
Bug#1054119: marked as done (bookworm-pu: package qpdf/11.3.0-1)



Your message dated Sat, 09 Dec 2023 10:20:37 +0000
with message-id <83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1054119,
regarding bookworm-pu: package qpdf/11.3.0-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1054119: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054119
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
X-Debbugs-CC: qjb@debian.org

The attached patch to qpdf 11.3.0 fixes a bug that could potentially
result in loss of data. I'd like permission from the release team to
upload this to stable. I've been a debian developer since 2005, but
it's been years since I've last prepared a release to the stable
distribution. As far as I can tell, the current procedure is to upload
with the target distribution as "stable" and upload to ftp-master.
This will direct the package to the proposed-updates queue. Is this
correct?

The nature of the bug is that, if a quoted octal character with one or
two digits instead of three digits appears in the file, the following
character will be dropped from the string. This bug snuck in in a pull
request I accepted that performed significant performance optimization
on the tokenizer. Because it only affects strings in metadata when
qpdf is used in its default configuration, and because such quoted
characters of this type don't appear very often, it's somewhat of a
corner case, but I think the bug is critical to fix because there is a
chance that it could silently damage files in ways that would be hard
to detect.

Please let me know if I should proceed with an update to stable.

--Jay Berkenbilt (a.k.a. qjb@debian.org)
--- libqpdf/QPDFTokenizer.cc.orig	2023-10-17 07:19:31.829119946 -0400
+++ libqpdf/QPDFTokenizer.cc	2023-10-17 07:20:55.689510562 -0400
@@ -739,17 +739,22 @@
 void
 QPDFTokenizer::inCharCode(char ch)
 {
+    bool handled = false;
     if (('0' <= ch) && (ch <= '7')) {
         this->char_code = 8 * this->char_code + (int(ch) - int('0'));
         if (++(this->digit_count) < 3) {
             return;
         }
-        // We've accumulated \ddd.  PDF Spec says to ignore
-        // high-order overflow.
+        handled = true;
     }
+    // We've accumulated \ddd or we have \d or \dd followed by other
+    // than an octal digit. The PDF Spec says to ignore high-order
+    // overflow.
     this->val += char(this->char_code % 256);
     this->state = st_in_string;
-    return;
+    if (!handled) {
+        inString(ch);
+    }
 }
 
 void
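
Review bot: At the new tail of inCharCode(), `if (!handled) { inString(ch); }` only gives the right result because the append to `this->val` and `this->state = st_in_string;` both run before the call, so the re-dispatched character lands after the decoded byte; a one-line comment at that call stating the ordering requirement would protect it from a later refactor. The flag name `handled` would read better as something like `consumed_digit`, since it records whether `ch` was used as the third octal digit. The patch as posted changes only libqpdf/QPDFTokenizer.cc, so please add a regression test covering `\d` and `\dd` followed by a non-octal character, including a following backslash.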

--- End Message ---
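
The failure mode described in the report above, as an added example that is not part of the original message or of qpdf: a small decoder for PDF literal-string escapes with a switch between dropping and reprocessing the character that ends a short octal escape. `decode_literal` and `redispatch` are hypothetical names, and the sample input is constructed.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Added example, not qpdf code: decode the body of a PDF literal string.
// redispatch=false models the reported behaviour (the character ending a
// one- or two-digit octal escape is dropped); true reprocesses it.
std::string decode_literal(const std::string& body, bool redispatch)
{
    enum { in_string, in_escape, in_char_code } state = in_string;
    std::string val;
    int char_code = 0;
    int digit_count = 0;
    for (std::size_t i = 0; i < body.size(); ++i) {
        char ch = body[i];
        if (state == in_string) {
            if (ch == '\\') state = in_escape;
            else val += ch;
        } else if (state == in_escape) {
            if ('0' <= ch && ch <= '7') {
                char_code = ch - '0';
                digit_count = 1;
                state = in_char_code;
            } else {
                val += (ch == 'n') ? '\n' : ch; // other escapes kept literal
                state = in_string;
            }
        } else { // in_char_code
            bool is_octal = ('0' <= ch && ch <= '7');
            if (is_octal) {
                char_code = 8 * char_code + (ch - '0');
                if (++digit_count < 3) continue;
            }
            val += char(char_code % 256); // high-order overflow ignored
            state = in_string;
            if (!is_octal && redispatch) --i; // process ch again as string content
        }
    }
    if (state == in_char_code) val += char(char_code % 256); // escape at end of body
    return val;
}

int main()
{
    // Constructed input: \1 is a one-digit escape followed by 'b'.
    std::cout << decode_literal("a\\1b", false).size() << " bytes without redispatch, "
              << decode_literal("a\\1b", true).size() << " with\n";
}
```

Three-digit escapes decode identically in both modes, which is why the loss only shows up on inputs that use the short forms.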
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam

--- End Message ---