This is very helpful, thanks for clarification!

> On 07.11.2023 at 23:45, Peter Wyatt <petervwy...@gmail.com> wrote:
>
> If the pen tester is relying on what the Exiftool reports, then they should
> know that it is reporting the version of ICC color profile itself (as per the
> version header field in the ICC file) - not the version of the ICC library
> (lcms). Have them review the exiftool tool source code:
> https://github.com/exiftool/exiftool/blob/master/lib/Image/ExifTool/ICC_Profile.pm
>
>> -----Original Message-----
>> From: Florian Schlittgen <schlitt...@liwa.de>
>> Sent: Wednesday, November 8, 2023 2:59 AM
>> To: users@pdfbox.apache.org
>> Subject: Re: Re: Little CMS
>>
>> Thanks for your feedback.
>> The Java version I am currently using is corretto-11.0.21, so this is the
>> up-to-date version of Java 11.
>> Is the assumption correct that the metadata field 'Profile Version' reflects
>> the Little CMS version?
>>
>> Kind regards, Florian
>>
>>> On 07.11.2023 at 16:34, sahy...@fileaffairs.de wrote:
>>>
>>> LittleCMS is bundled inside Java so the version being used depends on
>>> your Java version and is not something PDFBox provides directly. So if
>>> you are really using LittleCMS 2.3 you have a very old JDK running and
>>> not done any updates to that.
>>>
>>> With kind regards
>>> Maruan
>>>
>>> On Tuesday, 07.11.2023 at 15:40 +0100, Florian Schlittgen wrote:
>>>> Hi,
>>>>
>>>> we are using PDFBox in a web application which was recently subjected
>>>> to a penetration test. The tester found out that PDFBox is using
>>>> 'Little CMS' version 2.3.0, at least that's what the metadata of the
>>>> generated PDF says:
>>>>
>>>> =======
>>>> $ exiftool test.pdf
>>>> […]
>>>> Profile CCM Type : Little CMS
>>>> Profile Version : 2.3.0
>>>> […]
>>>> Device Manufacturer : Little CMS
>>>> […]
>>>> Profile Creator : Little CMS
>>>> […]
>>>> =======
>>>>
>>>> According to the CVEdetails
>>>> (https://www.cvedetails.com/vulnerability-list/vendor_id-8840/product_id-15596/Littlecms-Little-Cms-Color-Engine.html),
>>>> at least five vulnerabilities have been published since the release date
>>>> of the software in 2011. These include CVE-2013-7455, a vulnerability
>>>> that has been given a CVSS rating of 10.0.
>>>>
>>>> How can this be classified from PDFBox's point of view? How should we
>>>> deal with this security risk or is it possibly not a risk at all?
>>>>
>>>> Thank you very much for your assessment!
>>>> Best regards,
>>>> Florian
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org For additional commands, e-mail: users-h...@pdfbox.apache.org
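The point Peter makes about the header fields can be checked directly on the profile bytes rather than through exiftool's labels. The script below is an added example, not code from this thread, from PDFBox or from exiftool: it parses the 128-byte ICC profile header, decodes the version field into the dotted form exiftool shows, and maps the `lcms` signature to the "Little CMS" display name. The byte offsets are assumed from the ICC.1 header layout, the sample header is constructed to carry the same values as the quoted exiftool output, and the helper names are my own.

```python
import struct
import sys

# Byte offsets inside the 128-byte ICC profile header (ICC.1 header layout,
# assumed here from the specification; not taken from PDFBox or exiftool).
OFF_SIZE = 0            # uint32 big-endian: total profile size
OFF_CMM = 4             # 4-byte signature of the preferred CMM, e.g. b"lcms"
OFF_VERSION = 8         # major byte, minor/bugfix nibbles, two reserved bytes
OFF_CLASS = 12          # profile/device class, e.g. b"mntr"
OFF_COLORSPACE = 16     # data colour space, e.g. b"RGB "
OFF_PCS = 20            # profile connection space, e.g. b"XYZ "
OFF_MAGIC = 36          # must read b"acsp"
OFF_MANUFACTURER = 48   # device manufacturer signature
OFF_CREATOR = 80        # profile creator signature
HEADER_LEN = 128

# Display names for well-known signatures; "lcms" is shown as "Little CMS"
# in the exiftool output quoted in the thread.
SIGNATURE_NAMES = {b"lcms": "Little CMS"}


def decode_version(raw: bytes) -> str:
    """Decode the profile version field into the dotted form seen in the thread.

    Byte 0 holds the major version; byte 1 holds the minor version in its
    high nibble and the bug-fix version in its low nibble. So 02 30 00 00
    decodes to "2.3.0": the ICC specification version the profile claims to
    conform to, not the version of the library that wrote it.
    """
    return f"{raw[0]}.{raw[1] >> 4}.{raw[1] & 0x0F}"


def _signature_name(sig: bytes) -> str:
    return SIGNATURE_NAMES.get(sig, sig.decode("latin-1").strip())


def parse_icc_header(data: bytes) -> dict:
    """Return the header fields relevant to the 'which version is this?' question."""
    if len(data) < HEADER_LEN:
        raise ValueError("data shorter than the 128-byte ICC header")
    if data[OFF_MAGIC:OFF_MAGIC + 4] != b"acsp":
        raise ValueError("missing 'acsp' signature: not an ICC profile")

    def sig(off: int) -> bytes:
        return data[off:off + 4]

    return {
        "size": struct.unpack_from(">I", data, OFF_SIZE)[0],
        "cmm_type": _signature_name(sig(OFF_CMM)),
        "profile_version": decode_version(sig(OFF_VERSION)),
        "device_class": sig(OFF_CLASS).decode("latin-1"),
        "color_space": sig(OFF_COLORSPACE).decode("latin-1").strip(),
        "pcs": sig(OFF_PCS).decode("latin-1").strip(),
        "manufacturer": _signature_name(sig(OFF_MANUFACTURER)),
        "creator": _signature_name(sig(OFF_CREATOR)),
    }


def build_sample_header() -> bytes:
    """Constructed sample: a header carrying the same values the thread's
    exiftool output reports (lcms signatures, version field 2.3.0)."""
    h = bytearray(HEADER_LEN)
    struct.pack_into(">I", h, OFF_SIZE, HEADER_LEN)
    h[OFF_CMM:OFF_CMM + 4] = b"lcms"
    h[OFF_VERSION:OFF_VERSION + 4] = bytes([0x02, 0x30, 0x00, 0x00])
    h[OFF_CLASS:OFF_CLASS + 4] = b"mntr"
    h[OFF_COLORSPACE:OFF_COLORSPACE + 4] = b"RGB "
    h[OFF_PCS:OFF_PCS + 4] = b"XYZ "
    h[OFF_MAGIC:OFF_MAGIC + 4] = b"acsp"
    h[OFF_MANUFACTURER:OFF_MANUFACTURER + 4] = b"lcms"
    h[OFF_CREATOR:OFF_CREATOR + 4] = b"lcms"
    return bytes(h)


if __name__ == "__main__":
    # Pass an .icc file (for instance one extracted from a PDF's ICCBased
    # colour space) to inspect it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_header()
    for key, value in parse_icc_header(data).items():
        print(f"{key:>16}: {value}")
```

Run against the constructed sample, `profile_version` comes out as `2.3.0` and the CMM, manufacturer and creator fields all resolve to "Little CMS", which reproduces the exiftool listing in the thread from nothing but the header bytes. The version nibbles describe the ICC specification level the profile was written against; the signatures only record which engine wrote it. Neither field identifies the lcms build, so the place to look for that is the JDK release in use, as Maruan says.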