Okular fully vulnerable to shadow pdf attacks

https://www.ndss-symposium.org/wp-content/uploads/ndss2021_1B-4_24117_paper.pdf

“Our results reveal that 16 (including Adobe Acrobat and
Foxit Reader) of the 29 PDF viewers tested were vulnerable
to shadow attacks. We introduce our tool PDF-Attacker which
can automatically generate shadow attacks. In addition, we
implemented PDF-Detector to prevent shadow documents from
being signed or forensically detect exploits after being applied to
signed PDFs.”

@pattiM:

In the paper, they’re talking about Okular version 1.9.3 – here on Leap 15.2 the standard Okular version is 1.10.2 …

Bottom line, maybe it’s been quietly repaired or, maybe not …

Maybe a bugreport is better than writing here?

@pattiM:

Yes – an openSUSE Bug Report – point it to the build responsible person – “Welcome - openSUSE Build Service” / “Request 814011: Submit okular - openSUSE Build Service”.

  • It may well be that a CVE has been raised to track this issue …

My guess is that the Okular folks know this stuff well, so my concern was mainly to let LEAP users know it. Also the LEAP gods, wizards, etc.

OK, I’ll do that. Also, I’ve noticed a couple of my banks are reporting that the firefox version in 15.2 is no longer “supported.” (Latest Brave works OK. Didn’t try Chromium.) Do you think that might be a bug report to the overall Suse builders - that is, to move to a much more recent ff version?

Okular bug reported in a comment to both sites.

I usually ignore that. There are two firefox versions – the standard version and the “esr” (extended support release) version. Many sites look only for the standard firefox version and complain even when you have the latest esr version.

You can see, that when the firefox-esr is out-of-support, you get the newer esr version:

zypper se -s mozilla
Repository-Daten werden geladen...
Installierte Pakete werden gelesen...

S  | Name                                   | Type       | Version              | Arch   | Repository
---+----------------------------------------+------------+----------------------+--------+-----------
i+ | MozillaFirefox                         | Paket      | 78.8.0-lp152.2.49.1  | x86_64 | OSS-Update
v  | MozillaFirefox                         | Paket      | 78.7.1-lp152.2.46.1  | x86_64 | OSS-Update
v  | MozillaFirefox                         | Paket      | 78.7.0-lp152.2.43.1  | x86_64 | OSS-Update
v  | MozillaFirefox                         | Paket      | 78.6.1-lp152.2.40.1  | x86_64 | OSS-Update
v  | MozillaFirefox                         | Paket      | 78.6.0-lp152.2.34.1  | x86_64 | OSS-Update
v  | MozillaFirefox                         | Paket      | 78.5.0-lp152.2.33.1  | x86_64 | OSS-Update
v  | MozillaFirefox                         | Paket      | 78.5.0-lp152.2.30.1  | x86_64 | OSS-Update
v  | MozillaFirefox                         | Paket      | 78.4.1-lp152.2.27.1  | x86_64 | OSS-Update
v  | MozillaFirefox                         | Paket      | 78.4.0-lp152.2.24.1  | x86_64 | OSS-Update
v  | MozillaFirefox                         | Paket      | 78.3.0-lp152.2.21.1  | x86_64 | OSS-Update
v  | MozillaFirefox                         | Paket      | 78.2.0-lp152.2.18.1  | x86_64 | OSS-Update
v  | MozillaFirefox                         | Paket      | 78.1.0-lp152.2.15.1  | x86_64 | OSS-Update
v  | MozillaFirefox                         | Paket      | 78.1.0-lp152.2.12.1  | x86_64 | OSS-Update
v  | MozillaFirefox                         | Paket      | 78.0.2-lp152.2.9.1   | x86_64 | OSS-Update
v  | MozillaFirefox                         | Paket      | 78.0.1-lp152.2.5.1   | x86_64 | OSS-Update
v  | MozillaFirefox                         | Paket      | 68.9.0-lp152.1.1     | x86_64 | OSS

