[tor-bugs] #7501 [Applications/Tor Browser]: Audit PDF.js
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Oct 12 14:16:11 UTC 2017
#7501: Audit PDF.js
--------------------------------------+--------------------------
 Reporter:  mikeperry                 |          Owner:  gk
     Type:  task                      |         Status:  assigned
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-security              |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------
Comment (by cypherpunks):
According to the top comment in this thread on HN
https://news.ycombinator.com/item?id=15167104

> PDFium used by Chrome internally uses Foxit PDF library to read and
> extract information from the PDF.
>
> Google basically bought Foxit's library and open sourced it - but looks
> like the open source version isn't keeping up with the upstream commercial
> version of Foxit because the latest Foxit reader doesn't seem to have this
> bug.

If this is true, and the commercial version is years ahead of the open
source version in terms of security fixes, then it's a serious security
issue. One wonders why they didn't go for Evince which was always open
source and cross-platform. Anyway, one should keep that in mind and if
possible lobby Mozilla to look into this.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7501#comment:22>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online