fix: backport vendored pdf.js 5.7.284 to Teak (GHSA-mj74-gfq3-2v9f)#38889
fix: backport vendored pdf.js 5.7.284 to Teak (GHSA-mj74-gfq3-2v9f)#38889jignaciopm wants to merge 1 commit into
Conversation
|
Thanks for the pull request, @jignaciopm! This repository is currently maintained by Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review. 🔘 Get product approvalIf you haven't already, check this list to see if your contribution needs to go through the product review process.
🔘 Provide contextTo help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:
🔘 Get a green buildIf one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green. DetailsWhere can I find more information?If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources: When can I expect my changes to be merged?Our goal is to get community contributions seen and reviewed as efficiently as possible. However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:
💡 As a result it may take up to several weeks or months to complete a review and merge your PR. |
The previous vendored pdf.js was 1.0.907 (May 2013), four major versions behind upstream and within the range covered by Mozilla's GHSA-wgrm-67xf-hhpq (arbitrary JavaScript execution upon opening a malicious PDF). 5.7.284 is well past the >= 4.2.67 fix line. The replacement comes from Mozilla's prebuilt `pdfjs-5.7.284-legacy-dist.zip` GitHub Release artifact rather than the `pdfjs-dist` npm package because the npm package is library-only -- it ships `pdf.mjs` plus a bare `PDFViewer` component class, but no `viewer.html` / `viewer.mjs` / `viewer.css` / locale files. A full npm integration would mean rewriting the viewer page against the bare component, which is appropriate as a non-security follow-up but not as the fix here. The viewer page (`lms/templates/pdf_viewer.html`) is rewritten as a Mako adaptation of upstream `web/viewer.html`. A `<base href>` makes the viewer's relative asset URLs resolve against the vendored copy. The analytics shim (`lms/static/js/pdf-analytics.js`) is rewritten in vanilla JS against `PDFViewerApplication.eventBus`. Four analytics events (`textbook.pdf.thumbnails.toggled`, `textbook.pdf.thumbnail.navigated`, `textbook.pdf.outline.toggled`, `textbook.pdf.page.scrolled`) no longer fire because the corresponding UI elements were refactored away in pdf.js 4.x's Views Manager redesign. A new `scripts/refresh-pdfjs-vendor.sh` is the tool for future bumps: update PDFJS_VERSION + PDFJS_LEGACY_ZIP_SHA256, re-run, commit. Closes GHSA-mj74-gfq3-2v9f.
a90a2cb to
5b7aa95
Compare
Summary
Context
The official security release on July 7, 2026 patched Ulmo and Verawood but did not include Teak. Since the vendored pdf.js files are identical across all three release branches, this cherry-pick applies cleanly with no conflicts.
The previous vendored pdf.js was v1.0.907 (May 2013), four major versions behind upstream and within the range covered by Mozilla's GHSA-wgrm-67xf-hhpq (arbitrary JavaScript execution upon opening a malicious PDF). v5.7.284 is well past the >= 4.2.67 fix line.
Test plan
git apply --checkpasses on release/teak.3 tagpdfjsLib.versionreturns"5.7.284"in browser console