File: 0003-Fix-arbitary-code-execution-when-loading-pickle-font.patch

package info
pdfminer 20221105+dfsg-1.1
  • area: main
  • in suites: forky, sid
  • size: 16,580 kB
  • sloc: python: 19,610; xml: 360; makefile: 69; sh: 27
file content (38 lines) | stat: -rw-r--r-- 1,584 bytes
From: Scott Tolley <michaeltolley21@hotmail.com>
Date: Fri, 7 Nov 2025 20:47:46 +0100
Subject: Fix: arbitrary code execution when loading pickle font files
Origin: https://github.com/pdfminer/pdfminer.six/commit/b808ee05dd7f0c8ea8ec34bdf394d40e63501086
Bug-Debian: https://bugs.debian.org/1120642
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-64512

Fixes https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp

Fixes https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-f83h-ghpp-7wcc
---
 pdfminer/cmapdb.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/pdfminer/cmapdb.py b/pdfminer/cmapdb.py
index 87d9870e024d..b3c7f2b018d4 100644
--- a/pdfminer/cmapdb.py
+++ b/pdfminer/cmapdb.py
@@ -240,8 +240,14 @@ class CMapDB:
         )
         for directory in cmap_paths:
             path = os.path.join(directory, filename)
-            if os.path.exists(path):
-                gzfile = gzip.open(path)
+            # Resolve paths to prevent directory traversal
+            resolved_path = os.path.realpath(path)
+            resolved_directory = os.path.realpath(directory)
+            # Check if resolved path is within the intended directory
+            if not resolved_path.startswith(resolved_directory + os.sep):
+                continue
+            if os.path.exists(resolved_path):
+                gzfile = gzip.open(resolved_path)
                 try:
                     return type(str(name), (), pickle.loads(gzfile.read()))
                 finally:
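Review bot: the `return type(str(name), (), pickle.loads(gzfile.read()))` context line is left unchanged, so the containment check added above it limits which file is read but not what is done with it: any file that resolves inside one of the `cmap_paths` directories is still unpickled, and unpickling runs code chosen by whoever wrote that file. The check is worth keeping, but the loader should move to a data-only format or a restricted unpickler that refuses globals, so that a writable directory in `cmap_paths` stops being equivalent to code execution. Two smaller points on the new lines: `resolved_path.startswith(resolved_directory + os.sep)` rejects every file when `directory` resolves to the filesystem root (the prefix becomes `//` on POSIX), which fails closed but silently; comparing `os.path.commonpath([resolved_path, resolved_directory]) == resolved_directory` avoids that special case. The diffstat shows only `pdfminer/cmapdb.py` changed, so a regression test that passes a filename containing `../` would be a useful addition.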
-- 
2.51.0