[Git][security-tracker-team/security-tracker][master] Document required followup for CVE-2025-64512/pdfminer

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu Jan 1 23:11:19 GMT 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c684208e by Salvatore Bonaccorso at 2026-01-02T00:11:07+01:00
Document required followup for CVE-2025-64512/pdfminer

Consider it unfixed in unstable, keep the original DSA association with
incomplete fix for the DSA and DLA as they will require DSA-6062-2 and
DLA-4374-2 accordingly with the proper fix.

The proper fix switches from pickle to JSON for the CMap storage and
needs to be backported to the older versions.

For unstable it might be more appropriate to update to 20251230 with the
fix.

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -20218,9 +20218,12 @@ CVE-2025-64513 (Milvus is an open-source vector database built for generative AI
 	NOT-FOR-US: Milvus
 CVE-2025-64512 (Pdfminer.six is a community maintained fork of the original PDFMiner,  ...)
 	{DSA-6062-1 DLA-4374-1}
-	- pdfminer 20221105+dfsg-1.1 (bug #1120642)
+	- pdfminer <unfixed> (bug #1120642)
 	NOTE: https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp
 	NOTE: Fixed by: https://github.com/pdfminer/pdfminer.six/commit/b808ee05dd7f0c8ea8ec34bdf394d40e63501086 (20251107)
+	NOTE: Initial fix incomplete: https://github.com/pdfminer/pdfminer.six/pull/1172
+	NOTE: Proper fix by replacing pickle for SON for CMap storage.
+	NOTE: Fixed by: https://github.com/pdfminer/pdfminer.six/commit/41a247c2d66ea962823459403b828375ccc7bd33 (20251230)
 CVE-2025-64509 (Bugsink is a self-hosted error tracking tool. In versions prior to 2.0 ...)
 	NOT-FOR-US: Bugsink
 CVE-2025-64508 (Bugsink is a self-hosted error tracking tool. In versions prior to 2.0 ...)
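Review bot: The added NOTE line "Proper fix by replacing pickle for SON for CMap storage." looks like a typo for "JSON"; the commit message says the proper fix "switches from pickle to JSON for the CMap storage", so the note should read "replacing pickle with JSON for CMap storage" to match. The ordering is otherwise clear: the first "Fixed by" (20251107) is now annotated as incomplete via PR 1172 and the second "Fixed by" (20251230) is the one the <unfixed> marker is waiting on, which is consistent with keeping the DSA-6062-1/DLA-4374-1 association until the -2 follow-ups land.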


=====================================
data/dsa-needed.txt
=====================================
@@ -53,6 +53,9 @@ netty
 opennds/oldstable
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --
+pdfminer
+  Required followup for CVE-2025-64512 as original fix was incomplete.
+--
 php8.2/oldstable (jmm)
 --
 php-laravel-framework/oldstable
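Review bot: The commit message states that both DSA-6062-2 and DLA-4374-2 will be required, but only data/dsa-needed.txt gains an entry (the changed-files list shows no dla-needed.txt change); if the DLA side is tracked in a separate needed-list it should get a matching pdfminer entry so the LTS follow-up is not lost. Minor: the neighbouring entries carry a suite suffix and an assignee in parentheses ("opennds/oldstable", "php8.2/oldstable (jmm)"), whereas the new "pdfminer" entry has neither; adding the suite (and an owner once claimed) would keep the file consistent.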



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c684208eb36689950230176dd3b4dcfa4945ae6b


