iText Core/Community 7.2.2
It's already Q2 of 2022, and we're pleased to announce the release of iText Core 7.2.2, your favorite PDF library for Java and .NET (and more!).
We've updated some dependencies: Bouncy Castle to 1.70, slf4j to 1.7.33, and Logback to 1.2.10.
We've improved iText's parsing logic for PDF cross-reference structures, so that a maliciously crafted cross-reference structure can no longer send the parser into an infinite loop or cause similar problems.
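The release notes do not describe the new parsing logic, so the following is an added illustration rather than iText's own code: a small Python walker that follows a PDF's `startxref` → `/Prev` → `/Prev` chain of classic cross-reference tables and refuses to continue when an offset is visited twice or the chain exceeds a fixed cap. The sample document (header, two xref tables, trailers) is constructed inline; `HEADER`, `xref_section`, `build_pdf` and the error type are names chosen here, and the trailer parsing is deliberately minimal (a regular expression over the trailer dictionary) to keep the loop check in focus.

```python
from __future__ import annotations

import re

# Constructed sample document pieces: a minimal header plus two xref sections.
HEADER = b"%PDF-1.4\n"

PREV_RE = re.compile(rb"/Prev\s+(\d+)")
STARTXREF_RE = re.compile(rb"startxref\s+(\d+)\s+%%EOF\s*$")


class MalformedPdfError(ValueError):
    """Raised when the cross-reference chain cannot be followed safely."""


def xref_section(prev: int | None) -> bytes:
    """One classic xref table with a single free entry and a trailer. The /Prev
    value is zero-padded so every section has the same length (constructed data)."""
    trailer = b"<< /Size 1" + (b"" if prev is None else b" /Prev %010d" % prev) + b" >>"
    return b"xref\n0 1\n0000000000 65535 f \ntrailer\n" + trailer + b"\n"


def build_pdf(*, cyclic: bool) -> bytes:
    """Build the sample. Section 2 is the newest (startxref points at it) and its
    /Prev points at section 1. In the cyclic variant section 1's /Prev points
    forward at section 2 again, so a walker without a visited set never stops."""
    off1 = len(HEADER)
    off2 = off1 + len(xref_section(0 if cyclic else None))
    sec1 = xref_section(off2 if cyclic else None)
    sec2 = xref_section(off1)
    return HEADER + sec1 + sec2 + b"startxref\n%d\n%%%%EOF\n" % off2


def trailer_prev(data: bytes, offset: int) -> int | None:
    """Return the /Prev offset named in the trailer of the xref section at `offset`."""
    if offset < 0 or offset >= len(data) or not data.startswith(b"xref", offset):
        raise MalformedPdfError(f"no xref section at offset {offset}")
    trailer_at = data.find(b"trailer", offset)
    end = data.find(b">>", trailer_at) if trailer_at >= 0 else -1
    if end < 0:
        raise MalformedPdfError(f"xref section at offset {offset} has no trailer dictionary")
    m = PREV_RE.search(data, trailer_at, end)
    return int(m.group(1)) if m else None


def xref_chain(data: bytes, max_sections: int = 64) -> list[int]:
    """Walk startxref -> /Prev -> /Prev ... and return the visited offsets, newest first.
    Revisiting an offset means the chain is cyclic; the cap bounds the work even
    for a very long acyclic chain."""
    m = STARTXREF_RE.search(data)
    if not m:
        raise MalformedPdfError("missing startxref")
    offset: int | None = int(m.group(1))
    seen: list[int] = []
    while offset is not None:
        if offset in seen:
            raise MalformedPdfError(f"cyclic /Prev chain: offset {offset} visited twice")
        if len(seen) >= max_sections:
            raise MalformedPdfError(f"more than {max_sections} xref sections")
        seen.append(offset)
        offset = trailer_prev(data, offset)
    return seen


def check_document(data: bytes) -> str:
    """Summarise the walk as a string so the outcome is easy to assert on."""
    try:
        return "ok:" + ",".join(map(str, xref_chain(data)))
    except MalformedPdfError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    print(check_document(build_pdf(cyclic=False)))  # well-formed: two sections
    print(check_document(build_pdf(cyclic=True)))   # rejected instead of looping forever
```

The same two guards (a visited set and an absolute cap) apply to `/XRefStm` hybrid-file pointers and to cross-reference streams; any pointer a parser follows from attacker-controlled bytes needs them.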
We've also fixed a bug in CFF font parsing. As noted in the specification, CFF (Compact Font Format) is a font format developed by Adobe as a compact container for one or more fonts, using lossless compression. When a font's CIDs (character IDs) do not coincide with its GIDs (glyph IDs), iText could read the wrong cmap values, so PDF viewers displayed incorrect glyphs. The font parsing logic has been rewritten to account for fonts whose glyph IDs do not match their CIDs, and now handles them in the correct and expected manner.
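To make the CID/GID distinction concrete, here is an added Python example (not iText's implementation) that decodes a CFF charset, the table that lists which CID each glyph index carries, in the three formats the CFF specification defines, inverts it into a CID → GID map, and contrasts the correct lookup with the shortcut of treating a CID as a glyph index. The glyph names and both charset byte strings are constructed for the example; a real font's charset is located via the Top DICT and may also be one of the predefined standard charsets, which this snippet does not cover.

```python
from __future__ import annotations

import struct


def parse_charset(data: bytes, n_glyphs: int) -> list[int]:
    """Decode a CFF charset (formats 0, 1 and 2) into a GID -> CID list.

    GID 0 is always .notdef and is never listed in the charset; the remaining
    n_glyphs - 1 entries are either individual 2-byte CIDs (format 0) or ranges
    of consecutive CIDs given as (first, nLeft) with a 1-byte (format 1) or
    2-byte (format 2) nLeft field.
    """
    if n_glyphs < 1 or not data:
        raise ValueError("empty charset or glyph count")
    fmt = data[0]
    gid_to_cid = [0]
    pos = 1
    try:
        if fmt == 0:
            for _ in range(n_glyphs - 1):
                (cid,) = struct.unpack_from(">H", data, pos)
                pos += 2
                gid_to_cid.append(cid)
        elif fmt in (1, 2):
            left_fmt, left_size = (">B", 1) if fmt == 1 else (">H", 2)
            while len(gid_to_cid) < n_glyphs:
                (first,) = struct.unpack_from(">H", data, pos)
                (n_left,) = struct.unpack_from(left_fmt, data, pos + 2)
                pos += 2 + left_size
                # A range in a malformed font may over-run the declared glyph
                # count; stop at n_glyphs instead of trusting nLeft.
                for cid in range(first, first + n_left + 1):
                    if len(gid_to_cid) == n_glyphs:
                        break
                    gid_to_cid.append(cid)
        else:
            raise ValueError(f"unknown charset format {fmt}")
    except struct.error as exc:
        raise ValueError("charset truncated") from exc
    return gid_to_cid


def cid_to_gid_map(gid_to_cid: list[int]) -> dict[int, int]:
    """Invert the charset so a CID from the PDF's CMap resolves to a glyph index."""
    return {cid: gid for gid, cid in enumerate(gid_to_cid)}


def glyph_for_cid(cid: int, gid_to_cid: list[int], glyph_names: list[str]) -> str:
    """Correct lookup: CID -> GID through the charset, then GID -> glyph."""
    gid = cid_to_gid_map(gid_to_cid).get(cid, 0)  # unknown CIDs fall back to .notdef
    return glyph_names[gid]


def naive_glyph_for_cid(cid: int, glyph_names: list[str]) -> str:
    """The shortcut that only works when CIDs happen to equal GIDs."""
    return glyph_names[cid] if cid < len(glyph_names) else glyph_names[0]


# Constructed sample font: five glyphs indexed by GID, and a charset that
# deliberately does NOT list CIDs in glyph order (GIDs 1..4 carry CIDs 3, 4, 1, 2).
GLYPH_NAMES = [".notdef", "A", "B", "C", "D"]
CHARSET_FORMAT0 = b"\x00" + b"\x00\x03\x00\x04\x00\x01\x00\x02"
# The same mechanism written as format 1 ranges: GIDs 1..4 carry CIDs 10, 11, 20, 21.
CHARSET_FORMAT1 = b"\x01" + b"\x00\x0a\x01" + b"\x00\x14\x01"

if __name__ == "__main__":
    g2c = parse_charset(CHARSET_FORMAT0, len(GLYPH_NAMES))
    for cid in (1, 2, 3, 4):
        # naive lookup picks the wrong glyph for every CID in this font
        print(cid, naive_glyph_for_cid(cid, GLYPH_NAMES), glyph_for_cid(cid, g2c, GLYPH_NAMES))
```

Running the block shows that, for CID 1, the naive lookup renders glyph "A" while the charset says the glyph is "C"; this is exactly the class of wrong-glyph output the release notes describe for fonts whose CIDs and GIDs diverge.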
This release also addresses two disclosed CVEs (CVE-2022-24196 and CVE-2022-24197). See the Changelog or the linked issues for more details.
Improvements
- Updated some Java dependencies (Bouncy Castle 1.70, Logback 1.2.10, slf4j 1.7.33)
Bugs
- Fixed CFF font-parsing logic
- CVE fixes:
  - CVE-2022-24196: out-of-memory error via the component readStreamBytesRaw
  - CVE-2022-24197: stack-based buffer overflow via the component ByteBuffer.append