Control: tags 1120642 + patch
Control: tags 1120642 + pending
X-Debbugs-CC: [email protected]
Dear maintainer,

I've prepared an NMU for pdfminer (versioned as 20221105+dfsg-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it. I do realize the delay is chosen a bit too short; if possible, though, I would like to base the trixie- and bookworm-security uploads on this, given we have the same version across the suites. If I still should cancel it, let me know please.

Regards,
Salvatore
diffstat for pdfminer-20221105+dfsg pdfminer-20221105+dfsg changelog | 8 ++ patches/0003-Fix-arbitary-code-execution-when-loading-pickle-font.patch | 38 ++++++++++ patches/series | 1 3 files changed, 47 insertions(+) diff -Nru pdfminer-20221105+dfsg/debian/changelog pdfminer-20221105+dfsg/debian/changelog --- pdfminer-20221105+dfsg/debian/changelog 2022-12-17 17:51:39.000000000 +0100 +++ pdfminer-20221105+dfsg/debian/changelog 2025-11-13 22:53:52.000000000 +0100 @@ -1,3 +1,11 @@ +pdfminer (20221105+dfsg-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix: arbitary code execution when loading pickle font files (CVE-2025-64512) + (Closes: #1120642) + + -- Salvatore Bonaccorso <[email protected]> Thu, 13 Nov 2025 22:53:52 +0100 + pdfminer (20221105+dfsg-1) unstable; urgency=medium * New upstream version 20221105. diff -Nru pdfminer-20221105+dfsg/debian/patches/0003-Fix-arbitary-code-execution-when-loading-pickle-font.patch pdfminer-20221105+dfsg/debian/patches/0003-Fix-arbitary-code-execution-when-loading-pickle-font.patch --- pdfminer-20221105+dfsg/debian/patches/0003-Fix-arbitary-code-execution-when-loading-pickle-font.patch 1970-01-01 01:00:00.000000000 +0100 +++ pdfminer-20221105+dfsg/debian/patches/0003-Fix-arbitary-code-execution-when-loading-pickle-font.patch 2025-11-13 22:52:21.000000000 +0100 
@@ -0,0 +1,38 @@ +From: Scott Tolley <[email protected]> +Date: Fri, 7 Nov 2025 20:47:46 +0100 +Subject: Fix: arbitary code execution when loading pickle font files +Origin: https://github.com/pdfminer/pdfminer.six/commit/b808ee05dd7f0c8ea8ec34bdf394d40e63501086 +Bug-Debian: https://bugs.debian.org/1120642 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-64512 + +Fixes https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp + +Fixes https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-f83h-ghpp-7wcc +--- + pdfminer/cmapdb.py | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/pdfminer/cmapdb.py b/pdfminer/cmapdb.py +index 87d9870e024d..b3c7f2b018d4 100644 +--- a/pdfminer/cmapdb.py ++++ b/pdfminer/cmapdb.py +@@ -240,8 +240,14 @@ class CMapDB: + ) + for directory in cmap_paths: + path = os.path.join(directory, filename) +- if os.path.exists(path): +- gzfile = gzip.open(path) ++ # Resolve paths to prevent directory traversal ++ resolved_path = os.path.realpath(path) ++ resolved_directory = os.path.realpath(directory) ++ # Check if resolved path is within the intended directory ++ if not resolved_path.startswith(resolved_directory + os.sep): ++ continue ++ if os.path.exists(resolved_path): ++ gzfile = gzip.open(resolved_path) + try: + return type(str(name), (), pickle.loads(gzfile.read())) + finally: +-- +2.51.0 + diff -Nru pdfminer-20221105+dfsg/debian/patches/series pdfminer-20221105+dfsg/debian/patches/series --- pdfminer-20221105+dfsg/debian/patches/series 2022-12-17 17:51:39.000000000 +0100 +++ pdfminer-20221105+dfsg/debian/patches/series 2025-11-13 22:52:58.000000000 +0100 @@ -1,2 +1,3 @@ 0001-Update-patch-use-Python3.patch 0002-Avoid-timestamps-in-gzip-compressed-file-and-use-com.patch +0003-Fix-arbitary-code-execution-when-loading-pickle-font.patch
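Review bot: the changelog entry and the patch file name carry the spelling "arbitary" (for "arbitrary"), inherited from the upstream commit subject; the changelog line is free text and could read "Fix: arbitrary code execution when loading pickle font files (CVE-2025-64512)" without touching the patch file name, which would otherwise have to be renamed in debian/patches/series as well.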
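Review bot: the cmapdb.py hunk narrows which files are opened but does not remove the dangerous operation; two lines below the changed block the file content still goes straight into `pickle.loads(gzfile.read())`, so after this change the protection rests entirely on nobody untrusted being able to write into the directories listed in `cmap_paths`. That is a reasonable minimal fix for a stable update, but it is worth stating in the patch header (or the changelog) that the root cause, unpickling of data files, remains and that a follow-up replacing the pickle format is still needed. The traversal check itself looks right: `realpath` is applied to both sides, and the `resolved_directory + os.sep` comparison correctly rejects both sibling directories with a common prefix and the directory itself. One small point: `os.path.exists(resolved_path)` is evaluated after the prefix check, so a symlink inside the directory that points outside it is silently skipped rather than logged; a debug log line on the `continue` would make a misconfigured CMap directory easier to diagnose.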

