Your message dated Sat, 11 Jul 2026 10:32:48 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1141293,
regarding trixie-pu: package poppler/25.03.0-5+deb13u4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1141293: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141293
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:poppler
Control: severity 1127146 important
Control: block 1127146 by -1
User: [email protected]
Usertags: pu
NOTE: I am not a maintainer for this package but have taken responsibility for
fixing this problem with their permission: https://bugs.debian.org/1127146#19
My changes are staged at
https://salsa.debian.org/freedesktop-team/poppler/-/merge_requests/21 and a
maintainer will upload this subject to your approval.
[ Reason ]
Currently this bug only affects Poppler in Trixie: earlier releases as well as
Forky are unaffected.
Poppler is a PDF library that, among other features, facilitates the creation
and verification of digital signatures on PDF documents using X.509
certificates. A command-line utility, pdfsig, makes this available to users. A
couple graphical programs like KDE's Okular and GNOME's Papers also make this
available to users. This is a feature of the PDF format as defined by
international standards, and it's supposed to be interoperable with other
conforming applications. Users may digitally sign contracts or other important
documents, for example. Other folks using different PDF viewers can then
validate the signatures using public key infrastructure to get "proof" that a
document is authentic, or that some terms were witnessed or agreed to. These
signatures can be validated at least as long as the signing certificate remains
valid—usually for at least one year, and often longer. Signatures are also
useful for important and widely-shared documents like official announcements.
Code to generate specially-formatted date strings for PDF metadata was cleaned
up, switching from C-style string handling to C++-style string handling in
versions 24.03.0 and later. A mistake has been discovered in this [1] which
causes the terminating null byte of the string, as well as space characters to
the end of the buffer, to be considered "part of" the date string. This means
that instead of a modification time like "/M (D:20260629153055-04'00')" being
inserted into PDF object metadata, it instead looks like "/M
(D:20260629153055-04'00'X )", where 'X' is a
placeholder for an actual null byte in what's supposed to be a text field. This
is wrong and can confuse other applications.
Poppler is mainly a library for PDF *viewing* and seldom alters these files, so
it only creates PDF objects (ones needing such dates to be generated) in a
couple very specific circumstances, mainly adding PDF annotations or digital
signatures. This, as well as Poppler's tolerance of such malformed strings,
allowed the bug to hide for a little while. Practically the problems show as
soon as one starts sharing documents signed with Poppler. Other applications,
including the major proprietary ones, are seldom able to verify these
signatures. Debian users using free software only can be blissfully unaware of
this problem, which may only become evident when a signature needs to be
verified by someone else for some important purpose.
The upstream project does assert that distros have a responsibility to
incorporate the fix for this issue [2]; user frustration has been actually
observed when the problem is noticed well after the time that the document was
originally signed. Timely communication of this issue has been difficult and
their release practices don't align well with Debian's needs. Release cadence
is fast and there are no long-term branches maintained. It's not perfect for
us, but we'll make do—and serious but non-security issues like this seem to be
rare, fortunately.
[ Impact ]
Without the fix, users may continue signing PDF documents blissfully unaware
that they are, actually, invalid (as Poppler successfully validates its own
mangled signatures). These documents may not be able to have their signatures
validated when the time is necessary, or show errors in other widely-used
viewer applications.
[ Tests ]
Despite my attempts, I've not been able to make a DEP-8 test for this
particular issue, not using the tools in Trixie anyway. Except for LibreOffice
(which is apparently tolerant of the botched signatures), there isn't any other
straightforward and reliable tooling for checking PDF signatures. Therefore the
tests for this issue have been manual: I've used tools like 'mutool', 'qpdf',
and 'strings' to inspect the contents of signed documents with and without this
patch and can see that the problem is solved. I tried a couple web services
that allow uploading a document to check its signatures, and although one
didn't object to the malformed document, another did, but the documents created
with the patched Poppler are considered valid in any case.
Poppler does have a procedure for regression testing but those tests are in a
separate repository at https://gitlab.freedesktop.org/poppler/test and we do
not perform this in Debian. I assume this is because the sources for many of
those files are unavailable, and I don't think they intend for those tests to
be run by typical downstream packagers. (Note to self: this might be a good use
case for Salsa CI, as that will allow running tests not present in the Poppler
source package.) Because I'm not the package maintainer and a change here would
be invasive in any case, certainly for a stable release, this shall not impede
this update in Trixie.
[ Risks ]
The risks seem to be low. The code change is trivial, has been in upstream
releases for about a year, and also cherry-picked by other distros like Fedora
[3] into their stable releases when necessary. The upstream bug has a very
detailed analysis of how the problem was introduced and why it was able to go
unnoticed for a period of time. No alternative means to fix the problem exist.
