Control: found -1 20221105+dfsg-1.1

On Thu, Nov 13, 2025 at 11:04:22PM +0100, Salvatore Bonaccorso wrote:
> Control: tags 1120642 + patch
> Control: tags 1120642 + pending
>
> X-Debbugs-CC: [email protected]
>
>
> Dear maintainer,
>
> I've prepared an NMU for pdfminer (versioned as 20221105+dfsg-1.1) and
> uploaded it to DELAYED/2. Please feel free to tell me if I
> should cancel it.
>
> I do realize the delay is chosen a bit too short, if possible though I
> would like to base the trixie- and bookworm-security upload based on
> this, given we have the same version across the suites.
>
> If I still should cancel it, let me know please.

Unfortunately the original fix was incomplete and it was still possible
to exploit CVE-2025-64512. The proper solution was upstream to replace
pickle with JSON for CMap storage. I'm not yet sure how we can backport
this to older versions, but let's reopen the bug to make the fix
correct.

Information: https://github.com/pdfminer/pdfminer.six/pull/1172
Fix: https://github.com/pdfminer/pdfminer.six/commit/41a247c2d66ea962823459403b828375ccc7bd33

Regards,
Salvatore
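An added illustration, not part of the message above and not code from pdfminer.six, of why storing mappings as JSON instead of pickle matters: unpickling can call objects named in the file, while JSON parsing yields only data. The mapping layout (decimal code keys to strings), the helper names and the sample blobs are assumptions constructed for this example and do not reflect pdfminer.six's actual CMap format.

```python
import json
import pickle
import pickletools

# Opcodes that make the unpickler import a name or call an object.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def pickle_code_opcodes(blob: bytes) -> set:
    """Walk the opcode stream without loading it; return the risky opcodes."""
    return {op.name for op, _arg, _pos in pickletools.genops(blob)} & CODE_OPCODES

def load_mapping_json(text: str) -> dict:
    """Parse a code -> text mapping from JSON, accepting plain data only."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("top level must be a JSON object")
    mapping = {}
    for key, value in data.items():
        if not key.isdigit() or not isinstance(value, str):
            raise ValueError(f"unexpected entry for key {key!r}")
        mapping[int(key)] = value
    return mapping

class CallsOnLoad:
    """Constructed, harmless stand-in: its pickle asks the loader to call len()."""
    def __reduce__(self):
        return (len, ("abc",))

MAPPING = {65: "A", 66: "B"}                       # constructed sample data
DATA_PICKLE = pickle.dumps(MAPPING)                # data only
CALL_PICKLE = pickle.dumps(CallsOnLoad())          # names a callable to run
DATA_JSON = json.dumps({str(k): v for k, v in MAPPING.items()})

def unpickle_demo():
    """Loading returns the callable's result (3), not a CallsOnLoad object."""
    return pickle.loads(CALL_PICKLE)

if __name__ == "__main__":
    print("data pickle:", sorted(pickle_code_opcodes(DATA_PICKLE)))
    print("call pickle:", sorted(pickle_code_opcodes(CALL_PICKLE)))
    print("pickle.loads ran len():", unpickle_demo())
    print("json mapping:", load_mapping_json(DATA_JSON))
```

The opcode scan is a triage aid for existing pickle files on disk, not a safety guarantee; the durable fix is the one the message names, a data-only format with validation on load.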

