Package: qpdf
Version: 11.3.0-1
Severity: important
Tags: upstream
X-Debbugs-Cc: q...@debian.org

Note: I am the upstream author and Debian maintainer for qpdf.

Upstream bug https://github.com/qpdf/qpdf/issues/1050 revealed a bug in qpdf's lexical layer that would cause qpdf to discard the character in a binary string following an octal quoted character with 1 or 2 digits. The PDF spec allows octal digits to be \d, \dd, or \ddd, and allows the first two forms if the next character is other than an octal digit. Most PDF writers never use the \d or \dd forms, but some do.

With default options, qpdf does not parse or alter strings inside content streams, so this bug is not likely to affect page content. However, binary strings of this sort are common in the document /ID and may also appear in metadata for encrypted files.

In some cases, such as the file in #1050, this bug can cause an error, in this case, because the discarded character was the string end delimiter. In most cases, this bug results in silent data loss.

The fix is very small and locally contained. The upstream fix includes several new test cases, but the patch I will include to fix the issue only includes the relevant code change.

I am not attaching a patch to the bug report because I am the package maintainer and intend to immediately follow this with a fix targeted to bookworm.

Please note: I am composing this bug from a system running Ubuntu 23.04. I have edited the package version in the bug pseudo-headers, but the system information below pertains to the system I am running reportbug from, which is not the system that is broken.

-- System Information:
Debian Release: bookworm/sid
  APT prefers lunar-updates
  APT policy: (500, 'lunar-updates'), (500, 'lunar-security'), (500, 'lunar'), (100, 'lunar-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.2.0-34-generic (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages qpdf depends on:
ii  libc6       2.37-0ubuntu2.1
ii  libgcc-s1   13.1.0-2ubuntu2~23.04
ii  libqpdf29   11.6.3-1~bpo23.04.1~ppa1
ii  libstdc++6  13.1.0-2ubuntu2~23.04

qpdf recommends no packages.

qpdf suggests no packages.

-- no debconf information
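
The symptom described in this report, as an added example that is not part of the original report and is not qpdf's code: a minimal C++ decoder for PDF literal strings, where the emulate_bug flag (an assumed mechanism, like every name here) drops the character after a \d or \dd escape. Line-continuation escapes are left out, and the sample inputs in main() are constructed.

```cpp
#include <cstdio>
#include <string>

struct Decoded { bool ok; std::string bytes; };
static bool is_octal(char c) { return c >= '0' && c <= '7'; }

// Added example (hypothetical names): decodes a PDF literal string that
// starts at '(' in `in`. emulate_bug=true reproduces the reported symptom:
// after a 1- or 2-digit octal escape, the next character is discarded.
Decoded decode_literal(const std::string& in, bool emulate_bug) {
    Decoded r{false, ""};
    if (in.empty() || in[0] != '(') return r;
    static const std::string names = "nrtbf", values = "\n\r\t\b\f";
    int depth = 1;
    for (size_t i = 1; i < in.size();) {
        char c = in[i++];
        if (c == '\\' && i < in.size()) {
            if (is_octal(in[i])) {
                int value = 0, digits = 0;
                // \d, \dd or \ddd: stop after 3 digits or at a non-octal char
                while (digits < 3 && i < in.size() && is_octal(in[i])) {
                    value = value * 8 + (in[i++] - '0');
                    ++digits;
                }
                r.bytes.push_back(static_cast<char>(value & 0xff));
                if (emulate_bug && digits < 3 && i < in.size()) ++i;  // lost byte
            } else {
                char e = in[i++];
                size_t k = names.find(e);  // other escapes: \( \) \\ map to themselves
                r.bytes.push_back(k == std::string::npos ? e : values[k]);
            }
        } else if (c == ')' && --depth == 0) {
            r.ok = true;  // balanced closing delimiter reached
            return r;
        } else {
            if (c == '(') ++depth;
            r.bytes.push_back(c);
        }
    }
    return r;  // ran off the end: unterminated string
}

int main() {  // constructed inputs: \d then 'a', \dd then ')', \ddd then 'B'
    for (const char* s : {"(\\1a)", "(\\12)", "(\\101B)"}) {
        Decoded good = decode_literal(s, false), bad = decode_literal(s, true);
        std::printf("%-9s correct: ok=%d len=%zu | buggy: ok=%d len=%zu\n", s,
                    good.ok, good.bytes.size(), bad.ok, bad.bytes.size());
    }
}
```

The second input shows the error case from the report (the closing delimiter is the discarded character); the first shows the silent one, where decoding succeeds with one byte missing.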