[ Checklist ]
☑ *all* changes are documented in the d/changelog
☑ I reviewed all changes and I approve them (EXCEPT the maintainers of this
package haven't reviewed the change yet at this writing)
☑ attach debdiff against the package in (old)stable
☑ the issue is verified as fixed in unstable
[ Changes ]
Full debdiff is attached, but the sole change is to incorporate an upstream
patch [4] doing the following:
--- a/poppler/DateInfo.cc
+++ b/poppler/DateInfo.cc
@@ -122,6 +122,7 @@ std::string timeToStringWithFormat(const time_t *timeA,
const char *format)
while (strftime(&buf[0], buf.size(), fmt.c_str(), &localtime_tm) == 0) {
buf.resize(bufLen *= 2);
}
+ buf.resize(buf.find('\0'));
return buf;
}
By resizing the buffer to match the actual length of the intended string, the
gunk in the rest of the buffer is truncated off.
[1]
https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1596#note_2921375
[2]
https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1611#note_3319757
[3]
https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1611#note_3113414
[4] https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1824.patch
diff -Nru poppler-25.03.0/debian/changelog poppler-25.03.0/debian/changelog
--- poppler-25.03.0/debian/changelog 2026-06-06 05:07:43.000000000 -0400
+++ poppler-25.03.0/debian/changelog 2026-07-02 12:52:33.000000000 -0400
@@ -1,3 +1,13 @@
+poppler (25.03.0-5+deb13u4) trixie; urgency=medium
+
+ * Team upload
+ * Fix creation of ill-formed PDF document signatures (Poppler issue #1596)
+ - fixes "Invalid signature time when signing a PDF" (Closes: #1127146)
+ Signatures made with previous versions of Poppler may not be recognized
+ by other applications as valid.
+
+ -- John Scott <[email protected]> Thu, 02 Jul 2026 16:52:33 +0000
+
poppler (25.03.0-5+deb13u3) trixie-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru poppler-25.03.0/debian/patches/malformed-moddate.patch poppler-25.03.0/debian/patches/malformed-moddate.patch
--- poppler-25.03.0/debian/patches/malformed-moddate.patch 1969-12-31 19:00:00.000000000 -0500
+++ poppler-25.03.0/debian/patches/malformed-moddate.patch 2026-07-01 11:49:51.000000000 -0400
@@ -0,0 +1,28 @@
+Description: DateInfo: Fix timeToStringWithFormat buffer length
+ strftime places a NULL-terminated string in the buffer, so the std::string
+ buffer needs to be resized to not include the terminator character
+ (or anything after it).
+ .
+ Without this fix, modification dates in altered PDF documents (such as when
+ adding a digital signature) are not truncated properly, instead padding
+ the date with a null byte and extra spaces until the end of the buffer is
+ reached. This bad syntax compromises the ability to verify the signature
+ with other applications, but the Poppler signatory has no indication of this.
+Origin: upstream, https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1824.patch
+Applied-Upstream: 25.06.0, https://gitlab.freedesktop.org/poppler/poppler/-/commit/55169105e121d5fbb7c50e2c744d750de5d0a7de
+Author: Erich E. Hoover <[email protected]>
+Bug: https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1596
+Bug-Debian: https://bugs.debian.org/1127146
+Reviewed-By: John Scott <[email protected]>
+Last-Update: 2026-07-01
+
+--- poppler-25.03.0.orig/poppler/DateInfo.cc
++++ poppler-25.03.0/poppler/DateInfo.cc
+@@ -122,6 +122,7 @@ std::string timeToStringWithFormat(const
+ while (strftime(&buf[0], buf.size(), fmt.c_str(), &localtime_tm) == 0) {
+ buf.resize(bufLen *= 2);
+ }
++ buf.resize(buf.find('\0'));
+ return buf;
+ }
+
diff -Nru poppler-25.03.0/debian/patches/series poppler-25.03.0/debian/patches/series
--- poppler-25.03.0/debian/patches/series 2026-06-06 05:06:52.000000000 -0400
+++ poppler-25.03.0/debian/patches/series 2026-07-01 11:48:54.000000000 -0400
@@ -6,3 +6,4 @@
SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch
Make-sure-regex-doesn-t-stack-overflow-by-limiting-i.patch
Check-for-duplicate-entries.patch
+malformed-moddate.patch
signature.asc
Description: This is a digitally signed message part
--- End Message ---
--- Begin Message ---
Version: 13.6
This update was released as part of 13.6.
--- End Message ---