- Bug
- Resolution: Fixed
- Major
- 5.11.0
- None
- Security Level: Jimmy
- None
Steps to Reproduce
https://nvd.nist.gov/vuln/detail/CVE-2017-9096#range-6067478
Current Result
The vulnerability concerns iText's XML parser. That parser is never used by the Keikai feature that exports a PDF; it exists to read and parse XML files. Keikai's use of iText is quite limited: it only produces a PDF file from a Book object with iText and never reads any XML content. So the vulnerability does not affect Keikai.
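One way to back up the reachability claim above with the shipped bytecode rather than by inspection, as an added example that is not Keikai's or iText's own code: scan compiled classes for references to iText's XML-reading classes. The names in `XML_PARSER_PREFIXES` are assumptions about where that code lives in iText 2.1.7, and `fake_class` builds constructed sample input.

```python
import struct
from typing import Iterable, Set

# Assumed iText 2.1.7 XML-reading code: the com.lowagie.text.xml package plus
# the XfaForm/XfdfReader classes (JVM internal names use '/' separators).
XML_PARSER_PREFIXES = ("com/lowagie/text/xml/",
                       "com/lowagie/text/pdf/XfaForm",
                       "com/lowagie/text/pdf/XfdfReader")

# Payload size of each fixed-width constant-pool entry, keyed by its tag byte.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def utf8_constants(class_bytes: bytes) -> Set[str]:
    """Every CONSTANT_Utf8 string in a .class file's constant pool."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", class_bytes[8:10])[0]  # entries are 1..count-1
    pos, idx, found = 10, 1, set()
    while idx < count:
        tag = class_bytes[pos]
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the bytes
            length = struct.unpack(">H", class_bytes[pos + 1:pos + 3])[0]
            found.add(class_bytes[pos + 3:pos + 3 + length].decode("utf-8", "replace"))
            pos += 3 + length
        else:
            pos += 1 + _FIXED[tag]
        idx += 2 if tag in (5, 6) else 1  # long/double occupy two slots
    return found

def xml_parser_references(classes: Iterable[bytes]) -> Set[str]:
    """iText XML-parser class names referenced from any of the given classes."""
    hits = set()
    for blob in classes:
        hits.update(s for s in utf8_constants(blob) if s.startswith(XML_PARSER_PREFIXES))
    return hits

def fake_class(*names: str) -> bytes:
    """Constructed sample: a minimal class file whose pool holds only Utf8 entries."""
    pool = b"".join(struct.pack(">BH", 1, len(n.encode())) + n.encode() for n in names)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 49, len(names) + 1) + pool

if __name__ == "__main__":
    # An exporter that only writes PDFs versus one that pulls in the XML parser.
    exporter = fake_class("com/lowagie/text/pdf/PdfWriter", "com/lowagie/text/Document")
    importer = fake_class("com/lowagie/text/xml/XmlParser")
    print(xml_parser_references([exporter]))            # set()
    print(xml_parser_references([exporter, importer]))  # {'com/lowagie/text/xml/XmlParser'}
```

Feeding it the `.class` entries of a built Keikai jar (read with `zipfile`) checks the "never reads any XML content" claim against what actually ships. It only catches direct constant-pool references, so reflective loading would need a separate check.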
Expected Result
Debug Information
- iText changed its license after version 2, and the MPL/LGPL license we use is no longer available in iText 5 and later versions. Because of this change, we cannot simply upgrade the iText version.
Potential Solutions
1. Consider replacing it with https://github.com/LibrePDF/OpenPDF
2. Fork the iText 2.1.7 open-source repository, remove the XML parser, and build our own version
- relates to: KEIKAI-410 Issue1028Test complains iText 2.1.7 (Closed)