  1. PDFBox
  2. PDFBOX-4191

Initialization vectors should be randomly generated for proper security guarantees

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.0.9, 3.0.0 PDFBox
    • Fix Version/s: None
    • Component/s: Crypto
    • Labels:
      None

      Description

      Rumen Paletov created the following issue for Android-Pdfbox on GitHub:

      As part of some research about the common crypto mistakes that developers make, I noticed that your application has one of them.

      In StandardSecurityHandler.prepareEncryptionDictRev6 you're initializing Cipher instances with a static IV of 0s, which is insecure. More details about this issue and how to fix it are available here.

      This is true for "our" PDFBox as well.

            People

            • Assignee:
              lehmi Andreas Lehmkühler
              Reporter:
              lehmi Andreas Lehmkühler
            • Votes:
              1
              Watchers:
              3

              Dates

              • Created:
                Updated:
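
The weakness named in the description, shown in general form as an added example (not PDFBox code and not from the reporter): with AES in CBC mode, a fixed all-zero IV under one key makes messages that share a first block produce the same first ciphertext block, while a fresh random IV per message does not. The class name `IvDemo`, the `AES/CBC/PKCS5Padding` transformation and the sample strings are assumptions made for the demonstration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
// Added demonstration; IvDemo is a hypothetical class, not part of PDFBox.
public class IvDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // AES-CBC encryption; returns IV || ciphertext so a receiver could decrypt.
    static byte[] encrypt(SecretKey key, byte[] iv, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Fresh 16-byte IV from a CSPRNG, generated once per message.
    static byte[] randomIv() {
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);
        return iv;
    }

    // First ciphertext block (skips the 16-byte IV prefix).
    static byte[] firstBlock(byte[] ivAndCt) {
        return Arrays.copyOfRange(ivAndCt, 16, 32);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        // Constructed sample inputs: identical first 16 bytes, different tails.
        byte[] a = "ACCOUNT=00012345;amount=10".getBytes(StandardCharsets.US_ASCII);
        byte[] b = "ACCOUNT=00012345;amount=99".getBytes(StandardCharsets.US_ASCII);
        byte[] zeroIv = new byte[16]; // the static IV of 0s from the report
        boolean sameWithStaticIv = Arrays.equals(
                firstBlock(encrypt(key, zeroIv, a)), firstBlock(encrypt(key, zeroIv, b)));
        boolean sameWithRandomIv = Arrays.equals(
                firstBlock(encrypt(key, randomIv(), a)), firstBlock(encrypt(key, randomIv(), b)));
        System.out.println("static IV, first blocks equal: " + sameWithStaticIv);
        System.out.println("random IV, first blocks equal: " + sameWithRandomIv);
    }
}
```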