Audit PDF.js

added component::applications/tor browser owner::tbb-team priority::medium severity::normal status::new tbb-security type::task labels

Bleh. It appears our font limiting patch interferes with this. The good news is that it looks like this thing represents fonts as WebFonts, so if we implement #5798 (moved) (and exempt WebFonts from our counts), it should work just fine.

Trac:
Cc: N/A to g.koppen@jondos.de

Mozilla has started shipping this code as part of Firefox (but off by default) in Firefox 18. I am not sure what this means for security updates. I presume the entry in https://addons.mozilla.org/en-us/firefox/addon/pdfjs/ will continue to get them, at least until the Firefox version is on by default?

Replying to mikeperry:

Mozilla has started shipping this code as part of Firefox (but off by default) in Firefox 18.

Pdf.js is already included in FF 17.0.2 ESR

Hrmm. Well, my concerns about security updates apply doubly to the PDF.js in FF17-ESR. They may not consider those in need of backport since it is off by default and has no UI to enable it. Unless we hear otherwise, it is probably wisest to stick with the AMO version.

Ok, I spoke with a couple Mozilla folks, and here's the status:

They do not plan to backport security updates for PDF.js to FF17-ESR. We have to use the addon.
They plan on providing updates to the addon until FF24-ESR.
PDF.js does try to obey Private Browsing Mode. It tries to avoid touching the disk if PBM is on.
They do not evaluate PDF Javascript (https://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/js_api_reference.pdf)
It is possible to evaluate PDFs in third party iframes and object tags.

Point 5 means that we have to test the PDF caching behavior for PDF.js to ensure it is similarly isolated per URL bar domain like everything else. If not, we may not be able to include it in TBB-stable until we find a way to prevent 3rd party tracking via PDFs, or simply find a way to disable 3rd party PDF loading.

Trac:
Parent: #7248 (closed) to N/A
Keywords: N/A deleted, tbb-usability added
Cc: g.koppen@jondos.de to g.koppen@jondos.de, isis

I'd like to look at https://www.mozilla.org/security/announce/2013/mfsa2013-99.html closer as well as this is pretty scary.

Trac:
Cc: g.koppen@jondos.de, isis to gk, isis

Version 1.0.x landed some days ago on mozilla-central and will therefore be included in ESR 31. Time to do a thorough audit, I guess... FWIW: they still don't evaluate PDF JavaScript and currently don't plan to do so.

Trac:
Owner: mikeperry to gk
Keywords: N/A deleted, ff31-esr added
Status: new to assigned
Summary: Include PDF.js extension in TBB to Audit PDF.js

Trac:
Cc: gk, isis to gk, isis, intrigeri

Trac:
Keywords: N/A deleted, needs-triage added

Trac:
Keywords: needs-triage deleted, N/A added
Component: Tor bundles/installation to Tor Browser

Trac:
Keywords: N/A deleted, TorBrowserTeam201409 added

Trac:
Keywords: TorBrowserTeam201409 deleted, TorBrowserTeam201410 added

Trac:
Keywords: TorBrowserTeam201410 deleted, N/A added

https://www.mozilla.org/en-US/security/advisories/mfsa2015-69/ (although this is scrictly speaking no pdf.js bug)

Has this been resolved?

Trac:
Severity: N/A to Normal
Sponsor: N/A to N/A

Replying to Sebastian:

Has this been resolved?

Alas, not yet.

Review with every ESR.

Trac:
Keywords: ff31-esr deleted, tbb-linkability, ff52-esr added
Reviewer: N/A to N/A

Is this even worth it now with the move to replace pdf.js with the one from Chromium (PDFium which is written in C++ = memory unsafe) for ff59? https://bugzilla.mozilla.org/show_bug.cgi?id=1345330

Indeed, Mozilla realized that it needed a full-featured PDF processor, especially for ISO 32000-2:2017, and no PDF.js could cope with it. So now we have ~~Adobe ~~ PDF Plugin integrated into the chrome process for https://bugzilla.mozilla.org/show_bug.cgi?id=1347444.

Trac:
Keywords: tbb-usability, tbb-linkability, ff52-esr deleted, tbb-security added

According to a comment by a Platform Engineer at Mozilla, PDFium may land in 58 but he says "don't quote me on that", so there's a high chance that in a worst case scenario it would be already available for FF59-esr.

According to the top comment in this thread on HN https://news.ycombinator.com/item?id=15167104

PDFium used by Chrome internally uses Foxit PDF library to read and extract information from the PDF.

Google basically bought Foxit's library and open sourced it - but looks like the open source version isn't keeping up with the upstream commercial version of Foxit because the latest Foxit reader doesn't seem to have this bug.

If this is true, and the commercial version is years ahead of the open source version in terms of security fixes, then it's a serious security issue. One wonders why they didn't go for Evince which was always open source and cross-platform. Anyway, one should keep that in mind and if possible lobby Mozilla to look into this.

According to Dave Townsend, there are no "plans to integrate PDFium at this point", so unless there's a big surprise FF59 will still be stuck with pdfjs :(

Seems more and more like PDFium integration with Firefox is dead, so putting review with every ESR again.

Trac:
Keywords: N/A deleted, ff60-esr added

It's official folks, Project Mortar IS DEAD https://wiki.mozilla.org/Mortar_Project

The Mortar experiment has concluded. Mozilla does not consider the PDF use case justifies the burden of implementing and maintaining PDFium and a Pepper API implementation in Gecko.

So the ff60-esr keyword was justified after all.

re-assigning

Trac:
Owner: gk to tbb-team

Trac:
Keywords: ff60-esr deleted, N/A added
Status: assigned to new

mentioned in issue #15018 (moved)

mentioned in issue #21431 (moved)

mentioned in issue #23397 (moved)

moved to tpo/applications/tor-browser#7501 (closed)

Audit PDF.js

Child items ...

Activity