Control: tags -1 + moreinfo

Hi,

On Mon, Mar 23, 2026 at 12:08:33AM +0100, Bastian Germann wrote:
> And now with attachment.
> diff -Nru pymupdf-1.25.4+ds1/debian/changelog > pymupdf-1.25.4+ds1/debian/changelog > --- pymupdf-1.25.4+ds1/debian/changelog 2025-04-23 13:08:38.000000000 > +0200 > +++ pymupdf-1.25.4+ds1/debian/changelog 2026-03-22 23:52:49.000000000 > +0100 > @@ -1,3 +1,13 @@ > +pymupdf (1.25.4+ds1-3~bpo13+1) trixie-backports; urgency=medium > + > + * Rebuild for trixie-backports > + * Backport upstream fix for CVE-2026-3029: > + Improved safety of `pymupdf embed-extract`. This now refuses to write to > + an existing file or outside current directory, unless `-output` or new > flag > + `-unsafe` is specified. > + > + -- Bastian Germann <[email protected]> Sun, 22 Mar 2026 23:52:49 +0100

TBH, I'm a bit confused what you are trying to achieve?

CVE-2026-3029 is yet unfixed in trixie and bookworm, and the above version is a trixie-backports version. From the debdiff you are picking a commit to address CVE-2026-3029 on top of 1.25.4+ds1-3 and you would like to fix the issue in trixie via the next point release. So the versioning should rather be: 1.25.4+ds1-3+deb13u1.

Regards,
Salvatore
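
Review bot: in the quoted debian/changelog hunk, the "Backport upstream fix for CVE-2026-3029" bullet does not say which upstream commit or which patch file in the packaging carries the fix, so the change cannot be traced from the changelog alone; name both in that bullet. The entry also opens with "Rebuild for trixie-backports", which reads as a no-change rebuild, while the following bullet alters what `pymupdf embed-extract` does (it now refuses to write to an existing file or outside the current directory unless `-output` or `-unsafe` is given), so the behaviour change should stand as its own entry rather than ride along with a rebuild line.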

