BabelDOC v0.6.3
Highlights
- Fixed translated output for PDFs that use Type3 fonts with a non-default
FontMatrix, a pattern seen in some CJK and scanned-print documents.
Previously, BabelDOC derived text size directly from the raw Type3 Tf value,
which could be orders of magnitude smaller than the intended visual scale;
on affected pages the translated text was near-invisible and could look
blank. BabelDOC now normalizes Type3 font metrics against the font's
FontMatrix and FontBBox, so affected translated text is laid out at the
intended visual scale.
- Hardened the bundled CMap loader against deserialization of attacker-controlled
pickle files. The loader now only deserializes CMap files that match a pinned
manifest of bundled artifacts (allowlist + SHA-256 + byte size); names referenced
from PDF content can no longer redirect the loader to an external file.
- Sanitized PDF-controlled image names before writing through the optional
ImageWriter, so an attacker-controlled XObject name can no longer cause a
write outside the intended output directory.
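The size derivation behind the Type3 fix above, as an added illustration that is not BabelDOC code: a Type3 font's /FontMatrix maps glyph space to text space (PDF 32000-1, section 9.6.5), and only after that mapping does Tf scale the result, so the visible height of a glyph is the FontBBox height transformed by FontMatrix times Tf. The `Type3Font` class, the function names and every matrix/bbox/Tf value below are constructed for the example; the second font shows a raw Tf that is ten times smaller than the rendered size, and the third shows why all four bbox corners are transformed rather than reading only the matrix's d entry.

```python
"""Added illustration (not BabelDOC code): why a raw Type3 /Tf misstates visual size."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Type3Font:
    font_matrix: tuple  # /FontMatrix [a b c d e f]: glyph space -> text space
    font_bbox: tuple    # /FontBBox [llx lly urx ury] in glyph space


# Implicit matrix of non-Type3 fonts (1000 glyph units per em); Type3 may use anything.
STANDARD_MATRIX = (0.001, 0, 0, 0.001, 0, 0)


def glyph_to_text(font_matrix, x, y):
    """Apply the PDF affine matrix [a b c d e f] to a glyph-space point."""
    a, b, c, d, e, f = font_matrix
    return (a * x + c * y + e, b * x + d * y + f)


def text_space_extent(font):
    """(width, height) of FontBBox in text space. All four corners are transformed so
    rotated or skewed matrices are handled; a degenerate matrix would make glyphs
    invisible, so it is reported instead of silently producing a zero size."""
    llx, lly, urx, ury = font.font_bbox
    pts = [glyph_to_text(font.font_matrix, x, y) for x in (llx, urx) for y in (lly, ury)]
    xs, ys = [p[0] for p in pts], [p[1] for p in pts]
    w, h = max(xs) - min(xs), max(ys) - min(ys)
    if w <= 0 or h <= 0:
        raise ValueError("degenerate FontMatrix/FontBBox: glyphs would render invisibly")
    return w, h


def visual_height(font, tf):
    """User-space height of the glyph box at font size tf (CTM, Tz and Th ignored)."""
    return text_space_extent(font)[1] * tf


def tf_scale_factor(font):
    """Factor by which a naive 'size = Tf' pipeline misses the rendered height:
    1.0 for a standard-like font, 10.0 for the constructed bad case below."""
    return text_space_extent(font)[1]


def demo():
    """Constructed fonts: (label, raw Tf, rendered height in user-space units)."""
    cases = [
        ("standard-like", Type3Font(STANDARD_MATRIX, (0, 0, 1000, 1000)), 12),
        ("tiny Tf, big matrix", Type3Font((100, 0, 0, 100, 0, 0), (0, 0, 0.1, 0.1)), 1.2),
        ("rotated matrix", Type3Font((0, 0.01, -0.01, 0, 0, 0), (0, 0, 100, 100)), 12),
    ]
    return [(label, tf, round(visual_height(font, tf), 6)) for label, font, tf in cases]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

All three constructed fonts render at 12 user-space units, but a pipeline that copies Tf into the output would set the second one at 1.2, which is the near-invisible symptom the highlight describes.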
Security
This release includes a CMap loader fix reported via coordinated
disclosure (GHSA-m8gf-v64p-gfmg, affecting BabelDOC <= 0.6.2; see the
published advisory for details and exploit prerequisites), together with
one additional defense-in-depth hardening shipped alongside it: the
ImageWriter path sanitization listed under Highlights.
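The two filesystem-facing checks this section refers to, as an added example that is not BabelDOC's own code: a CMap loader that deserializes only artifacts pinned in a manifest (allowlist, then byte size, then SHA-256), using the PDF-supplied name purely as a dictionary key before it is ever joined to a path and consulting no environment search path; and an XObject image-name sanitizer that keeps one safe file-name component and still proves the final path stays inside the output directory. The manifest layout, all function names, the `.pickle` file names and the stand-in CMap contents are assumptions constructed for the example.

```python
"""Added example (not BabelDOC code): manifest-pinned CMap loading and image-name sanitizing."""
import hashlib
import pickle
import re
import tempfile
from pathlib import Path


class CMapLoadError(Exception):
    """The name is not a bundled CMap, or the bundled file no longer matches its pin."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(cmap_dir: Path) -> dict:
    """Packaging-time step (assumed format): pin each file by bare name, digest and size."""
    return {p.name: {"sha256": sha256_hex(p.read_bytes()), "size": p.stat().st_size}
            for p in sorted(cmap_dir.iterdir()) if p.is_file()}


def verify_cmap_bytes(manifest: dict, name: str, data: bytes) -> bool:
    """Allowlist, then size (cheap, catches truncation/padding), then SHA-256."""
    entry = manifest.get(name)
    if entry is None or len(data) != entry["size"]:
        return False
    return sha256_hex(data) == entry["sha256"]


def load_bundled_cmap(cmap_dir: Path, manifest: dict, name: str):
    """Deserialize a CMap only if `name` is a pinned bundled artifact. `name` may come
    straight from PDF content: it is checked as a dictionary key before it is joined to
    any path, so '../x', absolute paths or NUL bytes never reach the filesystem, and no
    CMAP_PATH-style environment search path is consulted."""
    if name not in manifest:
        raise CMapLoadError(f"CMap {name!r} is not a bundled artifact")
    data = (cmap_dir / name).read_bytes()  # keys are bare file names fixed at build time
    if not verify_cmap_bytes(manifest, name, data):
        raise CMapLoadError(f"bundled CMap {name!r} failed size/SHA-256 verification")
    return pickle.loads(data)  # only bytes pinned at packaging time reach pickle


_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_image_name(xobject_name: str, fallback: str = "image") -> str:
    """Reduce a PDF-controlled XObject name to one conservative file-name component."""
    base = xobject_name.replace("\\", "/").rsplit("/", 1)[-1]  # last path component only
    base = _UNSAFE.sub("_", base).strip("._")  # no '.', '..', hidden files or odd bytes
    return base[:64] or fallback


def image_output_path(out_dir: Path, xobject_name: str, ext: str = "png") -> Path:
    """Sanitize, then still prove the resolved target lives directly inside out_dir."""
    out_dir = out_dir.resolve()
    target = (out_dir / f"{sanitize_image_name(xobject_name)}.{ext}").resolve()
    if target.parent != out_dir:
        raise ValueError(f"refusing to write outside {out_dir}: {target}")
    return target


def demo() -> dict:
    """Constructed run: two stand-in CMap pickles, hostile names, a tampered file."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cmap_dir = Path(tmp) / "cmaps"
        cmap_dir.mkdir()
        (cmap_dir / "UniGB-UCS2-H.pickle").write_bytes(pickle.dumps({0x4E2D: 2153}))
        (cmap_dir / "Identity-H.pickle").write_bytes(pickle.dumps({"identity": True}))
        manifest = build_manifest(cmap_dir)
        results["good"] = load_bundled_cmap(cmap_dir, manifest, "UniGB-UCS2-H.pickle")

        outside = Path(tmp) / "evil.pickle"  # a file a PDF might try to steer the loader to
        outside.write_bytes(pickle.dumps({"not": "bundled"}))
        results["hostile"] = []
        for hostile in ("../evil.pickle", str(outside), "Identity-H.pickle\x00"):
            try:
                load_bundled_cmap(cmap_dir, manifest, hostile)
                results["hostile"].append("LOADED")
            except CMapLoadError:
                results["hostile"].append("rejected")

        # Same byte length as the pinned file, so only the digest catches this edit.
        (cmap_dir / "Identity-H.pickle").write_bytes(pickle.dumps({"identity": False}))
        try:
            load_bundled_cmap(cmap_dir, manifest, "Identity-H.pickle")
            results["tampered"] = "LOADED"
        except CMapLoadError:
            results["tampered"] = "rejected"

        out_dir = Path(tmp) / "images"
        out_dir.mkdir()
        results["images"] = [image_output_path(out_dir, n).name
                             for n in ("Im1", "../../etc/passwd", "..", "/abs/x")]
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: membership in the manifest is decided before any path is formed, so a hostile name is rejected without touching the disk, and the size comparison runs before hashing so a truncated or padded file is cheap to refuse. For image names, the sanitizer alone would already keep writes inside the directory; the containment check after `resolve()` is the second, independent guard.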
Dependency Updates
- Raised the minimum versions of onnx, cryptography, and pymupdf for
dependency hygiene and downstream SCA compatibility. We have not
identified a BabelDOC-specific call path that reaches the corresponding
upstream CVEs.
Compatibility Notes
- The CMap loader no longer honors the legacy CMAP_PATH environment variable.
Deployments that relied on CMAP_PATH to ship additional CMap files outside
the BabelDOC package will need to vendor those CMaps into the packaged
runtime data or wait for a documented extension point; arbitrary external
CMap search paths are no longer supported.
- This release is primarily a security and dependency hardening update for the
v0.6 line. It also fixes translated output for PDFs with non-default Type3
FontMatrix fonts; those documents will produce different (corrected)
translation output after upgrading.
Maintenance Policy
BabelDOC publishes security fixes only in the latest release. We do not
publish maintainer-supported backports for older minor, patch, or release
lines. For the security fixes shipped in 0.6.3, the maintainer-supported
fixed version is 0.6.3 or later; downstream distributors may carry their own
patches, but older BabelDOC releases will not receive a separate upstream
backport.