Your message dated Sat, 13 Jun 2026 14:36:10 +0000
with message-id <[email protected]>
and subject line Bug#1139004: fixed in okular 4:26.04.2-1
has caused the Debian Bug report #1139004,
regarding okular: heap out-of-bounds write in fax backend on zero-length input
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1139004: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139004
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: okular
Version: 4:26.04.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi

From https://kde.org/info/security/advisory-20260511-1.txt:

KDE Project Security Advisory
=============================

Title:          Okular: heap out-of-bounds write in fax backend on zero-length input
Risk Rating:    High
CVE:            PENDING
Versions:       Okular <= 26.04.0
Author:         George Karagiannidis
Date:           11 May 2026

Overview
========

Okular is a universal document viewer. The fax backend in
generators/fax/faxdocument.cpp does not validate zero-length input before
writing two sentinel values into a freshly allocated heap buffer, resulting
in a heap out-of-bounds write before the start of the allocation.

Impact
======

Opening a crafted fax file triggers a heap out-of-bounds write in the
fax parser. This may lead to memory corruption depending on allocator
behavior and heap layout.

Workaround
==========

Do not open untrusted .g3 or .g4 fax files in vulnerable Okular builds.

Solution
========

Update Okular >= 26.04.1 or apply
https://commits.kde.org/okular/466786c354d890e39a3871f80ed686958d2513a2

Credits
=======

Thanks to George Karagiannidis from TwelveSec for reporting this issue.

Regards,
Salvatore

--- End Message ---
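
Added illustration of the bug class described in the advisory above; it is not code from Okular or from the referenced KDE commit. It assumes a loader that rounds the input length up to whole 32-bit words and zeroes the last two words as decoder terminators; `padded_words`, `first_sentinel_index`, `load_strip` and `kMaxStrip` are hypothetical names. Under that assumption a zero-length input yields a one-word buffer, so the first sentinel lands one word in front of the allocation, and the checked loader refuses such input before any store.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

constexpr std::size_t kMaxStrip = 64u << 20;   // hypothetical upper bound on input size

// Words allocated for `len` input bytes under the assumed rounding rule:
// round up to a 32-bit boundary and leave at least one spare word.
std::size_t padded_words(std::size_t len)
{
    return ((len + 7) & ~static_cast<std::size_t>(3)) / 4;
}

// Word index of the first of the two sentinels. Kept signed so that an index
// below zero stays visible instead of wrapping; nothing is written here.
std::ptrdiff_t first_sentinel_index(std::size_t len)
{
    return static_cast<std::ptrdiff_t>(padded_words(len)) - 2;
}

// Checked loader: rejects any input whose padded buffer cannot hold both
// sentinels, so no store is issued in front of the allocation.
bool load_strip(const unsigned char *src, std::size_t len,
                std::vector<std::uint32_t> &out)
{
    const std::size_t words = padded_words(len);
    if (src == nullptr || len > kMaxStrip || words < 2) {   // words < 2 only when len == 0
        out.clear();
        return false;
    }
    out.assign(words, 0xFFFFFFFFu);      // poison so the zeroed sentinels are observable
    out[words - 2] = 0;                  // sentinels first, as in the assumed loader
    out[words - 1] = 0;
    std::memcpy(out.data(), src, len);   // fits: words * 4 - len >= 4
    return true;
}
```

With the rounding rule assumed here, zero is the only length for which the first sentinel index is negative, so the length check is the whole fix for this particular pattern.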
--- Begin Message ---
Source: okular
Source-Version: 4:26.04.2-1
Done: Aurélien COUDERC <[email protected]>

We believe that the bug you reported is fixed in the latest version of
okular, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurélien COUDERC <[email protected]> (supplier of updated okular package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 10 Jun 2026 13:42:28 +0200
Source: okular
Architecture: source
Version: 4:26.04.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <[email protected]>
Changed-By: Aurélien COUDERC <[email protected]>
Closes: 1139004 1139005 1139007 1139008 1139009
Changes:
 okular (4:26.04.2-1) unstable; urgency=medium
 .
   [ Aurélien COUDERC ]
   * New upstream release (26.04.2). (Closes: #1139004, #1139005, #1139007,
     #1139008, #1139009)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---
