Source: pdfminer
Version: 20221105+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for pdfminer.

CVE-2025-64512[0]:
| Pdfminer.six is a community maintained fork of the original
| PDFMiner, a tool for extracting information from PDF documents.
| Prior to version 20251107, pdfminer.six will execute arbitrary code
| from a malicious pickle file if provided with a malicious PDF file.
| The `CMapDB._load_data()` function in pdfminer.six uses
| `pickle.loads()` to deserialize pickle files. These pickle files are
| supposed to be part of the pdfminer.six distribution stored in the
| `cmap/` directory, but a malicious PDF can specify an alternative
| directory and filename as long as the filename ends in `.pickle.gz`.
| A malicious, zipped pickle file can then contain code which will
| automatically execute when the PDF is processed. Version 20251107
| fixes the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-64512
    https://www.cve.org/CVERecord?id=CVE-2025-64512
[1] https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp
[2] https://github.com/pdfminer/pdfminer.six/commit/b808ee05dd7f0c8ea8ec34bdf394d40e63501086

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
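As an added defensive illustration, not pdfminer's code and not the upstream fix referenced in [2], the following shows the two checks a loader in the position of `CMapDB._load_data()` needs: the CMap filename must resolve inside the distribution's `cmap/` directory, and the unpickler must refuse any global lookup outside a small allowlist rather than calling `pickle.loads()` on attacker-influenced data. The class and function names, the `/opt/cmap` directory and the sample payloads are assumptions constructed for the example.

```python
import builtins
import collections
import gzip
import io
import pickle
from pathlib import Path

# CMap tables only need plain containers and scalars; any other global
# lookup is refused (hypothetical allowlist, not pdfminer's own).
_SAFE_BUILTINS = {"dict", "list", "tuple", "set", "frozenset",
                  "str", "bytes", "int", "float", "bool"}

class CMapUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted builtins."""

    def find_class(self, module, name):
        if module == "builtins" and name in _SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(
            f"refusing global {module}.{name} in CMap pickle")

def resolve_cmap_path(cmap_dir, filename):
    """Accept only *.pickle.gz names that stay inside cmap_dir."""
    if not filename.endswith(".pickle.gz"):
        raise ValueError("unexpected CMap file suffix")
    base = Path(cmap_dir).resolve()
    target = (base / filename).resolve()
    if base not in target.parents:
        raise ValueError(f"{filename!r} escapes the cmap directory")
    return target

def load_cmap_bytes(data):
    """gunzip plus restricted unpickle of an in-memory .pickle.gz blob."""
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as fp:
        return CMapUnpickler(fp).load()

def check_cmap_payload(data):
    """Return ('ok', obj) or ('refused', reason) for a payload."""
    try:
        return "ok", load_cmap_bytes(data)
    except (pickle.UnpicklingError, OSError, EOFError) as exc:
        return "refused", str(exc)

# Constructed samples: a benign CMap-like table, and one that references
# a class outside the allowlist (collections.OrderedDict) and is refused.
GOOD_SAMPLE = gzip.compress(pickle.dumps({"code2cid": {0x41: 1}}))
BAD_SAMPLE = gzip.compress(pickle.dumps(collections.OrderedDict(a=1)))
```

The path check rejects both traversal names and names without the expected suffix before any file is opened; the restricted unpickler then makes the deserialization step itself refuse anything but data.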

