debian/0000755000000000000000000000000013272134511007165 5ustar
debian/libqpdf-dev.install0000644000000000000000000000016413264732354012765 0ustar
debian/tmp/usr/lib/*/lib*.so
debian/tmp/usr/lib/*/lib*.a
debian/tmp/usr/lib/*/pkgconfig/*.pc
debian/tmp/usr/include
debian/rules0000755000000000000000000000135213272124626010254 0ustar
#!/usr/bin/make -f
# -*- makefile -*-

# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1

export DEB_BUILD_MAINT_OPTIONS = hardening=+all
export DEB_MAKE_CHECK_TARGET = check

%:
	dh $@

override_dh_compress:
	dh_compress --exclude=qpdf-manual --exclude=.css --exclude examples/

override_dh_auto_clean:
	make distclean CLEAN=1

override_dh_auto_configure:
	dh_auto_configure -- \
		--libdir="\$${prefix}/lib/$(DEB_HOST_MULTIARCH)" \
		--enable-show-failed-test-output

override_dh_install:
	dh_install
	mkdir -p debian/libqpdf-dev/usr/share/doc/libqpdf-dev/examples
	cp -p examples/*.cc examples/*.c \
		debian/libqpdf-dev/usr/share/doc/libqpdf-dev/examples
	cp -p README.md debian/libqpdf-dev/usr/share/doc/libqpdf-dev/README.md
debian/libqpdf21.shlibs0000644000000000000000000000003713264732354012171 0ustar
libqpdf 21 libqpdf21 (>> 8.0~)
debian/control0000644000000000000000000000771113272124620010576 0ustar
Source: qpdf
Section: libs
Priority: optional
Build-Depends: debhelper (>> 9~), libjpeg-dev, zlib1g-dev
Maintainer: Jay Berkenbilt
Standards-Version: 4.1.3
Homepage: http://qpdf.sourceforge.net

Package: libqpdf21
Section: libs
Architecture: any
Multi-Arch: same
Pre-Depends: ${misc:Pre-Depends}
Depends: ${misc:Depends}, ${shlibs:Depends}
Recommends: qpdf
Description: runtime library for PDF transformation/inspection software
 QPDF is a program that can be used to linearize (web-optimize), encrypt (password-protect), decrypt, and inspect PDF files from the command-line. It does these and other structural, content-preserving transformations on PDF files, reading a PDF file as input and creating a new one as output.
It also provides many useful capabilities to developers of PDF-producing software or for people who just want to look at the innards of a PDF file to learn more about how they work. . QPDF understands PDF files that use compressed object streams (supported by newer PDF applications) and can convert such files into those that can be read with older viewers. It can also be used for checking PDF files for structural errors, inspecting stream contents, or extracting objects from PDF files. QPDF is not PDF content creation or viewing software -- it does not have the capability to create PDF files from scratch or to display PDF files. . This package contains the qpdf runtime libraries required to run programs that link with the qpdf library. Package: libqpdf-dev Section: libdevel Architecture: any Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} Depends: ${misc:Depends}, libqpdf21 (= ${binary:Version}), libjpeg-dev, zlib1g-dev Recommends: qpdf Description: development files for PDF transformation/inspection library QPDF is a program that can be used to linearize (web-optimize), encrypt (password-protect), decrypt, and inspect PDF files from the command-line. It does these and other structural, content-preserving transformations on PDF files, reading a PDF file as input and creating a new one as output. It also provides many useful capabilities to developers of PDF-producing software or for people who just want to look at the innards of a PDF file to learn more about how they work. . QPDF understands PDF files that use compressed object streams (supported by newer PDF applications) and can convert such files into those that can be read with older viewers. It can also be used for checking PDF files for structural errors, inspecting stream contents, or extracting objects from PDF files. QPDF is not PDF content creation or viewing software -- it does not have the capability to create PDF files from scratch or to display PDF files. . 
This package includes all development files needed to compile applications that use the qpdf library. Package: qpdf Section: text Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends} Description: tools for transforming and inspecting PDF files QPDF is a program that can be used to linearize (web-optimize), encrypt (password-protect), decrypt, and inspect PDF files from the command-line. It does these and other structural, content-preserving transformations on PDF files, reading a PDF file as input and creating a new one as output. It also provides many useful capabilities to developers of PDF-producing software or for people who just want to look at the innards of a PDF file to learn more about how they work. . QPDF understands PDF files that use compressed object streams (supported by newer PDF applications) and can convert such files into those that can be read with older viewers. It can also be used for checking PDF files for structural errors, inspecting stream contents, or extracting objects from PDF files. QPDF is not PDF content creation or viewing software -- it does not have the capability to create PDF files from scratch or to display PDF files. . This package includes the command-line qpdf tools. It also contains the documentation. debian/watch0000644000000000000000000000042613264732354010232 0ustar version=4 # qpdf releases are based on artifacts that are explicitly uploaded # rather than the automatically created source releases. 
opts=pgpsigurlmangle=s/$/.asc/,\ uversionmangle=s/(\d)\.([a-z].+)$/$1~$2/ \ https://github.com/qpdf/qpdf/releases .*/qpdf-(\d\S+)\.tar\.gz debian/patches/0000755000000000000000000000000013272134360010616 5ustar debian/patches/series0000644000000000000000000000005013272134170012025 0ustar CVE-2018-9918.patch fix_pkgconfig.patch debian/patches/CVE-2018-9918.patch0000644000000000000000000000573713264732354013300 0ustar Index: qpdf/ChangeLog =================================================================== --- qpdf.orig/ChangeLog +++ qpdf/ChangeLog @@ -1,3 +1,8 @@ +2018-04-15 Jay Berkenbilt + + * Arbitrarily limit the depth of data structures represented by + direct object. This is CVE-2018-9918. Fixes #202. + 2018-03-06 Jay Berkenbilt * 8.0.2: release Index: qpdf/libqpdf/QPDFObjectHandle.cc =================================================================== --- qpdf.orig/libqpdf/QPDFObjectHandle.cc +++ qpdf/libqpdf/QPDFObjectHandle.cc 
@@ -1487,12 +1487,26 @@ QPDFObjectHandle::parseInternal(PointerH case QPDFTokenizer::tt_array_open: case QPDFTokenizer::tt_dict_open: - olist_stack.push_back(std::vector()); - state = st_start; - offset_stack.push_back(input->tell()); - state_stack.push_back( - (token.getType() == QPDFTokenizer::tt_array_open) ? - st_array : st_dictionary); + if (olist_stack.size() > 500) + { + QTC::TC("qpdf", "QPDFObjectHandle too deep"); + warn(context, + QPDFExc(qpdf_e_damaged_pdf, input->getName(), + object_description, + input->getLastOffset(), + "ignoring excessively deeply nested data structure")); + object = newNull(); + state = st_top; + } + else + { + olist_stack.push_back(std::vector()); + state = st_start; + offset_stack.push_back(input->tell()); + state_stack.push_back( + (token.getType() == QPDFTokenizer::tt_array_open) ? + st_array : st_dictionary); + } break; case QPDFTokenizer::tt_bool: Index: qpdf/qpdf/qpdf.testcov =================================================================== --- qpdf.orig/qpdf/qpdf.testcov +++ qpdf/qpdf/qpdf.testcov @@ -335,3 +335,4 @@ QPDFObjectHandle numeric non-numeric 0 QPDFObjectHandle erase array bounds 0 qpdf-c called qpdf_check_pdf 0 QPDF xref loop 0 +QPDFObjectHandle too deep 0 Index: qpdf/qpdf/qtest/qpdf/issue-146.out =================================================================== --- qpdf.orig/qpdf/qtest/qpdf/issue-146.out +++ qpdf/qpdf/qtest/qpdf/issue-146.out 
@@ -1,7 +1,5 @@ WARNING: issue-146.pdf: file is damaged WARNING: issue-146.pdf: can't find startxref WARNING: issue-146.pdf: Attempting to reconstruct cross-reference table -WARNING: issue-146.pdf (trailer, offset 20728): unknown token while reading object; treating as string -WARNING: issue-146.pdf (trailer, offset 20732): unexpected EOF -WARNING: issue-146.pdf (trailer, offset 20732): parse error while reading object +WARNING: issue-146.pdf (trailer, offset 695): ignoring excessively deeply nested data structure issue-146.pdf: unable to find trailer dictionary while recovering damaged file debian/patches/fix_pkgconfig.patch0000644000000000000000000000114613272134360014456 0ustar Description: libjpeg in trusty doesn't have pkgconfig support Author: Marc Deslauriers Forwarded: no, not-needed Index: qpdf-8.0.2/libqpdf.pc.in =================================================================== --- qpdf-8.0.2.orig/libqpdf.pc.in 2018-03-06 11:34:07.000000000 -0500 +++ qpdf-8.0.2/libqpdf.pc.in 2018-05-01 14:57:18.359079458 -0400 
@@ -6,6 +6,6 @@ includedir=@includedir@ Name: libqpdf Description: PDF transformation library Version: @PACKAGE_VERSION@ -Requires.private: zlib, libjpeg +Requires.private: zlib Libs: -L${libdir} -lqpdf Cflags: -I${includedir} debian/upstream/0000755000000000000000000000000013264732354011037 5ustar debian/upstream/signing-key.asc0000644000000000000000000000745613264732354013767 0ustar
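Review bot: in the libqpdf/QPDFObjectHandle.cc hunk of CVE-2018-9918.patch, the nesting limit is a bare literal in `if (olist_stack.size() > 500)`, and because the test runs before the push, the stack can still grow to 501 entries. Suggest a named constant with a comment recording that the value is arbitrary (as the ChangeLog entry says), and `>=` if 500 is meant to be the maximum. The bail-out branch also sets `state = st_top` while olist_stack, state_stack and offset_stack still hold every open container; the visible lines do not show them being unwound, so it is worth confirming that the code after the switch handles st_top with non-empty stacks.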
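Review bot: in the qpdf/qtest/qpdf/issue-146.out hunk, the new warning is only exercised through an existing damaged-file case, where it replaces three earlier warnings and moves the reported offset from 20728 to 695. A dedicated test input nested just under and just over the limit would pin the boundary and show that a deeply nested but otherwise valid file still parses; the added `QPDFObjectHandle too deep 0` coverage entry alone does not establish that.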
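Review bot: in the libqpdf.pc.in hunk of fix_pkgconfig.patch, dropping libjpeg from `Requires.private` leaves nothing in the .pc file that tells a static link to add libjpeg, since `Libs:` only carries `-L${libdir} -lqpdf`. libqpdf-dev installs `lib*.a`, so consider adding `Libs.private: -ljpeg` alongside this change so that `pkg-config --static --libs libqpdf` still yields a complete link line.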
debian/compat0000644000000000000000000000000213272124610010362 0ustar 9 debian/qpdf.install0000644000000000000000000000012113264732354011513 0ustar debian/tmp/usr/bin debian/tmp/usr/share/man/man1 debian/tmp/usr/share/doc/qpdf/* debian/copyright0000644000000000000000000003116713264732354011142 0ustar This package was debianized by Jay Berkenbilt on April 26, 2008. It was downloaded from http://github.com/qpdf/qpdf/releases Upstream Maintainers: Jay Berkenbilt For these files: libqpdf/sph/sph_sha2.h libqpdf/sph/sph_types.h libqpdf/sph/md_helper.c libqpdf/sha2big.c libqpdf/sha2.c the following copyright applies: ---------------------------------------------------------------------- Copyright (c) 2007-2010 Projet RNRT SAPHIR Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ---------------------------------------------------------------------- For the file libqpdf/MD5.cc, the following copyright applies: ---------------------------------------------------------------------- Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software. ---------------------------------------------------------------------- QPDF embeds a copy of qtest (http://qtest.qbilt.org), which has the same author as qpdf. qtest has the following copyright: Copyright 1993-2007, Jay Berkenbilt QTest is distributed under the terms of version 2.0 of the Artistic license, which may be found at https://opensource.org/licenses/Artistic-2.0 and which also appears below. 
---------------------------------------------------------------------- For everything else, the following copyright applies: Copyright (C) 2005-2017 Jay Berkenbilt Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. Versions of qpdf prior to version 7 were released under the terms of version 2.0 of the Artistic License. At your option, you may continue to consider qpdf to be licensed under those terms. The text of the Artistic License version 2.0 is included below. For the text of the Apache license version 2.0, see /usr/share/common-licenses/Apache-2.0 ---------------------------------------------------------------------- Artistic License 2.0 Copyright (c) 2000-2006, The Perl Foundation. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble This license establishes the terms under which a given free software Package may be copied, modified, distributed, and/or redistributed. The intent is that the Copyright Holder maintains some artistic control over the development of that Package while still keeping the Package available as open source and free software. You are always permitted to make arrangements wholly outside of this license directly with the Copyright Holder of a given Package. If the terms of this license do not permit the full use that you propose to make of the Package, you should contact the Copyright Holder and seek a different licensing arrangement. 
Definitions "Copyright Holder" means the individual(s) or organization(s) named in the copyright notice for the entire Package. "Contributor" means any party that has contributed code or other material to the Package, in accordance with the Copyright Holder's procedures. "You" and "your" means any person who would like to copy, distribute, or modify the Package. "Package" means the collection of files distributed by the Copyright Holder, and derivatives of that collection and/or of those files. A given Package may consist of either the Standard Version, or a Modified Version. "Distribute" means providing a copy of the Package or making it accessible to anyone else, or in the case of a company or organization, to others outside of your company or organization. "Distributor Fee" means any fee that you charge for Distributing this Package or providing support for this Package to another party. It does not mean licensing fees. "Standard Version" refers to the Package if it has not been modified, or has been modified only in ways explicitly requested by the Copyright Holder. "Modified Version" means the Package, if it has been changed, and such changes were not explicitly requested by the Copyright Holder. "Original License" means this Artistic License as Distributed with the Standard Version of the Package, in its current version or as it may be modified by The Perl Foundation in the future. "Source" form means the source code, documentation source, and configuration files for the Package. "Compiled" form means the compiled bytecode, object code, binary, or any other form resulting from mechanical transformation or translation of the Source form. Permission for Use and Modification Without Distribution (1) You are permitted to use the Standard Version and create and use Modified Versions for any purpose without restriction, provided that you do not Distribute the Modified Version. 
Permissions for Redistribution of the Standard Version (2) You may Distribute verbatim copies of the Source form of the Standard Version of this Package in any medium without restriction, either gratis or for a Distributor Fee, provided that you duplicate all of the original copyright notices and associated disclaimers. At your discretion, such verbatim copies may or may not include a Compiled form of the Package. (3) You may apply any bug fixes, portability changes, and other modifications made available from the Copyright Holder. The resulting Package will still be considered the Standard Version, and as such will be subject to the Original License. Distribution of Modified Versions of the Package as Source (4) You may Distribute your Modified Version as Source (either gratis or for a Distributor Fee, and with or without a Compiled form of the Modified Version) provided that you clearly document how it differs from the Standard Version, including, but not limited to, documenting any non-standard features, executables, or modules, and provided that you do at least ONE of the following: (a) make the Modified Version available to the Copyright Holder of the Standard Version, under the Original License, so that the Copyright Holder may include your modifications in the Standard Version. (b) ensure that installation of your Modified Version does not prevent the user installing or running the Standard Version. In addition, the Modified Version must bear a name that is different from the name of the Standard Version. 
(c) allow anyone who receives a copy of the Modified Version to make the Source form of the Modified Version available to others under (i) the Original License or (ii) a license that permits the licensee to freely copy, modify and redistribute the Modified Version using the same licensing terms that apply to the copy that the licensee received, and requires that the Source form of the Modified Version, and of any works derived from it, be made freely available in that license fees are prohibited but Distributor Fees are allowed. Distribution of Compiled Forms of the Standard Version or Modified Versions without the Source (5) You may Distribute Compiled forms of the Standard Version without the Source, provided that you include complete instructions on how to get the Source of the Standard Version. Such instructions must be valid at the time of your distribution. If these instructions, at any time while you are carrying out such distribution, become invalid, you must provide new instructions on demand or cease further distribution. If you provide valid instructions or cease distribution within thirty days after you become aware that the instructions are invalid, then you do not forfeit any of your rights under this license. (6) You may Distribute a Modified Version in Compiled form without the Source, provided that you comply with Section 4 with respect to the Source of the Modified Version. Aggregating or Linking the Package (7) You may aggregate the Package (either the Standard Version or Modified Version) with other packages and Distribute the resulting aggregation provided that you do not charge a licensing fee for the Package. Distributor Fees are permitted, and licensing fees for other components in the aggregation are permitted. The terms of this license apply to the use and Distribution of the Standard or Modified Versions as included in the aggregation. 
(8) You are permitted to link Modified and Standard Versions with other works, to embed the Package in a larger work of your own, or to build stand-alone binary or bytecode versions of applications that include the Package, and Distribute the result without restriction, provided the result does not expose a direct interface to the Package. Items That are Not Considered Part of a Modified Version (9) Works (including, but not limited to, modules and scripts) that merely extend or make use of the Package, do not, by themselves, cause the Package to be a Modified Version. In addition, such works are not considered parts of the Package itself, and are not subject to the terms of this license. General Provisions (10) Any use, modification, and distribution of the Standard or Modified Versions is governed by this Artistic License. By using, modifying or distributing the Package, you accept this license. Do not use, modify, or distribute the Package, if you do not accept this license. (11) If your Modified Version has been derived from a Modified Version made by someone other than you, you are nevertheless required to ensure that your Modified Version complies with the requirements of this license. (12) This license does not grant you the right to use any trademark, service mark, tradename, or logo of the Copyright Holder. (13) This license includes the non-exclusive, worldwide, free-of-charge patent license to make, have made, use, offer to sell, sell, import and otherwise transfer the Package with respect to any patent claims licensable by the Copyright Holder that are necessarily infringed by the Package. If you institute patent litigation (including a cross-claim or counterclaim) against any party alleging that the Package constitutes direct or contributory patent infringement, then this Artistic License to you shall terminate on the date that such litigation is filed. 
(14) Disclaimer of Warranty: THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS IS' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES. THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY YOUR LOCAL LAW. UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR CONTRIBUTOR WILL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. debian/qpdf.doc-base0000644000000000000000000000053213264732354011530 0ustar Document: qpdf-manual Title: Manual for QPDF Author: Jay Berkenbilt Abstract: This manual describes how to use the QPDF tools and library. Section: Text Format: HTML Index: /usr/share/doc/qpdf/qpdf-manual.html Files: /usr/share/doc/qpdf/qpdf-manual.html /usr/share/doc/qpdf/stylesheet.css Format: PDF Files: /usr/share/doc/qpdf/qpdf-manual.pdf debian/source/0000755000000000000000000000000013264732354010477 5ustar debian/source/format0000644000000000000000000000001413264732354011705 0ustar 3.0 (quilt) debian/libqpdf21.install0000644000000000000000000000004213264732354012347 0ustar debian/tmp/usr/lib/*/libqpdf.so.* debian/qpdf.lintian-overrides0000644000000000000000000000030013264732354013502 0ustar # hardening-check says this is from memmove qpdf: hardening-no-fortify-functions usr/bin/qpdf # hardening-check says this is from fread qpdf: hardening-no-fortify-functions usr/bin/zlib-flate debian/changelog0000644000000000000000000003575413272134307011060 0ustar qpdf (8.0.2-3~14.04.1) trusty-security; urgency=medium * SECURITY UPDATE: Updated to 8.0.2 to fix security issues. - CVE-2015-9252, CVE-2017-9208, CVE-2017-9209, CVE-2017-9210, CVE-2017-11624, CVE-2017-11625, CVE-2017-11626, CVE-2017-11627, CVE-2017-12595, CVE-2017-18183, CVE-2017-18184, CVE-2017-18185, CVE-2017-18186, CVE-2018-9918 * Revert to debhelper 9: - debian/compat, debian/control: revert to 9. 
- debian/rules: remove dh_missing. * debian/patches/fix_pkgconfig.patch: libjpeg in trusty doesn't have pkgconfig support, remove it from libqpdf.pc.in. -- Marc Deslauriers Tue, 01 May 2018 13:52:40 -0400 qpdf (8.0.2-3) unstable; urgency=medium * Add patch for CVE-2018-9918 from upstream commit b4d6cf6836ce025ba1811b7bbec52680c7204223. (Closes: #895443) -- Jay Berkenbilt Sun, 15 Apr 2018 16:24:12 -0400 qpdf (8.0.2-2) unstable; urgency=medium * Update debhelper dependency to 10.3 for dh_missing. (Closes: #893581) -- Jay Berkenbilt Sun, 25 Mar 2018 08:29:34 -0400 qpdf (8.0.2-1) unstable; urgency=medium * New upstream release. -- Jay Berkenbilt Tue, 06 Mar 2018 11:54:54 -0500 qpdf (8.0.1-1) unstable; urgency=medium * New upstream release. -- Jay Berkenbilt Sun, 04 Mar 2018 08:40:53 -0500 qpdf (8.0.0-1) unstable; urgency=medium * New upstream release. -- Jay Berkenbilt Sun, 25 Feb 2018 16:55:10 -0500 qpdf (8.0~a1-1) experimental; urgency=medium * New upstream release. -- Jay Berkenbilt Wed, 21 Feb 2018 07:15:50 -0500 qpdf (7.1.1-1) unstable; urgency=medium * New upstream release. -- Jay Berkenbilt Sun, 04 Feb 2018 19:05:20 -0500 qpdf (7.1.0-1) unstable; urgency=medium * New upstream release. * Update standards to 4.1.3. No changes required. -- Jay Berkenbilt Sun, 14 Jan 2018 22:22:11 -0500 qpdf (7.0.0-1) unstable; urgency=medium * New upstream release. -- Jay Berkenbilt Fri, 15 Sep 2017 23:12:59 -0400 qpdf (7.0~b1-3) experimental; urgency=medium * Redo debian rules to use dh over cdbs. * 7.0~b1 closes several bugs. (Closes: #863390, #871320, #825246) -- Jay Berkenbilt Thu, 24 Aug 2017 21:40:57 -0400 qpdf (7.0~b1-2) experimental; urgency=medium * No code changes from previous upload other than noting that several bugs are closed. I left this out of the earlier changelog. This release has many enhancements and fixes many bugs. There are also several CVE fixes: CVE-2017-11624, CVE-2017-11625, CVE-2017-11626, CVE-2017-11627, CVE-2017-9208, CVE-2017-9209, CVE-2017-9210. 
A full listing of the changes in this version will be included in the release notes of the final 7.0.0 release. * Change build dependency for libjpeg-dev to leave only virtual package. -- Jay Berkenbilt Wed, 23 Aug 2017 12:19:47 -0400 qpdf (7.0~b1-1) experimental; urgency=medium * New upstream release. Includes soname bump. -- Jay Berkenbilt Tue, 22 Aug 2017 16:34:17 -0400 qpdf (6.0.0-2) unstable; urgency=medium * Upload to unstable. -- Jay Berkenbilt Mon, 16 Nov 2015 14:10:13 -0500 qpdf (6.0.0-1) experimental; urgency=medium * New upstream release. Includes soname bump. -- Jay Berkenbilt Tue, 10 Nov 2015 13:52:29 -0500 qpdf (5.2.0-2) unstable; urgency=medium * Revert ABI change. This is reverts the deterministic ID change introduced in 5.2.0 but retains the other fix. 6.0.0 will be released imminently with the new functionality. This version is compatible with 5.1.3. (Closes: #804706) -- Jay Berkenbilt Tue, 10 Nov 2015 13:08:28 -0500 qpdf (5.2.0-1) unstable; urgency=medium * New upstream release. -- Jay Berkenbilt Sun, 01 Nov 2015 16:48:58 -0500 qpdf (5.1.3-3) unstable; urgency=high * Update copyright to include a few files that had separate copyrights from the rest of the software. (Closes: #794555) -- Jay Berkenbilt Sun, 06 Sep 2015 18:37:40 -0400 qpdf (5.1.3-2) unstable; urgency=medium * Upload for gcc5 transition. Rename libqpdf13 to libqpdf13v5. (Closes: #791255) -- Jay Berkenbilt Mon, 03 Aug 2015 09:39:26 -0400 qpdf (5.1.3-1) unstable; urgency=medium * New upstream release. Includes all previous patches. * Update standards to 3.9.6. No changes required. * Fix typo in package description. (Closes: #779192) -- Jay Berkenbilt Sun, 24 May 2015 17:47:05 -0400 qpdf (5.1.2-3) experimental; urgency=medium * Handle broken PDF files with missing /Type keys in their page dictionary nodes. (Uploaded to experimental during debian freeze -- this is production-ready.) 
-- Jay Berkenbilt Mon, 29 Dec 2014 10:27:12 -0500 qpdf (5.1.2-2) unstable; urgency=medium * Properly handle pages with no /Content in the page dictionary, enabling printing of files with blank pages as produced by some software. (Closes: #769599) -- Jay Berkenbilt Fri, 14 Nov 2014 21:07:25 -0500 qpdf (5.1.2-1) unstable; urgency=medium * New upstream release. -- Jay Berkenbilt Sat, 07 Jun 2014 17:13:43 -0400 qpdf (5.1.1-1) unstable; urgency=medium * New upstream release. -- Jay Berkenbilt Tue, 14 Jan 2014 15:51:35 -0500 qpdf (5.1.0-1) unstable; urgency=medium * New upstream release * Use dh-autoreconf (Closes: #732093) * Update standards to 3.9.5. No changes required. -- Jay Berkenbilt Tue, 17 Dec 2013 15:50:11 -0500 qpdf (5.0.1-1) unstable; urgency=low * New upstream release -- Jay Berkenbilt Fri, 18 Oct 2013 12:53:02 -0400 qpdf (5.0.0-2) unstable; urgency=low * Upload to unstable -- Jay Berkenbilt Fri, 26 Jul 2013 09:45:50 -0400 qpdf (5.0.0-1) experimental; urgency=low * New upstream release -- Jay Berkenbilt Wed, 10 Jul 2013 13:34:36 -0400 qpdf (4.2.0-2) unstable; urgency=low * Revert ABI change caused by bug fix. The bug fix will be re-released in qpdf 5.0.0. (Closes: #715448) -- Jay Berkenbilt Wed, 10 Jul 2013 13:00:43 -0400 qpdf (4.2.0-1) unstable; urgency=low * New upstream release -- Jay Berkenbilt Sun, 07 Jul 2013 19:05:03 -0400 qpdf (4.1.0-2) unstable; urgency=low * Re-upload to unstable. * Build depend on autotools-dev to always get latest config.sub and config.guess * Update standards version to 3.9.4. No changes made. (qpdf is a C++ library with versioned symbols that version "*", so we continue to use a shlibs file instead of a symbols file.) -- Jay Berkenbilt Tue, 07 May 2013 14:15:47 -0400 qpdf (4.1.0-1) experimental; urgency=low * New upstream release -- Jay Berkenbilt Sun, 14 Apr 2013 14:51:40 -0400 qpdf (4.0.1-2) experimental; urgency=low * Bug fix: proper handling of overridden compressed objects. 
    This fix is backported from upstream and will be part of 4.1.0.

 -- Jay Berkenbilt Sat, 23 Feb 2013 18:11:56 -0500

qpdf (4.0.1-1) experimental; urgency=low

  * New upstream release. All patches incorporated.

 -- Jay Berkenbilt Thu, 17 Jan 2013 10:09:39 -0500

qpdf (4.0.0-2) experimental; urgency=low

  * Patch to test code for detection of binary attachments on
    big-endian systems. No actual qpdf code is changed.

 -- Jay Berkenbilt Wed, 16 Jan 2013 13:44:28 -0500

qpdf (4.0.0-1) experimental; urgency=low

  * New upstream release

 -- Jay Berkenbilt Mon, 31 Dec 2012 11:06:44 -0500

qpdf (3.0.2-1) experimental; urgency=low

  * New upstream release

 -- Jay Berkenbilt Thu, 06 Sep 2012 16:42:48 -0400

qpdf (3.0.1-1) experimental; urgency=low

  * New upstream release

 -- Jay Berkenbilt Sat, 11 Aug 2012 13:58:29 -0400

qpdf (3.0.0-2) experimental; urgency=low

  * Package .pc file in dev package.

 -- Jay Berkenbilt Thu, 09 Aug 2012 21:20:22 -0400

qpdf (3.0.0-1) experimental; urgency=low

  * New upstream release
  * Note: this release is fully production-ready. It has been uploaded
    to debian experimental only because of the Wheezy freeze in effect
    at the time of upload.

 -- Jay Berkenbilt Thu, 02 Aug 2012 06:36:49 -0400

qpdf (3.0~rc1-1) experimental; urgency=low

  * New upstream release
  * Change hardening to use dpkg-buildflags

 -- Jay Berkenbilt Sun, 29 Jul 2012 14:57:40 -0400

qpdf (2.3.1-4) unstable; urgency=low

  * Work around portability issues exposed by upgrading to gcc 4.7.
    The next upstream version of qpdf will handle these properly.
    (Closes: #673404)

 -- Jay Berkenbilt Sat, 19 May 2012 09:21:52 -0400

qpdf (2.3.1-3) unstable; urgency=low

  * Enable hardening and multiarch.

 -- Jay Berkenbilt Sun, 22 Apr 2012 10:51:21 -0400

qpdf (2.3.1-2) unstable; urgency=low

  * Fix to work with pcre 8.30. (Closes: #666308)
  * Update standards to 3.9.3.
  * Fix typo in zlib-flate manual page. Thanks A. Costa.
    (Closes: #666983)

 -- Jay Berkenbilt Fri, 06 Apr 2012 21:45:43 -0400

qpdf (2.3.1-1) unstable; urgency=low

  * New upstream release
  * Release includes documentation fixes reported in debian bug
    reports. (Closes: #638038, #636931)

 -- Jay Berkenbilt Wed, 28 Dec 2011 17:38:56 -0500

qpdf (2.3.0-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt Thu, 11 Aug 2011 16:43:32 -0400

qpdf (2.2.4-1) unstable; urgency=low

  * New upstream release.
  * -Werror is now disabled by default, so it is no longer disabled
    explicitly in debian/rules.

 -- Jay Berkenbilt Sat, 25 Jun 2011 15:14:13 -0400

qpdf (2.2.3-2) unstable; urgency=low

  * Disable -Werror for debian builds. (Closes: #625420)

 -- Jay Berkenbilt Sat, 07 May 2011 09:37:25 -0400

qpdf (2.2.3-1) unstable; urgency=low

  * New upstream release
  * Updated standards to 3.9.2. No changes required.

 -- Jay Berkenbilt Sat, 30 Apr 2011 16:18:28 -0400

qpdf (2.2.2-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt Mon, 04 Oct 2010 12:14:33 -0400

qpdf (2.2.1-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt Sat, 02 Oct 2010 12:00:30 -0400

qpdf (2.2.0-2) unstable; urgency=low

  * Updated shlibs file to reflect added API. Thanks Julien Cristau.

 -- Jay Berkenbilt Sat, 21 Aug 2010 12:02:55 -0400

qpdf (2.2.0-1) unstable; urgency=low

  * New upstream release
  * Updated standards to 3.9.1. No changes required.

 -- Jay Berkenbilt Sat, 14 Aug 2010 14:14:52 -0400

qpdf (2.1.5-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt Sun, 25 Apr 2010 11:11:03 -0400

qpdf (2.1.4-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt Sun, 18 Apr 2010 19:26:55 -0400

qpdf (2.1.3-1) unstable; urgency=low

  * New upstream release
  * Updated standards version to 3.8.4. No changes required.

 -- Jay Berkenbilt Sat, 27 Mar 2010 12:24:48 -0400

qpdf (2.1.2-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt Sun, 24 Jan 2010 20:47:09 -0500

qpdf (2.1.1-1) unstable; urgency=low

  * New upstream release
  * Updated source format to '3.0 (quilt)'
  * Upstream release builds with gcc 4.4. (Closes: #559877)

 -- Jay Berkenbilt Mon, 14 Dec 2009 15:02:12 -0500

qpdf (2.1-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt Fri, 30 Oct 2009 19:59:00 -0400

qpdf (2.1~rc1-1) experimental; urgency=low

  * New upstream release. Several enhancements including support for
    PDF files with AES encryption, a partial C API (qpdf is primarily
    C++), and several additional enhancements to the API. There are a
    few source API changes, though most programs will not be affected;
    details in documentation.
  * Updated standards version to 3.8.3. No changes required.

 -- Jay Berkenbilt Sat, 24 Oct 2009 10:33:43 -0400

qpdf (2.0.6-1) unstable; urgency=low

  * New upstream release
  * New release includes a fix for streams with decode parameters that
    qpdf doesn't understand. (It ignores them and leaves the streams
    unfiltered instead of giving an error message.)
  * Updated standards version to 3.8.1. No changes required.

 -- Jay Berkenbilt Sun, 03 May 2009 16:30:11 -0400

qpdf (2.0.5-1) unstable; urgency=low

  * New upstream release
  * New release includes fixes to LZW decoder and improved features
    for handling files with damaged streams.

 -- Jay Berkenbilt Tue, 10 Mar 2009 13:02:50 -0400

qpdf (2.0.4-1) unstable; urgency=low

  * New upstream release
  * Fix README.source since we don't use tarball in tarball anymore.

 -- Jay Berkenbilt Sun, 22 Feb 2009 17:39:50 -0500

qpdf (2.0.3-1) unstable; urgency=low

  * New upstream release
  * Upstream release includes fix for gcc 4.4 compilation errors.
    (Closes: #505422)
  * No longer use tarball in tarball source package format

 -- Jay Berkenbilt Sun, 15 Feb 2009 18:02:05 -0500

qpdf (2.0.2-1) unstable; urgency=low

  * New upstream release.
    All debian changes incorporated.

 -- Jay Berkenbilt Mon, 30 Jun 2008 11:04:02 -0400

qpdf (2.0.1-3) unstable; urgency=low

  * Fix bashism in test suite. (Closes: #485047)
  * Update standards version to 3.8.0 by adding a debian/README.source
    file. NO other changes were required.

 -- Jay Berkenbilt Sat, 07 Jun 2008 21:14:05 -0400

qpdf (2.0.1-2) unstable; urgency=low

  * Increase timeout in test driver to be more tolerant of slow build
    systems.

 -- Jay Berkenbilt Wed, 07 May 2008 11:44:56 -0400

qpdf (2.0.1-1) unstable; urgency=low

  * New upstream release
  * All debian patches incorporated.

 -- Jay Berkenbilt Tue, 06 May 2008 12:15:20 -0400

qpdf (2.0-5) unstable; urgency=low

  * Fix 64-bit errors

 -- Jay Berkenbilt Mon, 05 May 2008 10:38:23 -0400

qpdf (2.0-4) unstable; urgency=low

  * Remove tests in specific locales. These are obsolete and cause
    false failures when locales aren't fully configured.

 -- Jay Berkenbilt Sun, 04 May 2008 22:02:56 -0400

qpdf (2.0-3) unstable; urgency=low

  * Added missing header files needed for g++-4.3. (Closes: #479301).
    (Now figuring out why my sid chroot doesn't have gcc 4.3.)

 -- Jay Berkenbilt Sun, 04 May 2008 12:01:31 -0400

qpdf (2.0-2) unstable; urgency=low

  * Added missing strlen.h to correct build failure.

 -- Jay Berkenbilt Sat, 03 May 2008 22:04:26 -0400

qpdf (2.0-1) unstable; urgency=low

  * Initial public release. (Closes: #478585)

 -- Jay Berkenbilt Wed, 30 Apr 2008 12:00:29 -0400