Version in base suite: 25.04.2-1

Base version: okular_25.04.2-1
Target version: okular_25.04.2-1+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/okular/okular_25.04.2-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/o/okular/okular_25.04.2-1+deb13u1.dsc

 changelog                  |    6 +++
 patches/fax-security.patch |   90 +++++++++++++++++++++++++++++++++++++++++++++
 patches/series             |    1 
 3 files changed, 97 insertions(+)

dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpl5h46zau/okular_25.04.2-1.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpl5h46zau/okular_25.04.2-1+deb13u1.dsc: no acceptable signature found
diff -Nru okular-25.04.2/debian/changelog okular-25.04.2/debian/changelog
--- okular-25.04.2/debian/changelog	2025-06-09 21:18:58.000000000 +0000
+++ okular-25.04.2/debian/changelog	2026-06-08 11:52:53.000000000 +0000
@@ -1,3 +1,9 @@
+okular (4:25.04.2-1+deb13u1) trixie-security; urgency=medium
+
+  * Multiple security issues in parsing Fax files
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Mon, 08 Jun 2026 13:52:53 +0200
+
 okular (4:25.04.2-1) unstable; urgency=medium
 
   [ Aurélien COUDERC ]
diff -Nru okular-25.04.2/debian/patches/fax-security.patch okular-25.04.2/debian/patches/fax-security.patch
--- okular-25.04.2/debian/patches/fax-security.patch	1970-01-01 00:00:00.000000000 +0000
+++ okular-25.04.2/debian/patches/fax-security.patch	2026-06-08 11:52:53.000000000 +0000
@@ -0,0 +1,90 @@
+From 49cccdec814b2ddb0a403b63994114f09b007a2c Mon Sep 17 00:00:00 2001
+From: George Karagiannidis <gbkaragiannidis@gmail.com>
+Date: Mon, 4 May 2026 23:00:56 +0200
+Subject: [PATCH] fax: Three allocation-related arithmetic operations use
+ attacker-influenced dimensions without overflow checks:
+
+From e5f088674223019fafac26800a2ae0c0d6afc85b Mon Sep 17 00:00:00 2001
+From: George Karagiannidis <gbkaragiannidis@gmail.com>
+Date: Mon, 4 May 2026 22:47:41 +0200
+Subject: [PATCH] fax: The Ghostscript / PC Research fax header handling at
+ line 109 performs
+
+From 466786c354d890e39a3871f80ed686958d2513a2 Mon Sep 17 00:00:00 2001
+From: George Karagiannidis <gbkaragiannidis@gmail.com>
+Date: Mon, 4 May 2026 22:47:23 +0200
+Subject: [PATCH] fax: A zero-byte .g3 file causes getstrip() to allocate a
+ 4-byte buffer
+
+
+--- okular-25.04.2.orig/generators/fax/faxdocument.cpp
++++ okular-25.04.2/generators/fax/faxdocument.cpp
+@@ -55,7 +55,18 @@ static bool new_image(pagenode *pn, int
+     pn->image.setColor(1, qRgb(0, 0, 0));
+     pn->bytes_per_line = pn->image.bytesPerLine();
+     pn->dpi = FAX_DPI_FINE;
+-    pn->imageData = new uchar[width * height];
++
++    if (width <= 0 || height <= 0) {
++        return false;
++    }
++    const size_t alloc_size = static_cast<size_t>(width) * static_cast<size_t>(height);
++    if (alloc_size / width != static_cast<size_t>(height)) {
++        return false;
++    }
++    if (alloc_size > 256 * 1024 * 1024) {
++        return false;
++    }
++    pn->imageData = new uchar[alloc_size];
+ 
+     return !pn->image.isNull();
+ }
+@@ -88,6 +99,10 @@ static unsigned char *getstrip(pagenode
+         return nullptr;
+     }
+ 
++    if (pn->length == 0) {
++        return nullptr;
++    }
++
+     /* round size to full boundary plus t32bits */
+     roundup = (pn->length + 7) & ~3;
+ 
+@@ -106,7 +121,7 @@ static unsigned char *getstrip(pagenode
+ 
+     pn->data = reinterpret_cast<t16bits *>(data);
+ 
+-    if (pn->strips == nullptr && memcmp(data, FAXMAGIC, sizeof(FAXMAGIC) - 1) == 0) {
++    if (pn->strips == nullptr && pn->length >= 64 && memcmp(data, FAXMAGIC, sizeof(FAXMAGIC) - 1) == 0) {
+         /* handle ghostscript / PC Research fax file */
+         pn->length -= 64;
+         pn->vres = data[29];
+@@ -116,7 +131,11 @@ static unsigned char *getstrip(pagenode
+ 
+     normalize(pn, !pn->lsbfirst, ShortOrder, roundup);
+     if (pn->size.height() == 0) {
+-        pn->size.setHeight(G3count(pn, pn->expander == g32expand));
++        int h = G3count(pn, pn->expander == g32expand);
++        if (h > 65536) {
++            h = 0;
++        }
++        pn->size.setHeight(h);
+     }
+ 
+     if (pn->size.height() == 0) {
+@@ -270,7 +289,14 @@ bool FaxDocument::load()
+     int height = d->mPageNode.size.height();
+     int bytes_per_line = d->mPageNode.size.width() / 8;
+ 
+-    QByteArray bytes(height * bytes_per_line, 0);
++    if (height <= 0 || bytes_per_line <= 0) {
++        return false;
++    }
++    const qint64 total = static_cast<qint64>(height) * static_cast<qint64>(bytes_per_line);
++    if (total > 256 * 1024 * 1024) {
++        return false;
++    }
++    QByteArray bytes(static_cast<int>(total), 0);
+     for (int y = height - 1; y >= 0; --y) {
+         quint32 offset = y * bytes_per_line;
+         quint32 *source = reinterpret_cast<quint32 *>(d->mPageNode.imageData + offset);
diff -Nru okular-25.04.2/debian/patches/series okular-25.04.2/debian/patches/series
--- okular-25.04.2/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
+++ okular-25.04.2/debian/patches/series	2026-06-08 11:52:53.000000000 +0000
@@ -0,0 +1 @@
+fax-security.patch