SRU request: qpdf: data loss bug affecting versions 11.0.0 through 11.6.2

Bug #2039804 reported by Jay Berkenbilt
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fix Released
qpdf (Ubuntu)
Status tracked in Mantic

Bug Description


* I am the upstream author and debian maintainer for qpdf.
* This bug has been fixed in debian unstable and testing with version 11.6.3, but because 24.04 is not yet open, it has not synced. This should not block fixing 23.04 and 22.04. I have uploaded 11.6.3 to my ppa:
* I am attaching debdiffs for lunar and mantic

Upstream bug revealed a bug in qpdf's lexical layer that would cause qpdf to discard the character in a binary string following an octal quoted character with 1 or 2 digits. The PDF spec allows octal digits to be \d, \dd, or \ddd, and allows the first two forms if the next character is other than an octal digit. Most PDF writers never use the \d or \dd forms, but some do. With default options, qpdf does not parse or alter strings inside content streams, so this bug is not likely to affect page content. However, binary strings of this sort are common in the document /ID and may also appear in metadata for encrypted files. In some cases, such as the file in #1050, this bug can cause error, in this case, because the discarded character was the string end delimiter. In most case, this bug results in silent data loss. The fix is very small and locally contained. The upstream fix includes several new test cases, but the patch I will include to fix the issue only includes the relevant code change.

I also reported this as a debian bug:

It was approved as a stable update by debian:

[ Impact ]

The bug could result in silent corruption of binary strings in PDF metadata. It could also result in failure of qpdf to process a valid file. Data loss justifies a stable update.

[ Test Plan ]

The test file in can be used to prove that the bug exists in versions >= 11.0.0 and <= 11.6.2 and that the bug is fixed in 11.6.3.

The upstream fix includes several additional automated test cases. These are not included in the patch, but they are included in the upstream commit that fixes the bug:

[ Where problems could occur ]

This fix has a very low risk of causing a regression. The fix is very localized to qpdf's lexical layer and is in a code path that only occurs when a 1-digit or 2-digit octal quoted character is terminated by other than an octal digit. This is the first bug in qpdf's lexical layer in many years. It was introduced by a pull request from a reliable and consistent contributor who has made may improvements to qpdf's performance. The fix follows the established pattern of how to handle instances in which a character triggers a state change and has to be reprocessed in the new state.

qpdf has a rigorous test suite and an extremely good quality record. It processes millions of documents daily by many commercial entities. My current employer runs millions of pages a day through qpdf.

[ Other Info ]

See also

Upstream bug report:
Corresponding debian bug report:
Debian stable release approval:

Revision history for this message
Jay Berkenbilt (ejb) wrote :
Revision history for this message
Jay Berkenbilt (ejb) wrote :
Revision history for this message
Jay Berkenbilt (ejb) wrote :

I've gone as far as I think I can, but I can do additional steps if needed. I have not tagged this or uploaded anything anywhere. Please let me know if I can/should take any additional steps to get this approved and processed as an SRU.

summary: - qpdf: data loss bug affecting versions 11.0.0 through 11.6.2
+ SRU request: qpdf: data loss bug affecting versions 11.0.0 through
+ 11.6.2
Changed in qpdf (Ubuntu Lunar):
importance: Undecided → High
Changed in qpdf (Ubuntu Mantic):
importance: Undecided → High
Revision history for this message
Till Kamppeter (till-kamppeter) wrote :

Thank you very much, Jay, for writing up this SRU bug report and providing the debdiffs with the fix. This is the usual way how you contribute if you do not have upload rights to the Ubuntu archives. You post debdiffs in a bug report and a person with appropriate rights (the so-called "sponsor") applies the debdiff and uploads the resulting package.

I have uploaded the appropriate packages right now and subscribed the SRU team (ubuntu-sru group) to this report. Now the SRU Team will check the uploaded packages and put them into the -proposed repositories of the distro versions affected. Then they call for testing by a comment here. Once somebody tests the packages and finds that the bug is actually fixed, and nobody reports a regression, the fixed packages get released into the affected distros.

no longer affects: qpdf
Changed in qpdf:
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.