Version in base suite: 11.1.0-5+deb13u2
Version in overlay suite: 11.1.0-5+deb13u3
Base version: pillow_11.1.0-5+deb13u3
Target version: pillow_11.1.0-5+deb13u4
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/pillow/pillow_11.1.0-5+deb13u3.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/pillow/pillow_11.1.0-5+deb13u4.dsc
changelog | 6 ++++++
patches/CVE-2026-42310-fixup.patch | 25 +++++++++++++++++++++++++
patches/series | 1 +
3 files changed, 32 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp0zr3m8fh/pillow_11.1.0-5+deb13u3.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp0zr3m8fh/pillow_11.1.0-5+deb13u4.dsc: no acceptable signature found
diff -Nru pillow-11.1.0/debian/changelog pillow-11.1.0/debian/changelog
--- pillow-11.1.0/debian/changelog 2026-06-19 18:11:46.000000000 +0000
+++ pillow-11.1.0/debian/changelog 2026-07-03 10:06:00.000000000 +0000
@@ -1,3 +1,9 @@
+pillow (11.1.0-5+deb13u4) trixie; urgency=medium
+
+ * Followup fix for CVE-2026-42310 (Closes: #1141330)
+
+ -- Moritz Mühlenhoff Fri, 03 Jul 2026 22:03:44 +0200
+
 pillow (11.1.0-5+deb13u3) trixie-security; urgency=medium

 * CVE-2026-42308
diff -Nru pillow-11.1.0/debian/patches/CVE-2026-42310-fixup.patch pillow-11.1.0/debian/patches/CVE-2026-42310-fixup.patch
--- pillow-11.1.0/debian/patches/CVE-2026-42310-fixup.patch 1970-01-01 00:00:00.000000000 +0000
+++ pillow-11.1.0/debian/patches/CVE-2026-42310-fixup.patch 2026-07-03 10:07:44.000000000 +0000
@@ -0,0 +1,25 @@
+From 78ee80a6fdd4b787f71880f10e66d6b989c6e58d Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno
+Date: Wed, 13 May 2026 11:14:41 +0200
+Subject: [PATCH] PdfParser: Don't use list as def in read_prev_trailer
+
+--- pillow-11.1.0.orig/src/PIL/PdfParser.py
++++ pillow-11.1.0/src/PIL/PdfParser.py
+@@ -684,7 +684,7 @@ class PdfParser:
+ self.read_prev_trailer(self.trailer_dict[b"Prev"])
+
+ def read_prev_trailer(
+- self, xref_section_offset: int, processed_offsets: list[int] = []
++ self, xref_section_offset: int, processed_offsets: list[int] = None
+ ) -> None:
+ assert self.buf is not None
+ trailer_offset = self.read_xref_table(xref_section_offset=xref_section_offset)
+@@ -700,6 +700,8 @@ class PdfParser:
+ )
+ trailer_dict = self.interpret_trailer(trailer_data)
+ if b"Prev" in trailer_dict:
++ if processed_offsets is None:
++ processed_offsets = []
+ processed_offsets.append(xref_section_offset)
+ check_format_condition(
+ trailer_dict[b"Prev"] not in processed_offsets, "trailer loop found"
diff -Nru pillow-11.1.0/debian/patches/series pillow-11.1.0/debian/patches/series
--- pillow-11.1.0/debian/patches/series 2026-06-19 16:03:34.000000000 +0000
+++ pillow-11.1.0/debian/patches/series 2026-07-03 10:06:59.000000000 +0000
@@ -10,3 +10,4 @@
 CVE-2026-42308.patch
 CVE-2026-42310.patch
 CVE-2026-42311.patch
+CVE-2026-42310-fixup.patch
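Review bot: In CVE-2026-42310-fixup.patch the new `read_prev_trailer` signature `processed_offsets: list[int] = None` no longer matches its annotation, so a type checker that rejects implicit Optional will flag it; `processed_offsets: list[int] | None = None` states the contract. The `None` guard sits inside the `if b"Prev" in trailer_dict:` branch, which covers the only use visible here, but the function body continues past the end of the hunk, so any later use of the argument should be checked against that placement. The old `[]` default presumably kept the loop-detection list alive across calls, which would make later files in the same process fail with "trailer loop found". The patch adds no regression test; one that parses two files with `Prev` trailers in a single process and expects the second to load would pin the fix.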