Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected] Control: affects -1 + src:poppler Control: severity 1127146 important Control: block 1127146 by -1 User: [email protected] Usertags: pu
NOTE: I am not a maintainer for this package but have taken responsibility for fixing this problem with their permission: https://bugs.debian.org/1127146#19 My changes are staged at https://salsa.debian.org/freedesktop-team/poppler/-/merge_requests/21 and a maintainer will upload this subject to your approval. [ Reason ] Currently this bug only affects Poppler in Trixie: earlier releases as well as Forky are unaffected. Poppler is a PDF library that, among other features, facilitates the creation and verification of digital signatures on PDF documents using X.509 certificates. A command-line utility, pdfsig, makes this available to users. A couple graphical programs like KDE's Okular and GNOME's Papers also make this available to users. This is a feature of the PDF format as defined by international standards, and it's supposed to be interoperable with other conforming applications. Users may digitally sign contracts or other important documents, for example. Other folks using different PDF viewers can then validate the signatures using public key infrastructure to get "proof" that a document is authentic, or that some terms were witnessed or agreed to. These signatures can be validated at least as long as the signing certificate remains valid—usually for at least one year, and often longer. Signatures are also useful for important and widely-shared documents like official announcements. Code to generate specially-formatted date strings for PDF metadata was cleaned up, switching from C-style string handling to C++-style string handling in versions 24.03.0 and later. A mistake has been discovered in this [1] which causes the terminating null byte of the string, as well as space characters to the end of the buffer, to be considered "part of" the date string. This means that instead of a modification time like "/M (D:20260629153055-04'00')" being inserted into PDF object metadata, it instead looks like "/M (D:20260629153055-04'00'X )", where 'X' is a placeholder for an actual null byte in what's supposed to be a text field. This is wrong and can confuse other applications. Poppler is mainly a library for PDF *viewing* and seldom alters these files, so it only creates PDF objects (ones needing such dates to be generated) in a couple very specific circumstances, mainly adding PDF annotations or digital signatures. This, as well as Poppler's tolerance of such malformed strings, allowed the bug to hide for a little while. Practically the problems show as soon as one starts sharing documents signed with Poppler. Other applications, including the major proprietary ones, are seldom able to verify these signatures. Debian users using free software only can be blissfully unaware of this problem, which may only become evident when a signature needs to be verified by someone else for some important purpose. The upstream project does assert that distros have a responsibility to incorporate the fix for this issue [2]; user frustration has been actually observed when the problem is noticed well after the time that the document was originally signed. Timely communication of this issue has been difficult and their release practices don't align well with Debian's needs. Release cadence is fast and there are no long-term branches maintained. It's not perfect for us, but we'll make do—and serious but non-security issues like this seem to be rare, fortunately. [ Impact ] Without the fix, users may continue signing PDF documents blissfully unaware that they are, actually, invalid (as Poppler successfully validates its own mangled signatures). These documents may not be able to have their signatures validated when the time is necessary, or show errors in other widely-used viewer applications. [ Tests ] Despite my attempts, I've not been able to make a DEP-8 test for this particular issue, not using the tools in Trixie anyway. Except for LibreOffice (which is apparently tolerant of the botched signatures), there isn't any other straightforward and reliable tooling for checking PDF signatures. Therefore the tests for this issue have been manual: I've used tools like 'mutool', 'qpdf', and 'strings' to inspect the contents of signed documents with and without this patch and can see that the problem is solved. I tried a couple web services that allow uploading a document to check its signatures, and although one didn't object to the malformed document, another did, but the documents created with the patched Poppler are considered valid in any case. Poppler does have a procedure for regression testing but those tests are in a separate repository at https://gitlab.freedesktop.org/poppler/test and we do not perform this in Debian. I assume this is because