
Bug#1011333: /usr/bin/pdftosrc: CVE-2021-27548 - null-pointer dereference in XFAScanner::scanNode used by pdftosrc



On 20.05.2022 at 11:16, Neil Williams wrote:

Hello Neil,

texlive-binaries in unstable, experimental and bookworm embeds
xpdfreader 4.03 and the code is exposed via the pdftosrc binary.

The PoC file from the CVE triggers a segmentation fault in pdftosrc.
pdftosrc from bullseye (correctly) reports a broken PDF without
crashing as texlive-binaries in bullseye embeds xpdfreader 4.02.

I could simply copy the appropriate commit from upstream [1] and put it into our package. The package still builds and it seems to solve the issue (see below). I'd do another upload to experimental and upload TL 2022 (containing the fix) to unstable in about 2 weeks.

Would the time frame be OK for you?

Hilmar

hille@sid-amd64:~/devel/TeXLive$ ./pdftosrc file.pdf
pdftosrc version 4.04

libxpdf: Syntax Error (92917): Command token too long

libxpdf: Syntax Error (93045): Command token too long

libxpdf: Syntax Error (93173): Command token too long

libxpdf: Syntax Error: Couldn't read xref table

libxpdf: Syntax Warning: PDF file is damaged - attempting to reconstruct xref table...
No SourceObject found

[1] https://github.com/TeX-Live/texlive-source/commit/b20034c3cf23f813a70cb60de8e1761a443f5fbf.patch
--
sigfault
