Debian alert DLA-4374-2 (pdfminer)
| From: | Chris Lamb <lamby@debian.org> |
| To: | debian-lts-announce@lists.debian.org |
| Subject: | [SECURITY] [DLA 4374-2] pdfminer security update |
| Date: | Thu, 08 Jan 2026 12:07:06 -0800 |
| Message-ID: | <176789921200.2886415.1083284598490858884@bigcat> |
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4374-2                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Chris Lamb
January 08, 2026                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : pdfminer
Version        : 20200726-1+deb11u2
CVE ID         : CVE-2025-64512
Debian Bug     : 1120642

It was previously discovered that pdfminer, a tool for extracting
information from PDF documents, was affected by a potential arbitrary
code execution vulnerability: a malicious, zipped pickle file could
contain code that would be executed when the PDF was processed.

Although a fix for this was released in pdfminer version
20200726-1+deb11u2 (via DLA-4374-1), upstream subsequently determined
that this mitigation was insufficient, and a more comprehensive
mitigation that replaces the pickle-based mechanism entirely was
applied instead.

For Debian 11 bullseye, this updated fix has been released in version
20200726-1+deb11u2.

We recommend that you upgrade your pdfminer packages.
For the detailed security status of pdfminer please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/pdfminer

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
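The kind of replacement the advisory describes, moving a gzip-compressed pickle resource to a data-only format, as an added Python example (not pdfminer's own code): a runtime loader that accepts only gzip+JSON and never calls pickle, plus a deny-all-globals unpickler used solely for a one-off offline conversion of trusted, shipped legacy files. The function names, the sample table and the three blobs are constructed assumptions, not pdfminer files.

```python
import gzip
import io
import json
import pickle

class UnsafeResourceError(ValueError):
    """A compressed resource is not in the accepted, code-free format."""

class _NoGlobalsUnpickler(pickle.Unpickler):
    """Refuses every GLOBAL reference, so plain containers load but no callable
    can be resolved. Used only to migrate trusted shipped files offline."""

    def find_class(self, module, name):
        raise UnsafeResourceError(f"global reference refused: {module}.{name}")

def encode_resource(table: dict) -> bytes:
    """New on-disk layout: gzip-compressed JSON, which has no code-execution path."""
    return gzip.compress(json.dumps(table, sort_keys=True).encode("utf-8"))

def load_resource(blob: bytes) -> dict:
    """Runtime loader: accepts gzip-compressed JSON objects only; pickle never runs."""
    try:
        table = json.loads(gzip.decompress(blob).decode("utf-8"))
    except (OSError, EOFError, UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise UnsafeResourceError("resource is not gzip-compressed JSON") from exc
    if not isinstance(table, dict):
        raise UnsafeResourceError("top-level object must be a mapping")
    return table

def convert_legacy_pickle(blob: bytes) -> bytes:
    """One-off migration of a trusted gzip+pickle file to the new layout."""
    table = _NoGlobalsUnpickler(io.BytesIO(gzip.decompress(blob))).load()
    if not isinstance(table, dict):
        raise UnsafeResourceError("legacy resource is not a mapping")
    return encode_resource(table)

def audit_resource(blob: bytes) -> str:
    """'ok' if the runtime loader accepts blob, otherwise the refusal reason."""
    try:
        load_resource(blob)
    except UnsafeResourceError as exc:
        return str(exc)
    return "ok"

SAMPLE_TABLE = {"cid2code": {"1": 65, "2": 66}}  # constructed sample, not a pdfminer file
LEGACY_BLOB = gzip.compress(pickle.dumps(SAMPLE_TABLE))  # old gzip+pickle layout
NEW_BLOB = encode_resource(SAMPLE_TABLE)                  # replacement layout
# An exception instance pickles with a GLOBAL reference to its class: refused.
GLOBAL_BLOB = gzip.compress(pickle.dumps(UnsafeResourceError("x")))
```

Running `audit_resource` over a package's resource directory reports any file still in the legacy layout, which is the check to run after applying an update of this kind.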