the sources for many of those files are unavailable, and I don't think they intend for those tests to be run by typical downstream packagers. (Note to self: this might be a good use case for Salsa CI, as that will allow running tests not present in the Poppler source package.) Because I'm not the package maintainer and a change here would be invasive in any case, certainly for a stable release, this shall not impede this update in Trixie. [ Risks ] The risks seem to be low. The code change is trivial, has been in upstream releases for about a year, and also cherry-picked by other distros like Fedora [3] into their stable releases when necessary. The upstream bug has a very detailed analysis of how the problem was introduced and why it was able to go unnoticed for a period of time. No alternative means to fix the problem exist. [ Checklist ] ☑ *all* changes are documented in the d/changelog ☑ I reviewed all changes and I approve them (EXCEPT the maintainers of this package haven't reviewed the change yet at this writing) ☑ attach debdiff against the package in (old)stable ☑ the issue is verified as fixed in unstable [ Changes ] Full debdiff is attached, but the sole change is to incorporate an upstream patch [4] doing the following: --- a/poppler/DateInfo.cc +++ b/poppler/DateInfo.cc @@ -122,6 +122,7 @@ std::string timeToStringWithFormat(const time_t *timeA, const char *format) while (strftime(&buf[0], buf.size(), fmt.c_str(), &localtime_tm) == 0) { buf.resize(bufLen *= 2); } + buf.resize(buf.find('\0')); return buf; } By resizing the buffer to match the actual length of the intended string, the gunk in the rest of the buffer is truncated off. [1] https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1596#note_2921375 [2] https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1611#note_3319757 [3] https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1611#note_3113414 [4] https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1824.patch
diff -Nru poppler-25.03.0/debian/changelog poppler-25.03.0/debian/changelog --- poppler-25.03.0/debian/changelog 2026-06-06 05:07:43.000000000 -0400 +++ poppler-25.03.0/debian/changelog 2026-07-02 12:52:33.000000000 -0400 @@ -1,3 +1,13 @@ +poppler (25.03.0-5+deb13u4) trixie; urgency=medium + + * Team upload + * Fix creation of ill-formed PDF document signatures (Poppler issue #1596) + - fixes "Invalid signature time when signing a PDF" (Closes: #1127146) + Signatures made with previous versions of Poppler may not be recognized + by other applications as valid. + + -- John Scott <[email protected]> Thu, 02 Jul 2026 16:52:33 +0000 + poppler (25.03.0-5+deb13u3) trixie-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru poppler-25.03.0/debian/patches/malformed-moddate.patch poppler-25.03.0/debian/patches/malformed-moddate.patch --- poppler-25.03.0/debian/patches/malformed-moddate.patch 1969-12-31 19:00:00.000000000 -0500 +++ poppler-25.03.0/debian/patches/malformed-moddate.patch 2026-07-01 11:49:51.000000000 -0400 @@ -0,0 +1,28 @@ +Description: DateInfo: Fix timeToStringWithFormat buffer length + strftime places a NULL-terminated string in the buffer, so the std::string + buffer needs to be resized to not include the terminator character + (or anything after it). + . + Without this fix, modification dates in altered PDF documents (such as when + adding a digital signature) are not truncated properly, instead padding + the date with a null byte and extra spaces until the end of the buffer is + reached. This bad syntax compromises the ability to verify the signature + with other applications, but the Poppler signatory has no indication of this. +Origin: upstream, https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1824.patch +Applied-Upstream: 25.06.0, https://gitlab.freedesktop.org/poppler/poppler/-/commit/55169105e121d5fbb7c50e2c744d750de5d0a7de +Author: Erich E. Hoover <[email protected]> +Bug: https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1596 +Bug-Debian: https://bugs.debian.org/1127146 +Reviewed-By: John Scott <[email protected]> +Last-Update: 2026-07-01 + +--- poppler-25.03.0.orig/poppler/DateInfo.cc ++++ poppler-25.03.0/poppler/DateInfo.cc +@@ -122,6 +122,7 @@ std::string timeToStringWithFormat(const + while (strftime(&buf[0], buf.size(), fmt.c_str(), &localtime_tm) == 0) { + buf.resize(bufLen *= 2); + } ++ buf.resize(buf.find('\0')); + return buf; + } + diff -Nru poppler-25.03.0/debian/patches/series poppler-25.03.0/debian/patches/series --- poppler-25.03.0/debian/patches/series 2026-06-06 05:06:52.000000000 -0400 +++ poppler-25.03.0/debian/patches/series 2026-07-01 11:48:54.000000000 -0400 @@ -6,3 +6,4 @@ SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch Make-sure-regex-doesn-t-stack-overflow-by-limiting-i.patch Check-for-duplicate-entries.patch +malformed-moddate.patch
signature.asc
Description: This is a digitally signed message part

