Skip to content

fix: backport vendored pdf.js bump to 5.7.284 (GHSA-mj74-gfq3-2v9f)#322

Merged
jignaciopm merged 1 commit into
ednx-release/teak.masterfrom
jipm/backport-pdfjs-cve-teak
Jul 17, 2026
Merged

fix: backport vendored pdf.js bump to 5.7.284 (GHSA-mj74-gfq3-2v9f)#322
jignaciopm merged 1 commit into
ednx-release/teak.masterfrom
jipm/backport-pdfjs-cve-teak

Conversation

@jignaciopm

@jignaciopm jignaciopm commented Jul 15, 2026

Copy link
Copy Markdown

Summary

Context

The official security release on July 7, 2026 patched Ulmo and Verawood but did not include Teak. Since the vendored pdf.js files are identical across all three release branches, this cherry-pick applies cleanly with no conflicts.

The previous vendored pdf.js was v1.0.907 (May 2013), four major versions behind upstream and within the range covered by Mozilla's GHSA-wgrm-67xf-hhpq (arbitrary JavaScript execution upon opening a malicious PDF). v5.7.284 is well past the >= 4.2.67 fix line.

Test plan

  • Verify Docker image builds without patch conflicts
  • Open a course with a PDF textbook and confirm the viewer renders correctly
  • Check pdfjsLib.version in browser console returns "5.7.284"
  • Confirm page navigation and zoom work in the PDF viewer
  • No JavaScript execution when opening a PDF with embedded JS actions

The previous vendored pdf.js was 1.0.907 (May 2013), four major versions
behind upstream and within the range covered by Mozilla's
GHSA-wgrm-67xf-hhpq (arbitrary JavaScript execution upon opening a
malicious PDF). 5.7.284 is well past the >= 4.2.67 fix line.

The replacement comes from Mozilla's prebuilt
`pdfjs-5.7.284-legacy-dist.zip` GitHub Release artifact rather than the
`pdfjs-dist` npm package because the npm package is library-only -- it
ships `pdf.mjs` plus a bare `PDFViewer` component class, but no
`viewer.html` / `viewer.mjs` / `viewer.css` / locale files. A full npm
integration would mean rewriting the viewer page against the bare
component, which is appropriate as a non-security follow-up but not as
the fix here.

The viewer page (`lms/templates/pdf_viewer.html`) is rewritten as a Mako
adaptation of upstream `web/viewer.html`. A `<base href>` makes the
viewer's relative asset URLs resolve against the vendored copy.

The analytics shim (`lms/static/js/pdf-analytics.js`) is rewritten in
vanilla JS against `PDFViewerApplication.eventBus`. Four analytics
events (`textbook.pdf.thumbnails.toggled`,
`textbook.pdf.thumbnail.navigated`, `textbook.pdf.outline.toggled`,
`textbook.pdf.page.scrolled`) no longer fire because the corresponding
UI elements were refactored away in pdf.js 4.x's Views Manager
redesign.

A new `scripts/refresh-pdfjs-vendor.sh` is the tool for future bumps:
update PDFJS_VERSION + PDFJS_LEGACY_ZIP_SHA256, re-run, commit.

Closes GHSA-mj74-gfq3-2v9f.
@jignaciopm
jignaciopm force-pushed the jipm/backport-pdfjs-cve-teak branch from 95b6493 to 3dcffdb Compare July 15, 2026 05:03
@jignaciopm
jignaciopm requested review from DeimerM, Gi-ron and magajh July 16, 2026 14:43
@jignaciopm
jignaciopm merged commit 7ee0882 into ednx-release/teak.master Jul 17, 2026
46 of 47 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants