On Tue, Oct 17, 2023, at 12:15 PM, Adam D. Barratt wrote:
> # bcc control@bugs.d.o
> user release.debian....@packages.debian.org
> usertags 1054119 pu
> tags 1054119 bookworm moreinfo
> retitle 1054119 bookworm-pu: package qpdf/11.3.0-1
> thanks

Thanks for fixing the tags. I'll reply to this instead of starting over.

> On Tue, 2023-10-17 at 07:32 -0400, Jay Berkenbilt wrote:
> > The attached patch to qpdf 11.3.0 fixes a bug that could potentially
> > result in loss of data. I'd like permission from the release team to
> > . . .
> >
>
> Close, but a few rough edges. :-)
>

Ah, thanks for helping me get past my brain rot. When I used to maintain
several packages, including tiff and icu, which had lots of security
updates, I was much more familiar with this. It's funny how we can forget
something so thoroughly that we can forget we knew it at one time. The doc
reference was perfect and jogged my memory.

> As noted in the dev-ref section, please use "reportbug
> release.debian.org" for p-u requests, or set equivalent metadata. That
> helps ensure that the request ends up in the correct section of our BTS
> web view, where uncategorised bugs may get overlooked for some time.
> I've fixed up the relevant bits for this request (see the start of my
> reply).

Thanks for fixing it up. Rather than starting over, I am replying with the
information from reportbug. I'll let you remove the moreinfo tag assuming I
have provided enough information.

----------

[ Reason ]

Between qpdf 10.6.3 and 11.0.0, a contributor did substantial refactoring
and performance optimizations on qpdf, ultimately achieving better than a
2x performance boost. In spite of careful testing and review, a bug to the
lexical layer of qpdf snuck in. From the changelog:

Fix data loss bug introduced in 11.0.0 and fixed in 11.6.3. The bug causes
the qpdf tokenizer to discard the character after a one-digit or two-digit
quoted octal string. Most writers don't create these, and they are rare
outside of content streams. By default, qpdf doesn't parse content streams.
The most common place for this to occur would be in a document's /ID
string, but in the worst case, this bug could cause silent damage to some
strings in a PDF file's metadata, such as bookmark names or form field
values.

The fix is in upstream version 11.6.3 which has been uploaded to unstable
and has migrated to testing. Given that this bug can cause potential data
loss, updating stable is warranted. The version in oldstable is not
affected by this bug.

[ Impact ]

In rare cases, qpdf may silently corrupt data in the user's PDF file.

[ Tests ]

The commit that includes the fix:

https://github.com/qpdf/qpdf/commit/1ecc6bb29e24a4f89470ff91b2682b46e0576ad4

includes a number of new automated tests to specifically exercise this bug.
(I have not included the additional automated tests in the patch.)
Additionally, the user who reported the original upstream bug:

https://github.com/qpdf/qpdf/issues/1050

has confirmed that the issue is fixed. I also verified with the user's
file.

[ Risks ]

This is a very low-risk patch. The fix is small and targeted. qpdf has a
rigorous test suite and a very good track record for stability. A bug of
this sort is a very rare event.

[ Checklist ]

[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]

The character following the short octal quoted character was used to cause
a state transition in the tokenizer but not reprocessed in the new state.
The bug fixes this. Prior to refactoring, the code did not suffer from this
logic error because a different mechanism was used to re-process a
character used in a state transition.

[ Other info ]

Note: I am the upstream author of qpdf as well as the debian maintainer of
the package. The user who submitted the pull request that contained this
bug is a reliable and steady contributor to qpdf who has made great
improvements to the code base. Heavy refactoring carries risks. qpdf
processes millions of pages a day in commercial and open source
applications. It is very important to get this fix out to avoid silent and
hard-to-detect damage to PDF files.

qpdf_11.30.0-1--11.30.0-1+deb12u1.debdiff
Description: Binary data
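
The logic error described under [ Changes ], shown as an added example that is not part of the original message and is not qpdf's code. It is a simplified model of a PDF literal-string decoder; the function name decode_literal, the reprocess_terminator flag and the sample string are assumptions made for illustration.

```cpp
#include <iostream>
#include <string>

// Decodes the body of a PDF literal string (the bytes between '(' and ')').
// Only \ddd octal escapes (1 to 3 digits) are modelled; this is a teaching
// model, not qpdf's tokenizer.
// reprocess_terminator == false models the defect: the character that ends a
// one- or two-digit escape causes the state change and is then discarded.
std::string decode_literal(const std::string& body, bool reprocess_terminator)
{
    enum State { st_text, st_backslash, st_octal };
    State state = st_text;
    std::string out;
    int value = 0, digits = 0;
    for (size_t i = 0; i < body.size(); ++i) {
        const char ch = body[i];
        const bool is_octal = (ch >= '0' && ch <= '7');
        switch (state) {
        case st_text:
            if (ch == '\\') state = st_backslash;
            else out += ch;
            break;
        case st_backslash:
            if (is_octal) { value = ch - '0'; digits = 1; state = st_octal; }
            else { out += ch; state = st_text; }  // other escapes out of scope
            break;
        case st_octal:
            if (is_octal) {
                value = value * 8 + (ch - '0');
                // A full three-digit escape ends itself: nothing to reprocess.
                if (++digits == 3) { out += char(value & 0xff); state = st_text; }
            } else {
                // Short escape: ch only tells us the escape has ended.
                out += char(value & 0xff);
                state = st_text;
                if (reprocess_terminator) --i;  // hand ch to the new state
            }
            break;
        }
    }
    if (state == st_octal) out += char(value & 0xff);  // escape at end of input
    return out;
}

int main()
{
    const std::string body = "\\1a\\12b\\101c";  // constructed sample input
    std::cout << decode_literal(body, false).size() << " bytes with the defect, "
              << decode_literal(body, true).size() << " bytes when reprocessing\n";
}
```

Three-digit escapes decode identically in both modes, which matches the changelog's statement that only one-digit and two-digit escapes are affected.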