Version in base suite: 25.03.0-5+deb13u2 Version in overlay suite: 25.03.0-5+deb13u3 Base version: poppler_25.03.0-5+deb13u3 Target version: poppler_25.03.0-5+deb13u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/poppler/poppler_25.03.0-5+deb13u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/poppler/poppler_25.03.0-5+deb13u4.dsc changelog | 10 ++++++++++ patches/malformed-moddate.patch | 28 ++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 39 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp2e874rn5/poppler_25.03.0-5+deb13u3.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp2e874rn5/poppler_25.03.0-5+deb13u4.dsc: no acceptable signature found diff -Nru poppler-25.03.0/debian/changelog poppler-25.03.0/debian/changelog --- poppler-25.03.0/debian/changelog 2026-06-06 09:07:43.000000000 +0000 +++ poppler-25.03.0/debian/changelog 2026-07-02 16:52:33.000000000 +0000 @@ -1,3 +1,13 @@ +poppler (25.03.0-5+deb13u4) trixie; urgency=medium + + * Team upload + * Fix creation of ill-formed PDF document signatures (Poppler issue #1596) + - fixes "Invalid signature time when signing a PDF" (Closes: #1127146) + Signatures made with previous versions of Poppler may not be recognized + by other applications as valid. + + -- John Scott Thu, 02 Jul 2026 16:52:33 +0000 + poppler (25.03.0-5+deb13u3) trixie-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru poppler-25.03.0/debian/patches/malformed-moddate.patch poppler-25.03.0/debian/patches/malformed-moddate.patch --- poppler-25.03.0/debian/patches/malformed-moddate.patch 1970-01-01 00:00:00.000000000 +0000 +++ poppler-25.03.0/debian/patches/malformed-moddate.patch 2026-07-02 16:52:33.000000000 +0000 
@@ -0,0 +1,28 @@ +Description: DateInfo: Fix timeToStringWithFormat buffer length + strftime places a NULL-terminated string in the buffer, so the std::string + buffer needs to be resized to not include the terminator character + (or anything after it). + . + Without this fix, modification dates in altered PDF documents (such as when + adding a digital signature) are not truncated properly, instead padding + the date with a null byte and extra spaces until the end of the buffer is + reached. This bad syntax compromises the ability to verify the signature + with other applications, but the Poppler signatory has no indication of this. +Origin: upstream, https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1824.patch +Applied-Upstream: 25.06.0, https://gitlab.freedesktop.org/poppler/poppler/-/commit/55169105e121d5fbb7c50e2c744d750de5d0a7de +Author: Erich E. Hoover +Bug: https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1596 +Bug-Debian: https://bugs.debian.org/1127146 +Reviewed-By: John Scott +Last-Update: 2026-07-01 + +--- poppler-25.03.0.orig/poppler/DateInfo.cc ++++ poppler-25.03.0/poppler/DateInfo.cc +@@ -122,6 +122,7 @@ std::string timeToStringWithFormat(const + while (strftime(&buf[0], buf.size(), fmt.c_str(), &localtime_tm) == 0) { + buf.resize(bufLen *= 2); + } ++ buf.resize(buf.find('\0')); + return buf; + } + diff -Nru poppler-25.03.0/debian/patches/series poppler-25.03.0/debian/patches/series --- poppler-25.03.0/debian/patches/series 2026-06-06 09:06:52.000000000 +0000 +++ poppler-25.03.0/debian/patches/series 2026-07-02 16:52:33.000000000 +0000 @@ -6,3 +6,4 @@ SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch Make-sure-regex-doesn-t-stack-overflow-by-limiting-i.patch Check-for-duplicate-entries.patch +malformed-moddate.patch
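Review bot: In the debian/changelog hunk, the caveat "Signatures made with previous versions of Poppler may not be recognized by other applications as valid" stops short of telling the user what to do about such documents. The code change only affects how the date string is produced when a document is written, so documents that were already signed keep the padded date. Suggest saying explicitly that affected documents have to be signed again after the upgrade. The entry could also name the added patch, malformed-moddate.patch, so the changelog line can be matched to the new series entry.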
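Review bot: In the DateInfo.cc hunk inside malformed-moddate.patch, the added `buf.resize(buf.find('\0'));` rescans the buffer for the terminator although strftime has already reported the length: its return value, which the loop only compares against 0, is the number of bytes written excluding the terminator. Keeping that value from the last loop iteration and resizing to it avoids the second pass and removes the dependence on `find` succeeding (a `std::string::npos` result passed to `resize` would throw `std::length_error`). Separately, the unchanged `while (strftime(...) == 0)` loop treats every 0 return as "buffer too small", so a format that expands to an empty string would keep doubling the buffer; a comment or a guard would be worth adding if `fmt` can come from callers that do not control it. The patch description also says "NULL-terminated" where "NUL-terminated" is meant.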