UbuntuUpdates.org

Package "qpdf"

Name: qpdf

Description: tools for transforming and inspecting PDF files

Latest version: 11.5.0-1ubuntu1.1
Release: mantic (23.10)
Level: updates
Repository: universe
Homepage: https://qpdf.sourceforge.io

Other versions of "qpdf" in Mantic

Repository  Area      Version
base        main      11.5.0-1
base        universe  11.5.0-1
security    main      11.5.0-1ubuntu1.1
security    universe  11.5.0-1ubuntu1.1
updates     main      11.5.0-1ubuntu1.1

Changelog

Version: 11.5.0-1ubuntu1.1 2024-03-25 14:06:56 UTC

  qpdf (11.5.0-1ubuntu1.1) mantic-security; urgency=medium

  * SECURITY UPDATE: heap overflow via std::__shared_count()
    - debian/patches/CVE-2024-24246.patch: handle parse error stream data
      in libqpdf/QPDF_json.cc, qpdf/qpdf.testcov, qpdf/qtest/*.
    - CVE-2024-24246

 -- Marc Deslauriers <email address hidden> Wed, 20 Mar 2024 10:40:27 -0400

CVE-2024-24246 Heap Buffer Overflow vulnerability in qpdf 11.9.0 allows attackers to crash the application via the std::__shared_count() function at /bits/shared_pt

Version: 11.5.0-1ubuntu1 2023-11-16 23:09:11 UTC

  qpdf (11.5.0-1ubuntu1) mantic; urgency=medium

  * Fix data loss bug introduced in 11.0.0 and fixed in 11.6.3. The bug
    causes the qpdf tokenizer to discard the character after a one-digit
    or two-digit quoted octal string. Most writers don't create these, and
    they are rare outside of content streams. By default, qpdf doesn't
    parse content streams. The most common place for this to occur would
    be in a document's /ID string, but in the worst case, this bug could
    cause silent damage to some strings in a PDF file's metadata, such as
    bookmark names or form field values. (LP: #2039804)

 -- Jay Berkenbilt <email address hidden> Thu, 19 Oct 2023 07:20:25 -0400

2039804 Data loss: qpdf discards the character in a binary string following an octal quoted character with 1 or 2 digits
