Version in base suite: 20221105+dfsg-1 Base version: pdfminer_20221105+dfsg-1 Target version: pdfminer_20221105+dfsg-1.1~deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/pdfminer/pdfminer_20221105+dfsg-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/pdfminer/pdfminer_20221105+dfsg-1.1~deb13u1.dsc changelog | 15 +++ patches/0003-Fix-arbitary-code-execution-when-loading-pickle-font.patch | 38 ++++++++++ patches/series | 1 3 files changed, 54 insertions(+)
diff -Nru pdfminer-20221105+dfsg/debian/changelog pdfminer-20221105+dfsg/debian/changelog
--- pdfminer-20221105+dfsg/debian/changelog 2022-12-17 16:51:39.000000000 +0000
+++ pdfminer-20221105+dfsg/debian/changelog 2025-11-22 16:21:56.000000000 +0000
@@ -1,3 +1,18 @@
+pdfminer (20221105+dfsg-1.1~deb13u1) trixie-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Rebuild for trixie-security
+
+ -- Salvatore Bonaccorso Sat, 22 Nov 2025 17:21:56 +0100
+
+pdfminer (20221105+dfsg-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix: arbitary code execution when loading pickle font files (CVE-2025-64512)
+ (Closes: #1120642)
+
+ -- Salvatore Bonaccorso Thu, 13 Nov 2025 22:53:52 +0100
+
 pdfminer (20221105+dfsg-1) unstable; urgency=medium
 
 * New upstream version 20221105.
@@ -0,0 +1,38 @@
+From: Scott Tolley
+Date: Fri, 7 Nov 2025 20:47:46 +0100
+Subject: Fix: arbitary code execution when loading pickle font files
+Origin: https://github.com/pdfminer/pdfminer.six/commit/b808ee05dd7f0c8ea8ec34bdf394d40e63501086
+Bug-Debian: https://bugs.debian.org/1120642
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-64512
+
+Fixes https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp
+
+Fixes https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-f83h-ghpp-7wcc
+---
+ pdfminer/cmapdb.py | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/pdfminer/cmapdb.py b/pdfminer/cmapdb.py
+index 87d9870e024d..b3c7f2b018d4 100644
+--- a/pdfminer/cmapdb.py
++++ b/pdfminer/cmapdb.py
+@@ -240,8 +240,14 @@ class CMapDB:
+ )
+ for directory in cmap_paths:
+ path = os.path.join(directory, filename)
+- if os.path.exists(path):
+- gzfile = gzip.open(path)
++ # Resolve paths to prevent directory traversal
++ resolved_path = os.path.realpath(path)
++ resolved_directory = os.path.realpath(directory)
++ # Check if resolved path is within the intended directory
++ if not resolved_path.startswith(resolved_directory + os.sep):
++ continue
++ if os.path.exists(resolved_path):
++ gzfile = gzip.open(resolved_path)
+ try:
+ return type(str(name), (), pickle.loads(gzfile.read()))
+ finally:
+--
+2.51.0
+
diff -Nru pdfminer-20221105+dfsg/debian/patches/series pdfminer-20221105+dfsg/debian/patches/series
--- pdfminer-20221105+dfsg/debian/patches/series 2022-12-17 16:51:39.000000000 +0000
+++ pdfminer-20221105+dfsg/debian/patches/series 2025-11-22 16:21:49.000000000 +0000
@@ -1,2 +1,3 @@
 0001-Update-patch-use-Python3.patch
 0002-Avoid-timestamps-in-gzip-compressed-file-and-use-com.patch
+0003-Fix-arbitary-code-execution-when-loading-pickle-font.patch
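Review bot: The containment check added ahead of `os.path.exists` only constrains which file gets opened; the sink the subject line names, `pickle.loads(gzfile.read())` on the unchanged line below it, still executes arbitrary pickle opcodes, so anyone able to drop a `*.pickle.gz` into one of the `cmap_paths` directories keeps code execution. Provided the shipped cmap pickles hold nothing but builtin containers (to be confirmed against the files produced at build time), a `pickle.Unpickler` subclass whose `find_class` refuses every global closes that sink without changing what is loaded; the rewritten lines are below. Separately, `startswith(resolved_directory + os.sep)` also rejects a cmap file that is a symlink resolving outside its directory, and that case now hits `continue` silently instead of being loaded, so a debug log line on that branch would make the rejection visible. `os.path.commonpath([resolved_directory, resolved_path]) == resolved_directory` expresses the same containment without depending on the separator suffix. The enclosing method (in `class CMapDB`, per the hunk header) starts and ends outside the hunk.
```python
class _CMapUnpickler(pickle.Unpickler):
    """Unpickler for cmap data: refuses every global, so only builtin containers can be rebuilt."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "cmap pickle must not reference %s.%s" % (module, name)
        )

# … unchanged: path resolution and containment check …
            if os.path.exists(resolved_path):
                gzfile = gzip.open(resolved_path)
                try:
                    return type(str(name), (), _CMapUnpickler(gzfile).load())
                finally:
```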