Your message dated Sat, 09 Dec 2023 10:20:37 +0000 with message-id <83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.camel@adam-barratt.org.uk> and subject line Closing requests for updates included in 12.3 point release has caused the Debian Bug report #1054119, regarding bookworm-pu: package qpdf/11.3.0-1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1054119: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054119
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: data loss patch for qpdf targeted at stable (11.3.0)
- From: "Jay Berkenbilt" <ejb@ql.org>
- Date: Tue, 17 Oct 2023 07:32:06 -0400
- Message-id: <a0cb6bd5-95df-4a1e-85c4-6a9ce59a6e6e@app.fastmail.com>
Package: release.debian.org
X-Debbugs-CC: qjb@debian.org

The attached patch to qpdf 11.3.0 fixes a bug that could potentially result in loss of data. I'd like permission from the release team to upload this to stable.

I've been a Debian developer since 2005, but it's been years since I've last prepared a release to the stable distribution. As far as I can tell, the current procedure is to upload with the target distribution as "stable" and upload to ftp-master. This will direct the package to the proposed-updates queue. Is this correct?

The nature of the bug is that, if a quoted octal character with one or two digits instead of three digits appears in the file, the following character will be dropped from the string. This bug snuck in in a pull request I accepted that performed significant performance optimization on the tokenizer.

Because it only affects strings in metadata when qpdf is used in its default configuration, and because such quoted characters of this type don't appear very often, it's somewhat of a corner case, but I think the bug is critical to fix because there is a chance that it could silently damage files in ways that would be hard to detect.

Please let me know if I should proceed with an update to stable.

--Jay Berkenbilt (a.k.a. qjb@debian.org)

--- libqpdf/QPDFTokenizer.cc.orig 2023-10-17 07:19:31.829119946 -0400 +++ libqpdf/QPDFTokenizer.cc 2023-10-17 07:20:55.689510562 -0400 
@@ -739,17 +739,22 @@ void QPDFTokenizer::inCharCode(char ch) { + bool handled = false; if (('0' <= ch) && (ch <= '7')) { this->char_code = 8 * this->char_code + (int(ch) - int('0')); if (++(this->digit_count) < 3) { return; } - // We've accumulated \ddd. PDF Spec says to ignore - // high-order overflow. + handled = true; } + // We've accumulated \ddd or we have \d or \dd followed by other + // than an octal digit. The PDF Spec says to ignore high-order + // overflow. this->val += char(this->char_code % 256); this->state = st_in_string; - return; + if (!handled) { + inString(ch); + } } void
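Review bot: no test accompanies the change to inCharCode(), and since the failure it fixes is silent, the patch should carry tokenizer cases for a one-digit and a two-digit escape followed by a non-octal character, including cases where that character is `)` or `\`, because the new `inString(ch)` call is the only place that character now gets handled. Separately, `handled` is set only when `ch` was consumed as the third octal digit, so a name that says that would read more clearly than `handled`, and a short comment that `inString(ch)` must run after `this->state = st_in_string;` would make the ordering dependency explicit for the next person who optimizes this function.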
--- End Message ---
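The bug described in the report above, reduced to a stand-alone sketch (an added example, not qpdf's code and not part of the original message). `decode_pdf_string` and its `redispatch` flag are hypothetical names; the sketch handles only octal escapes, and its end-of-input flush is an assumption.

```cpp
#include <iostream>
#include <string>
// Added sketch, not qpdf code: decodes \d, \dd and \ddd escapes in a PDF string
// body. redispatch=false drops the character ending a short escape (the bug).
std::string decode_pdf_string(const std::string& in, bool redispatch)
{
    enum { in_string, after_backslash, in_char_code } state = in_string;
    std::string val;
    int char_code = 0, digit_count = 0;
    for (char ch : in) {
        for (bool again = true; again;) {
            again = false;
            switch (state) {
            case in_string:
                if (ch == '\\') state = after_backslash;
                else val += ch;
                break;
            case after_backslash:
                if (ch >= '0' && ch <= '7') {
                    char_code = ch - '0'; digit_count = 1;
                    state = in_char_code;
                } else {
                    val += ch; // non-octal escapes kept literally (sketch only)
                    state = in_string;
                }
                break;
            case in_char_code: {
                bool is_octal = (ch >= '0' && ch <= '7');
                if (is_octal) {
                    char_code = 8 * char_code + (ch - '0');
                    if (++digit_count < 3) break; // wait for more digits
                }
                val += char(char_code % 256); // high-order overflow ignored
                state = in_string;
                again = redispatch && !is_octal; // ch was not part of the escape
                break;
            }
            }
        }
    }
    if (state == in_char_code) val += char(char_code % 256); // assumed flush
    return val;
}

int main() { // constructed sample input: a\53b
    std::cout << decode_pdf_string("a\\53b", false) << " vs "
              << decode_pdf_string("a\\53b", true) << "\n";
}
```

A full three-digit escape decodes identically in both modes, which is why the defect only shows up on short escapes.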
--- Begin Message ---
- Subject: Closing requests for updates included in 12.3 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 09 Dec 2023 10:20:37 +0000
- Message-id: <83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---