Your message dated Sat, 04 Jul 2026 15:48:34 +0000
with message-id <[email protected]>
and subject line Bug#1141330: fixed in pillow 11.1.0-5+deb13u4
has caused the Debian Bug report #1141330,
regarding python3-pil: Writing long PDF fails with 
"PIL.PdfParser.PdfFormatError: trailer loop found"
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1141330: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141330
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python3-pil
Version: 11.1.0-5+deb13u3
Severity: important
Tags: patch
X-Debbugs-Cc: [email protected], [email protected]

Dear Maintainer,

Writing long PDF file (250 pages) fails with:

    Traceback (most recent call last):
      File "/usr/lib/python3.14/site-packages/qubespdfconverter/client.py", 
line 436, in _publish
        await self._save_reps(pages)
      File "/usr/lib/python3.14/site-packages/qubespdfconverter/client.py", 
line 478, in _save_reps
        await asyncio.get_running_loop().run_in_executor(
        ...<8 lines>...
        )
      File "/usr/lib64/python3.14/concurrent/futures/thread.py", line 86, in run
        result = ctx.run(self.task)
      File "/usr/lib64/python3.14/concurrent/futures/thread.py", line 73, in run
        return fn(*args, **kwargs)
      File "/usr/lib64/python3.14/site-packages/PIL/Image.py", line 2713, in 
save
        save_handler(self, fp, filename)
        ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib64/python3.14/site-packages/PIL/PdfImagePlugin.py", line 
44, in _save_all
        _save(im, fp, filename, save_all=True)
        ~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib64/python3.14/site-packages/PIL/PdfImagePlugin.py", line 
190, in _save
        existing_pdf = PdfParser.PdfParser(f=fp, filename=filename_str, 
mode="r+b")
      File "/usr/lib64/python3.14/site-packages/PIL/PdfParser.py", line 405, in 
__init__
        self.read_pdf_info()
        ~~~~~~~~~~~~~~~~~~^^
      File "/usr/lib64/python3.14/site-packages/PIL/PdfParser.py", line 583, in 
read_pdf_info
        self.read_trailer()
        ~~~~~~~~~~~~~~~~~^^
      File "/usr/lib64/python3.14/site-packages/PIL/PdfParser.py", line 686, in 
read_trailer
        self.read_prev_trailer(self.trailer_dict[b"Prev"])
        ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib64/python3.14/site-packages/PIL/PdfParser.py", line 706, in 
read_prev_trailer
        check_format_condition(
        ~~~~~~~~~~~~~~~~~~~~~~^
            trailer_dict[b"Prev"] not in processed_offsets, "trailer loop found"
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        )
        ^
      File "/usr/lib64/python3.14/site-packages/PIL/PdfParser.py", line 89, in 
check_format_condition
        raise PdfFormatError(error_message)
    PIL.PdfParser.PdfFormatError: trailer loop found

This started happening after updating python3-pil from 11.1.0-5+deb13u2 to 
11.1.0-5+deb13u3.
Looking at the changes, it's caused by CVE-2026-42310.patch.
Upstream has a fix for this issue already: 
https://github.com/python-pillow/Pillow/commit/78ee80a6fdd4b787f71880f10e66d6b989c6e58d

-- System Information:
Debian Release: 13.5
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.18.35-1.qubes.fc41.x86_64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-pil depends on:
ii  libc6                2.41-12+deb13u3
ii  libfreetype6         2.13.3+dfsg-1+deb13u1
ii  libimagequant0       2.18.0-1+b2
ii  libjpeg62-turbo      1:2.1.5-4
ii  liblcms2-2           2.16-2+deb13u2
ii  libopenjp2-7         2.5.3-2.1~deb13u2
ii  libraqm0             0.10.2-1
ii  libtiff6             4.7.0-3+deb13u2
ii  libwebp7             1.5.0-0.1
ii  libwebpdemux2        1.5.0-0.1
ii  libwebpmux3          1.5.0-0.1
ii  libxcb1              1.17.0-2+b1
ii  media-types          13.0.0
ii  python3              3.13.5-1
ii  python3-pil.imagetk  11.1.0-5+deb13u3
ii  zlib1g               1:1.3.dfsg+really1.3.1-1+b1

