Since we released iText 7 Suite 7.2.4 a couple of months back, some of you are probably wondering why we’re now releasing version 7.1.18. So, a little background information might be useful. As you may remember, we released iText 7 Suite version 7.2.0 back in October 2021. Since 7.2.0 was a major version release, it introduced some breaking changes such as a move to version 4.6.1 of the .NET Framework and some API revisions. So, at the same time we also released the iText 7.1.17 maintenance release, which resolved some bugs and included security fixes from release 7.2.0.
We are committed to supporting our open source and commercial customers as much as possible, and we recognize that it’s not always easy to rewrite your implementations to account for such changes. Indeed, we continue to support our iText 5/iTextSharp users, with the newest maintenance release being released in February, despite iText 5 long being EOL.
So, in that same spirit we’re now releasing a new maintenance version of iText 7 Core, plus compatible versions of the pdfSweep and pdfXFA add-ons for our iText 7.1.x users. This release includes some recent CVE mitigations and backports from 7.2.x releases.
Of course, if you’re already using a version of 7.2.x and its compatible add-ons, you can ignore this release. On a related note, you can always refer to our compatibility matrix in case you’re wondering which add-on versions are compatible with which release of iText 7 Core.
Head over to the release notes linked below or continue reading for a quick summary of the most important changes.
First things first: this release addresses two CVE issues (CVE-2022-24196, CVE-2022-24197) which were fixed in iText 7 Core 7.2.2. These issues were disclosed during an external audit on our source code, which is a nice demonstration of open-source vs. the “security through obscurity” fallacy. Unlike closed-source software where code is only visible to the developers, with free and open-source software (FOSS), the code is open for everyone to see. That means there are more eyes looking for any potential bugs, and more developers willing to fix them.
There’s also a backport from our 7.2.1 release which fixes improper nesting of canvas operators when converting SVG to PDF by supporting q/Q operators inside BT/ET text blocks and objects.
The pdfSweep release includes the security fix from pdfSweep 3.0.0 relating to the CompareTool functionality. This fix was introduced because it was possible to abuse GhostScript functionality to inject arbitrary parameters.
The pdfXFA release includes a couple of backported fixes from pdfXFA 3.0.3. The first relates to the flattening process, which could get stuck in an infinite loop when tabs were present in the XML. The second fixes a case where a JS property could not be read if the value was null.
Finally, a fix from pdfXFA 3.0.0 resolves an issue where a breakBefore condition could switch back to a previous content area and overwrite it.
As usual, the Java and C# source code for the iText 7 Core PDF library can be found on GitHub, together with all our other open-source projects.
See you next time!