Maybe a JPEG / JPEG2000 within the PDF? Or some XMP data within the PDF?
Tilman
On 07.11.2023 16:59, Florian Schlittgen wrote:
Thanks for your feedback.
The Java version I am currently using is corretto-11.0.21, so this is the
up-to-date version of Java 11.
Is the assumption correct that the metadata field 'Profile Version' reflects
the Little CMS version?
Kind regards, Florian
On 07.11.2023 at 16:34, sahy...@fileaffairs.de wrote:
LittleCMS is bundled inside Java so the version being used depends on
your Java version and is not something PDFBox provides directly. So if
you are really using LittleCMS 2.3 you have a very old JDK running and
have not done any updates to that.
With kind regards
Maruan
On Tuesday, 07.11.2023 at 15:40 +0100, Florian Schlittgen wrote:
Hi,
we are using PDFBox in a web application which was recently subjected
to a penetration test. The tester found out that PDFBox is using
'Little CMS' version 2.3.0, at least that's what the metadata of the
generated PDF says:
=======
$ exiftool test.pdf
[…]
Profile CCM Type : Little CMS
Profile Version : 2.3.0
[…]
Device Manufacturer : Little CMS
[…]
Profile Creator : Little CMS
[…]
=======
According to CVEdetails
(https://www.cvedetails.com/vulnerability-list/vendor_id-8840/product_id-15596/Littlecms-Little-Cms-Color-Engine.html),
at least five
vulnerabilities have been published since the release date of the
software in 2011. These include CVE-2013-7455, a vulnerability that
has been given a CVSS rating of 10.0.
How can this be classified from PDFBox's point of view? How should we
deal with this security risk or is it possibly not a risk at all?
Thank you very much for your assessment!
Best regards,
Florian
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: users-h...@pdfbox.apache.org
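
The four exiftool fields quoted in the original question are read from the fixed 128-byte header of an embedded ICC colour profile. The Python sketch below is an added example, not code from the thread or from PDFBox; it decodes those fields at the offsets defined by the ICC profile format, where bytes 8 to 11 carry the version of the ICC specification the profile conforms to. The function names and the sample header are constructed for illustration, and the profile bytes are assumed to have been extracted from the file already.

```python
import struct

ICC_HEADER_LEN = 128  # fixed-size header defined by the ICC profile format


def sig_text(raw: bytes) -> str:
    """Render a 4-byte ICC signature as text ('' when the field is unset)."""
    return raw.rstrip(b"\x00 ").decode("ascii", "replace")


def parse_icc_header(profile: bytes) -> dict:
    """Decode the ICC header fields that exiftool reports for a profile."""
    if len(profile) < ICC_HEADER_LEN:
        raise ValueError("truncated ICC profile: header is 128 bytes")
    if profile[36:40] != b"acsp":
        raise ValueError("missing 'acsp' profile file signature at offset 36")
    (declared_size,) = struct.unpack(">I", profile[0:4])
    # Byte 8 is the major version; byte 9 packs minor and bug-fix as nibbles.
    major = profile[8]
    minor, bugfix = profile[9] >> 4, profile[9] & 0x0F
    return {
        "declared_size": declared_size,
        "preferred_cmm": sig_text(profile[4:8]),          # "Profile CMM Type"
        "spec_version": f"{major}.{minor}.{bugfix}",      # "Profile Version"
        "device_manufacturer": sig_text(profile[48:52]),  # "Device Manufacturer"
        "profile_creator": sig_text(profile[80:84]),      # "Profile Creator"
    }


def build_sample_header() -> bytes:
    """Constructed header carrying the values shown in the exiftool output."""
    hdr = bytearray(ICC_HEADER_LEN)
    hdr[0:4] = struct.pack(">I", ICC_HEADER_LEN)  # profile size (header only)
    hdr[4:8] = b"lcms"                            # preferred CMM signature
    hdr[8:12] = bytes([0x02, 0x30, 0x00, 0x00])   # version 2.3.0
    hdr[36:40] = b"acsp"                          # profile file signature
    hdr[48:52] = b"lcms"                          # device manufacturer
    hdr[80:84] = b"lcms"                          # profile creator
    return bytes(hdr)


if __name__ == "__main__":
    for name, value in parse_icc_header(build_sample_header()).items():
        print(f"{name:20} {value}")
```
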