Skip to content

chore(ulmo): backport security patch#849

Merged
Agrendalath merged 1 commit into
opencraft/ulmofrom
agrendalath/bb-10988-security-patches
Jul 8, 2026
Merged

chore(ulmo): backport security patch#849
Agrendalath merged 1 commit into
opencraft/ulmofrom
agrendalath/bb-10988-security-patches

Conversation

@Agrendalath

Copy link
Copy Markdown
Member

This backports GHSA-mj74-gfq3-2v9f to the common Ulmo branch. It's a clean merge.

Private-ref: BB-10988

The previous vendored pdf.js was 1.0.907 (May 2013), four major versions
behind upstream and within the range covered by Mozilla's
GHSA-wgrm-67xf-hhpq (arbitrary JavaScript execution upon opening a
malicious PDF). 5.7.284 is well past the >= 4.2.67 fix line.

The replacement comes from Mozilla's prebuilt
`pdfjs-5.7.284-legacy-dist.zip` GitHub Release artifact rather than the
`pdfjs-dist` npm package because the npm package is library-only -- it
ships `pdf.mjs` plus a bare `PDFViewer` component class, but no
`viewer.html` / `viewer.mjs` / `viewer.css` / locale files. A full npm
integration would mean rewriting the viewer page against the bare
component, which is appropriate as a non-security follow-up but not as
the fix here.

The viewer page (`lms/templates/pdf_viewer.html`) is rewritten as a Mako
adaptation of upstream `web/viewer.html`. A `<base href>` makes the
viewer's relative asset URLs resolve against the vendored copy.

The analytics shim (`lms/static/js/pdf-analytics.js`) is rewritten in
vanilla JS against `PDFViewerApplication.eventBus`. Four analytics
events (`textbook.pdf.thumbnails.toggled`,
`textbook.pdf.thumbnail.navigated`, `textbook.pdf.outline.toggled`,
`textbook.pdf.page.scrolled`) no longer fire because the corresponding
UI elements were refactored away in pdf.js 4.x's Views Manager
redesign.

A new `scripts/refresh-pdfjs-vendor.sh` is the tool for future bumps:
update PDFJS_VERSION + PDFJS_LEGACY_ZIP_SHA256, re-run, commit.

Closes GHSA-mj74-gfq3-2v9f.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@Agrendalath Agrendalath self-assigned this Jul 7, 2026
@samuelallan72

samuelallan72 commented Jul 8, 2026

Copy link
Copy Markdown
Member

Note: the upstream commit is openedx@4d2e220d6f (the commit on release/ulmo). Unfortunately it's not linked to from the advisory.

Nice that this can be a simple merge of the existing commit as-is, rather than a cherry pick. 👍

@samuelallan72 samuelallan72 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

  • I tested this: verified this was the same commit as upstream
  • I read through the code
  • I checked for accessibility issues
  • Includes documentation
  • [N/A because this is pulled from the upstream branch] Added to the Code Drift project board (for backports)

@viadanna viadanna left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@Agrendalath Agrendalath merged commit f0da25e into opencraft/ulmo Jul 8, 2026
48 checks passed
@Agrendalath Agrendalath deleted the agrendalath/bb-10988-security-patches branch July 8, 2026 12:32
Cup0fCoffee pushed a commit that referenced this pull request Jul 9, 2026
…-patches

chore(ulmo): backport security patch

(cherry picked from commit f0da25e)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants