Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:poppler
Control: severity 1127146 important
Control: block 1127146 by -1
User: [email protected]
Usertags: pu

NOTE: I am not a maintainer for this package but have taken responsibility for 
fixing this problem with their permission: https://bugs.debian.org/1127146#19
My changes are staged at 
https://salsa.debian.org/freedesktop-team/poppler/-/merge_requests/21 and a 
maintainer will upload this subject to your approval.

[ Reason ]
Currently this bug only affects Poppler in Trixie: earlier releases as well as 
Forky are unaffected.
Poppler is a PDF library that, among other features, facilitates the creation 
and verification of digital signatures on PDF documents using X.509 
certificates. A command-line utility, pdfsig, makes this available to users. A 
couple graphical programs like KDE's Okular and GNOME's Papers also make this 
available to users. This is a feature of the PDF format as defined by 
international standards, and it's supposed to be interoperable with other 
conforming applications. Users may digitally sign contracts or other important 
documents, for example. Other folks using different PDF viewers can then 
validate the signatures using public key infrastructure to get "proof" that a 
document is authentic, or that some terms were witnessed or agreed to. These 
signatures can be validated at least as long as the signing certificate remains 
valid—usually for at least one year, and often longer. Signatures are also 
useful for important and widely-shared documents like official announcements.

Code to generate specially-formatted date strings for PDF metadata was cleaned 
up, switching from C-style string handling to C++-style string handling in 
versions 24.03.0 and later. A mistake has been discovered in this [1] which 
causes the terminating null byte of the string, as well as space characters to 
the end of the buffer, to be considered "part of" the date string. This means 
that instead of a modification time like "/M (D:20260629153055-04'00')" being 
inserted into PDF object metadata, it instead looks like "/M 
(D:20260629153055-04'00'X                          )", where 'X' is a 
placeholder for an actual null byte in what's supposed to be a text field. This 
is wrong and can confuse other applications.
Poppler is mainly a library for PDF *viewing* and seldom alters these files, so 
it only creates PDF objects (ones needing such dates to be generated) in a 
couple very specific circumstances, mainly adding PDF annotations or digital 
signatures. This, as well as Poppler's tolerance of such malformed strings, 
allowed the bug to hide for a little while. Practically the problems show as 
soon as one starts sharing documents signed with Poppler. Other applications, 
including the major proprietary ones, are seldom able to verify these 
signatures. Debian users using free software only can be blissfully unaware of 
this problem, which may only become evident when a signature needs to be 
verified by someone else for some important purpose.

The upstream project does assert that distros have a responsibility to 
incorporate the fix for this issue [2]; user frustration has been actually 
observed when the problem is noticed well after the time that the document was 
originally signed. Timely communication of this issue has been difficult and 
their release practices don't align well with Debian's needs. Release cadence 
is fast and there are no long-term branches maintained. It's not perfect for 
us, but we'll make do—and serious but non-security issues like this seem to be 
rare, fortunately.

[ Impact ]
Without the fix, users may continue signing PDF documents blissfully unaware 
that they are, actually, invalid (as Poppler successfully validates its own 
mangled signatures). These documents may not be able to have their signatures 
validated when the time is necessary, or show errors in other widely-used 
viewer applications.

[ Tests ]
Despite my attempts, I've not been able to make a DEP-8 test for this 
particular issue, not using the tools in Trixie anyway. Except for LibreOffice 
(which is apparently tolerant of the botched signatures), there isn't any other 
straightforward and reliable tooling for checking PDF signatures. Therefore the 
tests for this issue have been manual: I've used tools like 'mutool', 'qpdf', 
and 'strings' to inspect the contents of signed documents with and without this 
patch and can see that the problem is solved. I tried a couple web services 
that allow uploading a document to check its signatures, and although one 
didn't object to the malformed document, another did, but the documents created 
with the patched Poppler are considered valid in any case.
Poppler does have a procedure for regression testing but those tests are in a 
separate repository at https://gitlab.freedesktop.org/poppler/test and we do 
not perform this in Debian. I assume this is because the sources for many of 
those files are unavailable, and I don't think they intend for those tests to 
be run by typical downstream packagers. (Note to self: this might be a good use 
case for Salsa CI, as that will allow running tests not present in the Poppler 
source package.) Because I'm not the package maintainer and a change here would 
be invasive in any case, certainly for a stable release, this shall not impede 
this update in Trixie.

[ Risks ]
The risks seem to be low. The code change is trivial, has been in upstream 
releases for about a year, and also cherry-picked by other distros like Fedora 
[3] into their stable releases when necessary. The upstream bug has a very 
detailed analysis of how the problem was introduced and why it was able to go 
unnoticed for a period of time. No alternative means to fix the problem exist.