Not only banks, also the registration for THE virus vaccination – I ignored it …

  • Sadly, my banks are also quite suspicious about Linux and, open source HBCI banking applications – they seem to be very pro-Redmond and pro-Alphabet (Google – Android) – their support for Apple also seems to be fairly minimal …

The good news is, that Free Software Foundation Europe – FSFE – seems to be making progress with changing views in the European Parliament. And, some of the German government’s applications, such as THE Virus tracking App, are open source …

And in case you absolutely want the latest Firefox version you can add the Mozilla repository:

kasi@pluto:~> zypper lr -u Mozilla 
Alias                       : openSUSE_Leap_15.2_2 
Name                        : Mozilla 
URI                         : http://download.opensuse.org/repositories/mozilla/openSUSE_Leap_15.2/
pluto:~ # zypper se -s mozilla
Loading repository data... 
Reading installed packages... 

S  | Name                                   | Type       | Version              | Arch   | Repository 
---+----------------------------------------+------------+----------------------+--------+-------------------------------- 
i+ | MozillaFirefox                         | package    | 86.0-lp152.2.1       | x86_64 | (System Packages) 
v  | MozillaFirefox                         | package    | 86.0.1-lp152.1.1     | x86_64 | Mozilla

As told:

firefox -v && zypper se -si firefox
Mozilla Firefox 78.8.0esr
Repository-Daten werden geladen...
Installierte Pakete werden gelesen...

S  | Name                               | Type  | Version             | Arch   | Repository
---+------------------------------------+-------+---------------------+--------+-----------
i+ | MozillaFirefox                     | Paket | 78.8.0-lp152.2.49.1 | x86_64 | OSS-Update
i+ | MozillaFirefox-branding-openSUSE   | Paket | 68-lp152.1.1        | x86_64 | OSS
i+ | MozillaFirefox-translations-common | Paket | 78.8.0-lp152.2.49.1 | x86_64 | OSS-Update

Firefox 78.8 esr is from Feb 2021…

Hi Sauerland,

This confuses me a little. When wanting to install the esr version, how can one tell it is it by the packages? Apparently your version shows the “esr” but I can’t find any hint in the package list. In the Mozilla repo the package seems to be:

  | firefox-esr                        | package    | 78.8.0-lp152.1.2    | x86_64 | Mozilla

You get only the ESR Version in the OSS or Update Repo. ESR will get only security fixes.
So it’s easier to maintain.

See here, the graphic shows it:
https://support.mozilla.org/en-US/kb/firefox-esr-release-cycle

Firefox and Firefox-esr are in the mozilla Repo, so you need something to distinguish them.
That’s the esr I think.

Yep. I did just check what “ESR” actually is. This is what I didn’t know:

You get only the ESR Version in the OSS or Update Repo.

We never stop learning. Thanks a lot!

This is great info! Thank you - I saw ESR in the repos. I had stopped updating to the “latest version” of ff b/c of the versioning issue which originally spawned this thread.

I’m becoming a tad worried about remaining committed to ff/tb. Although thunderbird seems very stable, ff doesn’t. In addition to the versioning problem(s), the behavior of ff on many websites has changed. Basically it’s very slow to connect to many sites (I don’t know if this is related to the way ff accesses the internet, ff-code security, cloudflare, or …?). When I use brave, there are no such slowdowns. I suppose it could be ABP/Ghostery/noscript/httpsE/etc., but I believe similar codes are installed default on Brave - it certainly seems so - I never see ads, for instance. (I am not sure about chrome/chromium.)

My IT friends (mostly small-company db maintenance on macs) don’t seem to care about security of all kinds, even though the world is basically blowing-up. I’d like to avoid the implied problems, if possible…
(see, for example:
https://www.schneier.com/blog/archives/2021/03/more-on-the-chinese-zero-day-microsoft-exchange-hack.html )