@MethodLevelAnalyzer

Vulnerability Information

Bumps itextpdf from 5.5.3 to 5.5.12.

Listed dependency com.itextpdf:itextpdf contains vulnerable methods which are called from this project. This vulnerability appears to affect itextpdf package versions lower than 5.5.12 (excluding). The vulnerability can be fixed by updating the version to 5.5.12, as can be seen from the description here.

| Property | Value |
|---|---|
| Linked CVE | CVE-2017-9096 |
| Number of affected methods | 9 |
| Severity | HIGH |
| Current version | 5.5.3 |
| Updated version | 5.5.12 |
| Backwards Compatibility | True |

Vulnerable method calls

| Methods in this repository | Used package methods | Origin vulnerable method |
|---|---|---|
| com.clickntap.utils/ImageUtils.expand(BufferedImage img, int w, int h, int x, int y) | com.itextpdf.awt/PdfGraphics2D.drawImage(Image img, int x, int y, int width, int height, ImageObserver observer) | com.itextpdf.text.pdf/XfaForm(PdfReader reader) |
| com.clickntap.utils/ImageUtils.drawImage(BufferedImage img1, BufferedImage img2, int x, int y, int w, int h) | com.itextpdf.awt/PdfGraphics2D.drawImage(Image img, int x, int y, int width, int height, ImageObserver observer) | com.itextpdf.text.pdf/XfaForm(PdfReader reader) |
| com.clickntap.utils/ImageUtils.drawSubImage(BufferedImage img1, BufferedImage img2, int x, int y, int w, int h) | com.itextpdf.awt/PdfGraphics2D.drawImage(Image img, int x, int y, int width, int height, ImageObserver observer) | com.itextpdf.text.pdf/XfaForm(PdfReader reader) |
| com.clickntap.utils/ImageUtils.expand(BufferedImage img, int w, int h) | com.itextpdf.awt/PdfGraphics2D.drawImage(Image img, int x, int y, int width, int height, ImageObserver observer) | com.itextpdf.text.pdf/XfaForm(PdfReader reader) |
| com.clickntap.utils/ImageUtils.mask(BufferedImage img, Color color) | com.itextpdf.awt/PdfGraphics2D.drawImage(Image img, int x, int y, ImageObserver observer) | com.itextpdf.text.pdf/XfaForm(PdfReader reader) |
| com.clickntap.utils/ImageUtils.drawText(BufferedImage image, String s, int x, int y, int width, int height, float linespace, Font font, Color color) | com.itextpdf.awt/PdfGraphics2D.drawString(String s, int x, int y) | com.itextpdf.text.pdf/XfaForm(PdfReader reader) |
| com.clickntap.utils/ImageUtils.letterbox(BufferedImage bufferedImage, int width, int height, Color backColor) | com.itextpdf.awt/PdfGraphics2D.drawImage(Image img, int x, int y, int width, int height, ImageObserver observer) | com.itextpdf.text.pdf/XfaForm(PdfReader reader) |
| com.clickntap.tool.pdf/PDF.render(PDFContext ctx, String templateName, Number width, Number height, OutputStream out) | com.itextpdf.text/Document.close() | com.itextpdf.text.pdf/XfaForm(PdfReader reader) |
| com.clickntap.tool.pdf/PDF.render(PDFContext ctx, String templateName, Number width, Number height, OutputStream out) | com.itextpdf.text.pdf/PdfCopy.close() | com.itextpdf.text.pdf/XfaForm(PdfReader reader) |
| com.clickntap.utils/ImageUtils.saveAsJpeg(BufferedImage image, int quality, OutputStream out) | com.itextpdf.awt/PdfGraphics2D.drawImage(Image img, int x, int y, ImageObserver observer) | com.itextpdf.text.pdf/XfaForm(PdfReader reader) |

What do the columns represent?

The 1st column in the table indicates the method in this repository that was found to be affected by vulnerable methods from the itextpdf package.

The 2nd column indicates the itextpdf method that was directly called from this repository.

The 3rd column indicates the origin vulnerable method in the itextpdf package. According to our dataset, this is one of the methods that produce the CVE-2017-9096 vulnerability. This method was found to be internally chain-called in the itextpdf package by the method listed in column 2.

How were the results generated?

This vulnerability was analyzed specifically for usage in this project using the FASTEN Project. Static method-level analysis was used to check for usage of vulnerable methods in the project.

Method calls between your project and itextpdf have been mapped using a directed graph. From this graph, it could then be seen whether any vulnerable itextpdf methods are being called from within your project.

Research Scope

We are a team of 3 BSc Computer Science students at the TU Delft. Our goal is to conduct research on how developers react to method-level vulnerability information that affects their projects. We would highly appreciate it if you could help us with our research; please tick the statements which apply to you below.

First impression checklist

  • I have read this pull request description.
  • I was aware of this dependency vulnerability affecting my project before being informed by this Pull Request.
  • I was convinced by the provided method information that this vulnerability indeed affects my project.
  • After seeing the provided method-level information, I plan on fixing the vulnerability.

After fixing vulnerability checklist

  • I found that the provided method information has made my process of dealing with the vulnerable dependency easier.
  • I have given priority to the task of fixing the vulnerability over other project tasks that are yet to be completed.
  • I would like to receive this kind of method information in future vulnerable dependency Pull Request descriptions.

@MethodLevelAnalyzer (Author)

Hi, I am contacting you on behalf of the research team from the Technical University of Delft, The Netherlands. In our recent study, we have carefully selected a limited number of active and professional repositories from the open-source community to learn from. So all feedback counts! :)

We would appreciate it if you could contribute to our research by answering just a few questions (either using the above checkboxes or the fully anonymous questionnaire here: https://forms.gle/n6oXZUwYysMUnVDn6). This will take less than a minute.
Moreover, we will give credit to your repository in the upcoming paper.