[ Checklist ]
  ☑ *all* changes are documented in the d/changelog
  ☑ I reviewed all changes and I approve them (EXCEPT the maintainers of this 
package haven't reviewed the change yet at this writing)
  ☑ attach debdiff against the package in (old)stable
  ☑ the issue is verified as fixed in unstable

[ Changes ]
Full debdiff is attached, but the sole change is to incorporate an upstream 
patch [4] doing the following:
--- a/poppler/DateInfo.cc
+++ b/poppler/DateInfo.cc
@@ -122,6 +122,7 @@ std::string timeToStringWithFormat(const time_t *timeA, 
const char *format)
     while (strftime(&buf[0], buf.size(), fmt.c_str(), &localtime_tm) == 0) {
         buf.resize(bufLen *= 2);
     }
+    buf.resize(buf.find('\0'));
     return buf;
 }
By resizing the buffer to match the actual length of the intended string, the 
gunk in the rest of the buffer is truncated off.

[1] 
https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1596#note_2921375
[2] 
https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1611#note_3319757
[3] 
https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1611#note_3113414
[4] https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1824.patch
diff -Nru poppler-25.03.0/debian/changelog poppler-25.03.0/debian/changelog
--- poppler-25.03.0/debian/changelog	2026-06-06 05:07:43.000000000 -0400
+++ poppler-25.03.0/debian/changelog	2026-07-02 12:52:33.000000000 -0400
@@ -1,3 +1,13 @@
+poppler (25.03.0-5+deb13u4) trixie; urgency=medium
+
+  * Team upload
+  * Fix creation of ill-formed PDF document signatures (Poppler issue #1596)
+    - fixes "Invalid signature time when signing a PDF" (Closes: #1127146)
+    Signatures made with previous versions of Poppler may not be recognized
+    by other applications as valid.
+
+ -- John Scott <[email protected]>  Thu, 02 Jul 2026 16:52:33 +0000
+
 poppler (25.03.0-5+deb13u3) trixie-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru poppler-25.03.0/debian/patches/malformed-moddate.patch poppler-25.03.0/debian/patches/malformed-moddate.patch
--- poppler-25.03.0/debian/patches/malformed-moddate.patch	1969-12-31 19:00:00.000000000 -0500
+++ poppler-25.03.0/debian/patches/malformed-moddate.patch	2026-07-01 11:49:51.000000000 -0400
@@ -0,0 +1,28 @@
+Description: DateInfo: Fix timeToStringWithFormat buffer length
+ strftime places a NULL-terminated string in the buffer, so the std::string
+ buffer needs to be resized to not include the terminator character
+ (or anything after it).
+ .
+ Without this fix, modification dates in altered PDF documents (such as when
+ adding a digital signature) are not truncated properly, instead padding
+ the date with a null byte and extra spaces until the end of the buffer is
+ reached. This bad syntax compromises the ability to verify the signature
+ with other applications, but the Poppler signatory has no indication of this.
+Origin: upstream, https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1824.patch
+Applied-Upstream: 25.06.0, https://gitlab.freedesktop.org/poppler/poppler/-/commit/55169105e121d5fbb7c50e2c744d750de5d0a7de
+Author: Erich E. Hoover <[email protected]>
+Bug: https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1596
+Bug-Debian: https://bugs.debian.org/1127146
+Reviewed-By: John Scott <[email protected]>
+Last-Update: 2026-07-01
+
+--- poppler-25.03.0.orig/poppler/DateInfo.cc
++++ poppler-25.03.0/poppler/DateInfo.cc
+@@ -122,6 +122,7 @@ std::string timeToStringWithFormat(const
+     while (strftime(&buf[0], buf.size(), fmt.c_str(), &localtime_tm) == 0) {
+         buf.resize(bufLen *= 2);
+     }
++    buf.resize(buf.find('\0'));
+     return buf;
+ }
+ 
diff -Nru poppler-25.03.0/debian/patches/series poppler-25.03.0/debian/patches/series
--- poppler-25.03.0/debian/patches/series	2026-06-06 05:06:52.000000000 -0400
+++ poppler-25.03.0/debian/patches/series	2026-07-01 11:48:54.000000000 -0400
@@ -6,3 +6,4 @@
 SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch
 Make-sure-regex-doesn-t-stack-overflow-by-limiting-i.patch
 Check-for-duplicate-entries.patch
+malformed-moddate.patch

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to