Library Update request: PDF Extension

In the hope that it would bring more accurate rendering of PDF files in Lucee and fix known vulnerabilities within the included (and outdated) JAR dependencies, I would kindly ask for an update to the current v1.2.0.10 PDF extension, which relies on the following dependencies (their new versions are linked):

  • bouncycastle.mail (v1.38.0) → v1.79 / Oct 30, 2024
  • bouncycastle.prov (v1.38.0) → v1.79 / Oct 30, 2024
  • bouncycastle.tsp (v1.38.0) → v1.79 / Oct 30, 2024
  • org.lucee.flyingSaucerPDF (v9.1.20) → v9.11.2 / Dec 02, 2024
  • org.xhtmlrenderer.flying.saucer.core (v9.1.20) → v9.11.2 / Dec 02, 2024
  • org.lucee.itext (v2.1.7) → v5.5.13.4 / Jun 13, 2024, iText-core v9.0.0 / Nov 18, 2024
  • org.lucee.pdfbox (v3.0.0.RC101) → v3.03 / Aug 09, 2024
  • org.lucee.pdfbox-fontbox (v3.0.0.RC1) → v3.03 / Aug 09, 2024

Thank you.

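A quick way to check which of the versions listed in the request a given Lucee install actually carries, as an added example (not code from this thread or from Lucee): it parses bundle file names of the form `<name>-<version>.jar`, a naming assumed from the one path quoted later in the thread (`org.lucee.itext-2.1.7.jar`), compares them with the target versions named above, and flags the outdated ones. The directory listing is constructed for the demo, and the ordering treats a release-candidate suffix (`RC1`, `RC101`) as older than the plain release.

```python
import re

# Target versions are the ones named in the update request above; the "installed"
# versions are read from the bundle file names in a Lucee bundles directory.
TARGET_VERSIONS = {
    "bouncycastle.mail": "1.79",
    "bouncycastle.prov": "1.79",
    "bouncycastle.tsp": "1.79",
    "org.lucee.flyingSaucerPDF": "9.11.2",
    "org.xhtmlrenderer.flying.saucer.core": "9.11.2",
    "org.lucee.itext": "5.5.13.4",
    "org.lucee.pdfbox": "3.03",
    "org.lucee.pdfbox-fontbox": "3.03",
}

# Constructed sample listing of a bundles directory. The "<name>-<version>.jar"
# naming is assumed from the one real path in the thread (org.lucee.itext-2.1.7.jar);
# the other file names are made up for this demo.
SAMPLE_LISTING = """\
/var/tomcat/lucee/config/server/lucee-server/bundles/org.lucee.itext-2.1.7.jar
/var/tomcat/lucee/config/server/lucee-server/bundles/org.lucee.pdfbox-3.0.0.RC101.jar
/var/tomcat/lucee/config/server/lucee-server/bundles/org.lucee.pdfbox-fontbox-3.0.0.RC1.jar
/var/tomcat/lucee/config/server/lucee-server/bundles/bouncycastle.prov-1.38.0.jar
/var/tomcat/lucee/config/server/lucee-server/bundles/bouncycastle.tsp-1.79.jar
/var/tomcat/lucee/config/server/lucee-server/bundles/org.xhtmlrenderer.flying.saucer.core-9.1.20.jar
/var/tomcat/lucee/config/server/lucee-server/bundles/some.unrelated.bundle-4.2.0.jar
"""

# Matches "<name>-<version>.jar" where the version starts with a digit, so a dash
# inside the name (org.lucee.pdfbox-fontbox) is not mistaken for the separator.
BUNDLE_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d[\w.]*?)\.jar$")


def version_key(version: str) -> list:
    """Turn '3.0.0.RC101' into a list of comparable tuples.

    Numeric parts compare as integers; a non-numeric part (RC1, beta, ...)
    sorts below a numeric part in the same position, so 3.0.0.RC101 < 3.0.0
    and 3.0.0.RC101 < 3.03.
    """
    parts = []
    for token in re.split(r"[.\-]", version):
        if token.isdigit():
            parts.append((1, int(token), ""))
        else:
            parts.append((0, 0, token))
    return parts


def is_older(installed: str, target: str) -> bool:
    """True if `installed` sorts strictly before `target`; missing trailing parts count as 0."""
    a, b = version_key(installed), version_key(target)
    width = max(len(a), len(b))
    pad = (1, 0, "")
    a += [pad] * (width - len(a))
    b += [pad] * (width - len(b))
    return a < b


def audit_listing(listing: str) -> dict:
    """Map each known bundle found in the listing to its installed/target status."""
    report = {}
    for line in listing.splitlines():
        filename = line.strip().rsplit("/", 1)[-1]
        m = BUNDLE_RE.match(filename)
        if not m:
            continue
        name, installed = m.group("name"), m.group("ver")
        target = TARGET_VERSIONS.get(name)
        if target is None:
            continue  # not one of the PDF extension's dependencies
        report[name] = {
            "installed": installed,
            "target": target,
            "outdated": is_older(installed, target),
        }
    return report


def missing_from_listing(report: dict) -> list:
    """Dependencies from the request that did not show up at all (worth a manual look)."""
    return sorted(set(TARGET_VERSIONS) - set(report))


if __name__ == "__main__":
    result = audit_listing(SAMPLE_LISTING)
    for name, info in sorted(result.items()):
        flag = "OUTDATED" if info["outdated"] else "ok"
        print(f"{flag:8} {name}: {info['installed']} (target {info['target']})")
    for name in missing_from_listing(result):
        print(f"missing  {name}: not found in listing")
```

Run it against `ls` output of the real bundles directory instead of `SAMPLE_LISTING` to get the same report for an actual server; a dependency that is absent from the listing is reported separately rather than silently treated as current.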

Regarding vulnerabilities discovered (and fixed in the updated versions) within the above-listed libraries, compared to the versions currently included in Lucee’s PDF extension:

The older iText was released under quite liberal licenses (a choice between MPL and LGPL), but new versions are under the far more restrictive AGPL, which might not be suitable to use here, or a commercial license. The last version under the old licenses was forked as OpenPDF (GitHub: LibrePDF/OpenPDF, a free Java library for creating and editing PDF files under the LGPL and MPL licenses) and development continues there.

One thing in particular is that old iText under jdk 11 reports “WARNING: Illegal reflective access by com.lowagie.text.pdf.MappedRandomAccessFile$1 (jar:/var/tomcat/lucee/config/server/lucee-server/bundles/org.lucee.itext-2.1.7.jar) to method java.nio.DirectByteBuffer.cleaner()” and afaik it’s not expected to work with some newer jdk versions.