CBZ reader for Windows

SumatraPDF critical vulnerabilities, status?

The months old forum threads about unpatched vulnerabilities in SumatraPDF have no comments from any Sumatra maintainer.

http://forums.fofou.org/sumatrapdf/topic?id=3185291
http://forums.fofou.org/sumatrapdf/topic?id=3185315

Maintainers/devs, please inform us about the status of the current prerelease "built on 2016-11-26"
http://www.sumatrapdfreader.org/prerelease.html
Does that prerelease version fix the vulnerabilities?

The latest standard version, from 2016-08-14, is unpatched. Until a patched version is released, should not the maintainer remove all downloads of the vulnerable version or at minimum post a big warning text "VULNERABLE! DO NOT USE WITH ANY UNTRUSTED PDF"?
eri on January 12, 2017
well the answer is no
the last change to openjpeg was done 3 years ago
https://github.com/sumatrapdfreader/sumatrapdf/tree/master/ext/openjpeg
according to the openjpeg devs the current security fix 2.1.2 has no api/abi changes to the one sumatrapdf uses (2.1.0)
https://github.com/uclouvain/openjpeg/blob/v2.1.2/NEWS.md
unfortunately sumatra does not use a vanilla library; they've tweaked the openjpeg code, so an in-place replacement is not possible, but it shouldn't be too difficult.
*$* on January 20, 2017
Thanks for that. Do you know the source well enough to say more about what customizations to openjpeg SumatraPDF has done or what other code parts in SumatraPDF that need to change for a vanilla openjpeg dropin to work? Even partial information like that can on the margin increase the chance of a patch.

A patched/updated openjpeg is best. But let us also think about other intermediary alternatives.

Can SumatraPDF display text only pdf files without openjpeg?
If yes, can openjpeg be easily disabled in source?
If yes, then a prerelease with openjpeg disabled would be a valuable goal. If 90% of SumatraPDF use is for documents that do not need openjpeg then such an intermediate fix would go a long way.

Another question, from my older post, is if there is some other tool that can be used to prescan downloaded pdf files to see if they contain an openjpeg exploit. With such a tool Sumatra could still be safely used on downloaded pdf files if they're greenlighted by the tool.
eri on January 21, 2017
One more comment. It is remarkable that the SumatraPDF maintainer AFAICT has made no public comment on the months-old critical vulnerabilities.

I don't doubt that the license keeps the maintainer legally isolated from any effects on users if the vulnerabilities are exploited. But if (when?) exploits happen that would reflect badly on the maintainer's reputation.

I know: FOSS software. No one user has any right to patches or updates. Yes. But doesn't the maintainer have a responsibility to at minimum inform new and old users of known vulnerabilities in the software he hosts?
eri on January 21, 2017
it was zeniko that did most of the external dependencies and extra features and unfortunately he's been gone for over a year
the change they (zeniko) did to the vanilla openjpeg 2.1.0 is here
https://github.com/sumatrapdfreader/sumatrapdf/blob/master/ext/_patches/openjpeg.patch
they did fix some overflows; I'm not sure if those were the security holes. I think only zeniko can answer if sumatra is vulnerable to the openjpeg bug.
this is an open project and, with all the external dependencies, too big for one man to manage; as this is done in their spare time I don't think Krzysztof can manage it on his own
*$* on January 21, 2017
this is an open source project and you use it at your own risk, the developers are not liable for anything
openjpeg is used for decoding jpeg2000 images, and while it is almost 20 years old, people still prefer and use the 40-year-old jpeg format; I'm not sure I've ever opened a pdf file that used jpeg 2000 compression, most pdf generators still default to ordinary jpeg. removing the jpeg2000 library is not as simple as it sounds because libmupdf also needs it. I really think Krzysztof could fix this in an afternoon if he had the time
*$* on January 21, 2017
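One way to do the prescan eri asks about above, given $'s point that openjpeg is only reached when a PDF carries JPEG 2000 image data. This is an added example, not part of the thread or of SumatraPDF: a small Python triage script that flags PDFs which would hand data to the JPX (OpenJPEG) decoder, checking for the /JPXDecode filter, raw JP2/J2K codestream bytes, and /JPXDecode hidden inside Flate-compressed object streams where a plain grep would miss it. It is a heuristic that does not parse PDF objects and cannot tell an exploit from a benign JPEG 2000 image; the sample PDFs are constructed inline.

```python
import re
import zlib

# Indicators that a PDF will hand data to the JPX (JPEG 2000) decoder, which in
# SumatraPDF/MuPDF is OpenJPEG: the /JPXDecode filter name, the JP2 file-format
# signature box, and the raw J2K codestream SOC+SIZ marker pair.
JPX_FILTER = re.compile(rb"/JPXDecode\b")
JP2_SIGNATURE = b"\x00\x00\x00\x0cjP  \r\n\x87\n"
J2K_SOC_SIZ = b"\xff\x4f\xff\x51"
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def find_jpx_indicators(pdf: bytes) -> list:
    """Return the distinct reasons this PDF looks like it contains JPEG 2000 data."""
    hits = set()
    if JPX_FILTER.search(pdf):
        hits.add("JPXDecode filter in an uncompressed object")
    if JP2_SIGNATURE in pdf or J2K_SOC_SIZ in pdf:
        hits.add("JPEG 2000 codestream bytes")
    # PDF 1.5+ files may keep image dictionaries inside Flate-compressed object
    # streams (/Type /ObjStm), where a plain byte search never sees "/JPXDecode".
    # Inflate every stream that decodes as zlib and re-check the inflated text.
    for m in STREAM_RE.finditer(pdf):
        try:
            inflated = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not a Flate stream (e.g. JPEG or JPX image data)
        if JPX_FILTER.search(inflated):
            hits.add("JPXDecode filter inside a compressed object stream")
    return sorted(hits)


def _pdf_with_stream(dictionary: bytes, body: bytes) -> bytes:
    """Build a constructed, minimal PDF-like byte string around one stream object."""
    return (b"%PDF-1.5\n1 0 obj\n<< " + dictionary + b" /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")


# Constructed samples: an ordinary JPEG image, a JPEG 2000 image, and a JPX image
# whose dictionary is hidden inside a Flate-compressed object stream.
SAMPLE_JPEG = _pdf_with_stream(
    b"/Type /XObject /Subtype /Image /Filter /DCTDecode", b"\xff\xd8\xff\xe0JFIF")
SAMPLE_JPX = _pdf_with_stream(
    b"/Type /XObject /Subtype /Image /Filter /JPXDecode", JP2_SIGNATURE)
SAMPLE_HIDDEN_JPX = _pdf_with_stream(
    b"/Type /ObjStm /N 1 /First 4 /Filter /FlateDecode",
    zlib.compress(b"2 0 << /Type /XObject /Subtype /Image /Filter /JPXDecode >>"))

if __name__ == "__main__":
    for name, data in [("jpeg", SAMPLE_JPEG), ("jpx", SAMPLE_JPX), ("hidden", SAMPLE_HIDDEN_JPX)]:
        print(name, find_jpx_indicators(data) or "no JPEG 2000 indicators")
```

A file with no indicators never reaches openjpeg in the reader, while a flagged file only means the JPX decoder would run, so it belongs in the "do not open with the unpatched build" pile rather than the "malicious" pile.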
"removing the jpeg2000 library is not as simple as it sounds because libmupdf also needs it"

Ok, hard to say then if it is more work to update openjpeg or to remove it.

In general though, removing dependencies and features might be a realistic strategy for SumatraPDF going forward. It is bizarre to see new feature requests in the forum and on github (toolbar this and toolbar that!) while vulnerabilities are unfixed.
eri on January 22, 2017
For readers new to this issue, here are direct links to the issues and background information about the vulnerability.

https://github.com/sumatrapdfreader/sumatrapdf/issues/605
https://github.com/sumatrapdfreader/sumatrapdf/issues/629
http://thehackernews.com/2016/10/openjpeg-exploit-hack.html

"Researchers have disclosed a critical zero-day vulnerability in the JPEG 2000 image file format parser implemented in OpenJPEG library, which could allow an attacker to remotely execute arbitrary code on the affected systems."

"The vulnerability has been assigned a CVSS score of 7.5, categorizing it as a high-severity bug."
eri on January 22, 2017
"It is remarkable that the SumatraPDF maintainer AFAICT has made no public comment on the months-old critical vulnerabilities"

A polite wording, eri!

One must not use Sumatra PDF as a PDF reader for documents from untrusted sources, IOW "the internet".

Very sad, I liked it very much and I only know much more bloated or otherwise bad alternatives.
Oliver on January 24, 2017
I really think we should avoid using the terms bugs and vulnerabilities
we should just ask for an update to openjpeg; it would get done a lot faster. according to the openjpeg devs there have been no api changes between openjpeg 2.1.0, which sumatra uses, and the bugfix 2.1.2 release
all that needs to be done is reapply part of the patches zeniko did for a new build
I tried doing it myself but I'm not a programmer and ended up with a few linking errors, maybe someone more knowledgeable can replace the library and offer the update on github?
ia on January 24, 2017
"we should avoid using the terms bugs and vulnerabilities"

Why? Do you think the above are not vulnerabilities or do not affect SumatraPDF? How do you know?

"according to the openjpeg devs there have been no api changes between openjpeg 2.1.0 that sumatra uses and bugfix 2.1.2 release"

Source?

User $ linked to this before
https://github.com/sumatrapdfreader/sumatrapdf/blob/master/ext/_patches/openjpeg.patch
Do you think that is the only file that needs to be modified before a new version of openjpeg can be applied? I'm no programmer either; I only know a little python. I've tried to build SumatraPDF once but didn't succeed.
eri on January 26, 2017
Source?
https://github.com/uclouvain/openjpeg/blob/v2.1.2/NEWS.md

OpenJPEG NEWS

More details in the Changelog
OpenJPEG 2.1.2

Bug fixes (including security fixes)
No API/ABI break compared to v2.1.1

OpenJPEG 2.1.1

Huge amount of critical bugfixes
Speed improvements
No API/ABI break compared to v2.1
ia on January 26, 2017

Powered by fofou, created by Krzysztof Kowalczyk