Your message dated Sat, 15 Nov 2025 22:19:13 +0000
with message-id <[email protected]>
and subject line Bug#1120642: fixed in pdfminer 20221105+dfsg-1.1
has caused the Debian Bug report #1120642,
regarding pdfminer: CVE-2025-64512
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1120642: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120642
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pdfminer
Version: 20221105+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for pdfminer.
CVE-2025-64512[0]:
| Pdfminer.six is a community maintained fork of the original
| PDFMiner, a tool for extracting information from PDF documents.
| Prior to version 20251107, pdfminer.six will execute arbitrary code
| from a malicious pickle file if provided with a malicious PDF file.
| The `CMapDB._load_data()` function in pdfminer.six uses
| `pickle.loads()` to deserialize pickle files. These pickle files are
| supposed to be part of the pdfminer.six distribution stored in the
| `cmap/` directory, but a malicious PDF can specify an alternative
| directory and filename as long as the filename ends in `.pickle.gz`.
| A malicious, zipped pickle file can then contain code which will
| automatically execute when the PDF is processed. Version 20251107
| fixes the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-64512
    https://www.cve.org/CVERecord?id=CVE-2025-64512
[1] https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp
[2] https://github.com/pdfminer/pdfminer.six/commit/b808ee05dd7f0c8ea8ec34bdf394d40e63501086
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
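The advisory above describes a loader that builds "<name>.pickle.gz" from a name taken out of the PDF, looks it up in a list of directories and hands the bytes to pickle. The following is an added example, not pdfminer.six's code and not its upstream fix: it models that pattern with a deliberately vulnerable loader next to a hardened one that (a) refuses any name whose resolved path leaves the cmap directory and (b) unpickles with an Unpickler whose find_class is disabled, since the cmap tables are plain dicts/ints/strings and never need a callable. The function names, the temporary directories, the `Payload` class and the harmless `record_call` stand-in for "code that runs on load" are all constructed for the example.

```python
"""Path confinement and restricted unpickling for a CMap-style loader.

Added example; this is NOT pdfminer.six's code and NOT its upstream fix.
Everything below (names, directories, sample pickles) is constructed.
"""
import gzip
import io
import os
import pickle
import tempfile
from pathlib import Path

# Harmless stand-in for "code executed during unpickling": it only records
# that it was called, so the demo shows the control flow without side effects.
CALLS = []


def record_call(tag):
    CALLS.append(tag)
    return tag


class Payload:
    """A pickle whose __reduce__ makes the loader call record_call()."""

    def __reduce__(self):
        return (record_call, ("executed-on-load",))


def write_pickle_gz(path, obj):
    with gzip.open(path, "wb") as f:
        f.write(pickle.dumps(obj))


def load_data_vulnerable(name, cmap_dirs):
    """Mirrors the pattern the advisory describes: the name is joined onto
    each directory without confinement, and the file is fed to pickle.loads()."""
    filename = "%s.pickle.gz" % name.replace("\0", "")
    for directory in cmap_dirs:
        path = os.path.join(directory, filename)
        if os.path.exists(path):  # "../x" resolves outside the cmap dir
            with gzip.open(path, "rb") as f:
                return pickle.loads(f.read())
    raise FileNotFoundError(name)


class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuses every GLOBAL / STACK_GLOBAL lookup, so no callable can be
    reconstructed.  Plain containers, ints, bytes and str still load."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def load_data_hardened(name, cmap_dirs):
    filename = "%s.pickle.gz" % name.replace("\0", "")
    for directory in cmap_dirs:
        base = Path(directory).resolve()
        path = (base / filename).resolve()  # follows symlinks and ".." first
        # 1. Confinement: the resolved file must sit below the cmap directory.
        if base not in path.parents:
            raise ValueError("cmap name escapes %s: %r" % (base, name))
        if not path.is_file():
            continue
        # 2. Defence in depth: even a trojaned file inside the directory
        #    cannot smuggle in a callable.
        with gzip.open(path, "rb") as f:
            return NoGlobalsUnpickler(io.BytesIO(f.read())).load()
    raise FileNotFoundError(name)


def demo():
    """Builds a throwaway cmap dir plus an out-of-tree payload and returns
    what each loader did with them."""
    CALLS.clear()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cmap_dir = Path(tmp) / "cmap"
        outside = Path(tmp) / "outside"
        cmap_dir.mkdir()
        outside.mkdir()
        write_pickle_gz(cmap_dir / "Good-CMap.pickle.gz", {"CODE2CID": {0x20: 1}})
        write_pickle_gz(outside / "evil.pickle.gz", Payload())
        write_pickle_gz(cmap_dir / "Trojan.pickle.gz", Payload())

        results["good"] = load_data_hardened("Good-CMap", [cmap_dir])

        load_data_vulnerable("../outside/evil", [cmap_dir])
        results["vulnerable_ran_payload"] = list(CALLS)  # ["executed-on-load"]
        CALLS.clear()

        try:
            load_data_hardened("../outside/evil", [cmap_dir])
            results["hardened_traversal"] = "loaded"
        except ValueError:
            results["hardened_traversal"] = "rejected"
        try:
            load_data_hardened("Trojan", [cmap_dir])
            results["hardened_trojan"] = "loaded"
        except pickle.UnpicklingError:
            results["hardened_trojan"] = "rejected"
        results["hardened_ran_payload"] = list(CALLS)  # []
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The confinement check is what stops the traversal the advisory describes; the restricted Unpickler is an extra layer that holds even if an attacker can write into the cmap directory, and it costs nothing because legitimate cmap data contains no class or function references.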
--- Begin Message ---
Source: pdfminer
Source-Version: 20221105+dfsg-1.1
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
pdfminer, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated pdfminer package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 13 Nov 2025 22:53:52 +0100
Source: pdfminer
Architecture: source
Version: 20221105+dfsg-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1120642
Changes:
pdfminer (20221105+dfsg-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Fix: arbitrary code execution when loading pickle font files
(CVE-2025-64512)
(Closes: #1120642)
Checksums-Sha1:
35a783efe879269bd4bafe582c7980e2bf18cdbc 2508 pdfminer_20221105+dfsg-1.1.dsc
ba3609cf8086e9ffc81be43742cd7e3862d33ccc 12724 pdfminer_20221105+dfsg-1.1.debian.tar.xz
740b552a4bbf1255622838e4daa932a8238e5107 7239 pdfminer_20221105+dfsg-1.1_source.buildinfo
Checksums-Sha256:
5f1cb5fe5fe43700552c7f0d8b84a34bef8ed3097d1d7658260799eb3db28c08 2508 pdfminer_20221105+dfsg-1.1.dsc
f7a40c2cdedfe4dc6d2337aec802f2cdf0d6cb50cb1837d4e6ae4184a9b95c38 12724 pdfminer_20221105+dfsg-1.1.debian.tar.xz
b3a6f659e9cfd03eb5df54c68f4c32cfd85c01c2202ba6f6d759a513ae2512dd 7239 pdfminer_20221105+dfsg-1.1_source.buildinfo
Files:
cd2dfe98939c60dc8bd768e4c18ea2a3 2508 python optional pdfminer_20221105+dfsg-1.1.dsc
fafa134c6435fefd87bdf5608925f3d5 12724 python optional pdfminer_20221105+dfsg-1.1.debian.tar.xz
30ec5475fd564faba450b534e014559b 7239 python optional pdfminer_20221105+dfsg-1.1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
pgp9On6zGM5LT.pgp
Description: PGP signature
--- End Message ---