A bug discovered in an obscure PDF parsing library back in 2011 is also present in most of today’s top PDF viewers, according to German software developer Hanno Böck.
The original bug affected the PDF parser component included with Evince, a document viewer app for Linux. It was discovered by fellow German software developer Andreas Bogk, who helped Evince fixed the flaw, and presented his findings at the 2011 Chaos Communication Camp.
The bug was mostly ignored since it was never deemed a major security issue and only affected a small app installed only on Linux desktops.
Six years later, this turned into a big issue after Böck discovered similar behavior in a large number of well-known PDF viewers.
For example, Böck found Bogk’s “loop” bug in PDFium, the library that allows Chrome to render PDF documents inside the browser without any plugins.
The pdf.js library, used in a similar capacity in Firefox, is also affected. Pdf.js is also used at GitHub to render PDF documents inside the website’s interface, without needing users to download the file and view it inside a third-party app. GitHub’s implementation is also vulnerable to endless loops that break PDF rendering on the site.
The Windows Runtime PDF Renderer library, or WinRT PDF, is also affected. This is Edge’s built-in PDF viewer, but also the default PDF parser for the Windows “Reader App,” the default PDF viewer app on Windows 8 and all later versions.
Similarly, open-source PDF parsers such as Ghostscript and QPDF are also affected, meaning the issue most likely trickles down to many other web and desktop PDF viewer apps where these two projects have been deployed.
Submitted by: Arnfried Walbrecht