Versions of packages python3-pil recommends:
ii  python3-olefile  0.47-1

Versions of packages python3-pil suggests:
pn  python-pil-doc  <none>

-- no debconf information

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Source: pillow
Source-Version: 11.1.0-5+deb13u4
Done: Moritz Mühlenhoff <[email protected]>

We believe that the bug you reported is fixed in the latest version of
pillow, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <[email protected]> (supplier of updated pillow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 03 Jul 2026 22:03:44 +0200
Source: pillow
Architecture: source
Version: 11.1.0-5+deb13u4
Distribution: trixie
Urgency: medium
Maintainer: Matthias Klose <[email protected]>
Changed-By: Moritz Mühlenhoff <[email protected]>
Closes: 1141330
Changes:
 pillow (11.1.0-5+deb13u4) trixie; urgency=medium
 .
   * Followup fix for CVE-2026-42310 (Closes: #1141330)
Checksums-Sha1:
 f2ce440ef8a2bb4a901c880aeb6deec85ec60f89 2375 pillow_11.1.0-5+deb13u4.dsc
 765c7756797cc0990254dda13567a19a1f60d503 20572 
pillow_11.1.0-5+deb13u4.debian.tar.xz
Checksums-Sha256:
 74032aba383e276666898f3b1b3b8ea0f777236fedc191f873e7f3a2391a2e46 2375 
pillow_11.1.0-5+deb13u4.dsc
 999159999b639d23bbf44d65ec9531b9178a1f817960b2eb800d5d4928323f5e 20572 
pillow_11.1.0-5+deb13u4.debian.tar.xz
Files:
 40ba019431be04a2004058cbaf3a4297 2375 python optional 
pillow_11.1.0-5+deb13u4.dsc
 590494e0732ad5afc0a4edb6ae9aae9b 20572 python optional 
pillow_11.1.0-5+deb13u4.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmpII28ACgkQEMKTtsN8
TjYzDg/9FlgjtyNOosVNIACpEBjGu9dnTM+wgoMm27bLCUyxxzLYN1vdfYTYtgnK
dR2Lc77BRz6MG3pGt6Sz5nndtRPN4asHTyzrgRuTaq24NNTkMjVGjGTDWyRFWp5V
lpxdtpaxkeaCU+WiEkoAFM+x0Ozz1N7HLeTagQjQJRorsWMeiQFLrctX2eFRdUO2
3XbPIvINXwjB2Jl6cvCVUmLQ6JpxsQ750GmNutLpNcefUrK2QoIm7B2IGS0HmimL
naNiqx+0zwHHrs9FDX2MWh67YkpBsi5W/jzHT2fvL7DMjsWqBsB676KeJFHn0Z4W
ZVBVD4kRwhjzJ8MhfOeCc1FGqZuDSaUy+Ya5EV8ergd4aKhoo/DBJYWePPzSrjYT
ZPxe5KyLfQRpZtoygaVLgcLpqB9wiRunIH7hWlrGM9hI2MrJ/ykSeYvMD9esUrZt
uQHnCBEiw+ktgFUL0tuz1KQMCQTIrpiJnOI6G9xQMXcyjYLF/mmLS8mqiZ3iCrXO
Eb4IU/mDqLbCMTShpHuBHUJclbGMrgQAhz3WspmGNPDi4IpJkG+Y4WSozGRNV2Kw
1Kv+WuvgeElwdBS8OS7XdvNdbGQ3xHJWJCtkslLuYOMKlV4hZv6m0BqdXv6hfKAN
KGKHPuXlueC099tDUpaSRG9+aaoBncwXQI+gqG+E0xvUVzovoGg=
=3iTg
-----END PGP SIGNATURE-----

Attachment: pgp_kqz9Winjj.pgp
Description: PGP signature


--- End Message ---

Reply via email to