KEIKAI-639

iText 2.1 security vulnerability


    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • 5.12.0
    • 5.11.0
    • Security Level: Jimmy

      Steps to Reproduce

      https://nvd.nist.gov/vuln/detail/CVE-2017-9096#range-6067478

      Current Result

      The vulnerability is in iText's XML parser, the component that reads and parses XML files. Keikai's use of iText is quite limited: the only feature that touches it is PDF export, which produces a PDF file from a Book object with iText and never reads any XML content, so that parser is never used. The vulnerability therefore does not affect Keikai.
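A way to back up the "parser never used" assessment with evidence rather than code reading, added here as an example and not code from the Keikai project: scan the compiled classes in the application's jar for any constant-pool reference to iText's XML-parser package. The package name `com.lowagie.text.xml`, the sample class names and the sample jar are assumptions constructed for the demo; the scan is a string heuristic over class files, not a call graph.

```python
import io
import re
import zipfile

# Internal (slash-separated) form in which class references appear in the
# constant pool of a compiled .class file. Assumed location of the iText 2.x
# XML parser; verify against the iText jar you actually ship.
SUSPECT_PACKAGE = b"com/lowagie/text/xml/"


def referenced_classes(jar_bytes: bytes, package_prefix: bytes = SUSPECT_PACKAGE):
    """Return {class_in_jar: sorted(referenced class names under package_prefix)}.

    Only classes that name something under the package are listed, so an empty
    dict means no class in the jar refers to that package at all.
    """
    pattern = re.compile(rb"(" + re.escape(package_prefix) + rb"[A-Za-z0-9_$/]+)")
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            data = jar.read(name)
            found = sorted({m.group(1).decode() for m in pattern.finditer(data)})
            if found:
                hits[name] = found
    return hits


def build_sample_jar() -> bytes:
    """Constructed sample jar: a fake exporter that only names the PDF writer,
    and a fake importer that names the XML parser (the case the scan must flag).
    The class bodies are stand-ins (magic number plus one constant), not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("app/PdfExporter.class",
                     b"\xca\xfe\xba\xbe" + b"com/lowagie/text/pdf/PdfWriter" + b"\x00")
        jar.writestr("app/XmlImporter.class",
                     b"\xca\xfe\xba\xbe" + b"com/lowagie/text/xml/XmlParser" + b"\x00")
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Run against a real jar: referenced_classes(open("app.jar", "rb").read())
    for cls, refs in referenced_classes(build_sample_jar()).items():
        print(cls, "->", ", ".join(refs))
```

A clean result (empty dict) on the application's own classes supports the "not reachable" claim; a hit means the affected parser is referenced and the assessment needs revisiting.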

      Expected Result


      Debug Information

      • iText changed its license after version 2, and the MPL/LGPL license we use is no longer available in iText 5 and later versions. Because of this change, we cannot simply upgrade the iText version.

      Potential Solutions

      1. Consider replacing it with https://github.com/LibrePDF/OpenPDF
      2. Fork the iText 2.1.7 open-source repository, remove the XML parser, and build our own version

            DevChu
            hawk