sav-pdf-viewer-pro
Potentially vulnerable PDF library used
I am going through apps that use old native libraries on F-Droid: https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11496/
Your app uses com.github.barteksc:android-pdf-viewer:2.8.2 using PDFium@32b639d from 2016-01-14, which seems to have ~55+ known security issues. https://github.com/Sav22999/sav-pdf-viewer-pro/blob/1.9/app/build.gradle#L54
This was mentioned in #12, #20, and #25 but closed.
Newer versions do not seem to be available.
@SkewedZeppelin yes, I know about the security issue, and I'm searching for a new library which can replace the current one, with the same performance of opening and viewing. Can you suggest something?
Up-to-date versions of MuPDF, iTextPDF, and PDFBox are options, although I haven't implemented them and wouldn't know their features or performance characteristics.
@SkewedZeppelin Thanks! I'll see about those and try something 😄
Wondered what the progress is with the fixing of this bug. I really like this app and would love for it to be safe to use again.
@AxeldeWater Hi! Thanks for the interest. Currently I'm a bit busy with University and work, but this is in the "priority" on my to-do list.
Sorry for the wait
@Sav22999 any news? last version still vulnerable?
@f242 I'm looking into it; I was trying to implement it with MuPDF (or similar), but it's complicated
Not going to lie, reading the app description and title going on about how safe the app is adds a touch of irony (and confusion) when one sees the security alert on the bottom. Should probably at least cut that out until the vulnerability is fixed (and your safety claim becomes true again).
:( https://gitlab.com/fdroid/fdroiddata/-/commit/f5bd0838bac06c8abdae706dc296f8a929e796f2 fyi
F-Droid will remove your app via the above commit. Not because it is unsafe - that is not an issue - but because the Pdfium library is not built from source. And unfortunately this seems impossible with a simple build process...
We managed to build from source, but it is too complex to understand. See https://gitlab.com/fdroid/fdroiddata/-/merge_requests/12658
What a shitshow...
Also, removing an app from the store without warning the users may lead users to blindly think their apps are updated by the store and feel safe, while they aren't anymore...
+8 months and no change? :(
New release: https://github.com/Sav22999/sav-pdf-viewer-pro/releases/tag/1.13.2 without fixing this?
@yozachar To fix this issue it's required to replace the PDF library. I tried some others but I continue to prefer this one (the other libraries are slower or don't have some features). I'm continuing, anyway, to look for a new open source library. I'm sorry. If you want to contribute to the development you can create a PR with a better library
If it helps, I found this fork of the library used in this project; the fork has been updated, and text search and other functions have been implemented.
https://github.com/TEA-ebook/AndroidPdfViewer
Could someone try? Having text search as well would be very helpful
@gigisforza70 Thank you very much. I'll see it asap 💪👍
@Sav22999 my fork
- use lion1988dev/AndroidPdfViewer
- upgrade all deps and gradle plugin
- del .idea, app/debug, app/release, release on repo, add to .gitignore
- android api compat change: Handler, Fullscreen, onBackPressed, getColor
pdfium is not built from source by lion1988dev either, which was the reason for F-Droid to remove the app.
@woheller69 has pdfium source code only: https://github.com/TEA-ebook/AndroidPdfViewer https://gitlab.com/mudlej_android/mj_pdf_reader
I see binaries: https://github.com/TEA-ebook/AndroidPdfViewer/tree/main/pdfium/src/main/jni/lib/armeabi-v7a
For MjPdf we managed to build pdfium from source but F-Droid does not like the build tools required. See link above. In my view pdfium is dead for usage on F-Droid.