diff -Nru qpdf-9.1.1/debian/changelog qpdf-9.1.1/debian/changelog
--- qpdf-9.1.1/debian/changelog	2020-03-21 12:29:10.000000000 +0000
+++ qpdf-9.1.1/debian/changelog	2021-07-28 13:06:58.000000000 +0000
@@ -1,3 +1,14 @@
+qpdf (9.1.1-1ubuntu0.1) focal-security; urgency=medium
+
+  * SECURITY UPDATE: heap-based buffer overflow in Pl_ASCII85Decoder::write
+    - debian/patches/CVE-2021-36978.patch: fix some pipelines to be safe if
+      downstream write fails in libqpdf/Pl_AES_PDF.cc,
+      libqpdf/Pl_ASCII85Decoder.cc, libqpdf/Pl_ASCIIHexDecoder.cc,
+      libqpdf/Pl_Count.cc.
+    - CVE-2021-36978
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 28 Jul 2021 09:06:58 -0400
+
 qpdf (9.1.1-1build1) focal; urgency=medium
 
   * No-change rebuild for libgcc-s1 package name change.
diff -Nru qpdf-9.1.1/debian/control qpdf-9.1.1/debian/control
--- qpdf-9.1.1/debian/control	2020-01-27 02:08:43.000000000 +0000
+++ qpdf-9.1.1/debian/control	2021-07-28 13:06:58.000000000 +0000
@@ -2,7 +2,8 @@
 Section: libs
 Priority: optional
 Build-Depends: debhelper (>> 10.3~), libjpeg-dev, zlib1g-dev, libgnutls28-dev
-Maintainer: Jay Berkenbilt <qjb@debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Jay Berkenbilt <qjb@debian.org>
 Standards-Version: 4.5.0
 Homepage: http://qpdf.sourceforge.net
 
diff -Nru qpdf-9.1.1/debian/patches/CVE-2021-36978.patch qpdf-9.1.1/debian/patches/CVE-2021-36978.patch
--- qpdf-9.1.1/debian/patches/CVE-2021-36978.patch	1970-01-01 00:00:00.000000000 +0000
+++ qpdf-9.1.1/debian/patches/CVE-2021-36978.patch	2021-07-28 13:06:51.000000000 +0000
@@ -0,0 +1,99 @@
+Backport of:
+
+From dc92574c10f3e2516ec6445b88c5d584f40df4e5 Mon Sep 17 00:00:00 2001
+From: Jay Berkenbilt <ejb@ql.org>
+Date: Mon, 4 Jan 2021 11:55:28 -0500
+Subject: [PATCH] Fix some pipelines to be safe if downstream write fails (fuzz
+ issue 28262)
+
+---
+ ChangeLog                     |   6 ++++++
+ fuzz/qpdf_extra/28262.fuzz    | Bin 0 -> 40395 bytes
+ libqpdf/Pl_AES_PDF.cc         |   2 +-
+ libqpdf/Pl_ASCII85Decoder.cc  |   7 +++++--
+ libqpdf/Pl_ASCIIHexDecoder.cc |   6 ++++--
+ libqpdf/Pl_Count.cc           |   2 +-
+ 6 files changed, 17 insertions(+), 6 deletions(-)
+ create mode 100644 fuzz/qpdf_extra/28262.fuzz
+
+#diff --git a/ChangeLog b/ChangeLog
+#index 2db53cb8..1e31efb4 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,3 +1,9 @@
+#+2021-01-04  Jay Berkenbilt  <ejb@ql.org>
+#+
+#+	* Move getNext()->write() calls in some pipelines to ensure that
+#+	state gates properly reset even if the next pipeline's write
+#+	throws an exception (fuzz issue 28262).
+#+
+# 2021-01-03  Jay Berkenbilt  <ejb@ql.org>
+# 
+# 	* Don't include -o nospace with zsh completion setup so file
+diff --git a/libqpdf/Pl_AES_PDF.cc b/libqpdf/Pl_AES_PDF.cc
+index 18cf3a4d..2865f804 100644
+--- a/libqpdf/Pl_AES_PDF.cc
++++ b/libqpdf/Pl_AES_PDF.cc
+@@ -238,6 +238,6 @@ Pl_AES_PDF::flush(bool strip_padding)
+ 	    }
+ 	}
+     }
+-    getNext()->write(this->outbuf, bytes);
+     this->offset = 0;
++    getNext()->write(this->outbuf, bytes);
+ }
+diff --git a/libqpdf/Pl_ASCII85Decoder.cc b/libqpdf/Pl_ASCII85Decoder.cc
+index b8df3e87..9d9f6704 100644
+--- a/libqpdf/Pl_ASCII85Decoder.cc
++++ b/libqpdf/Pl_ASCII85Decoder.cc
+@@ -119,10 +119,13 @@ Pl_ASCII85Decoder::flush()
+ 
+     QTC::TC("libtests", "Pl_ASCII85Decoder partial flush",
+ 	    (this->pos == 5) ? 0 : 1);
+-    getNext()->write(outbuf, this->pos - 1);
+-
++    // Reset before calling getNext()->write in case that throws an
++    // exception.
++    auto t = this->pos - 1;
+     this->pos = 0;
+     memset(this->inbuf, 117, 5);
++
++    getNext()->write(outbuf, t);
+ }
+ 
+ void
+diff --git a/libqpdf/Pl_ASCIIHexDecoder.cc b/libqpdf/Pl_ASCIIHexDecoder.cc
+index f20a9769..7845268e 100644
+--- a/libqpdf/Pl_ASCIIHexDecoder.cc
++++ b/libqpdf/Pl_ASCIIHexDecoder.cc
+@@ -97,12 +97,14 @@ Pl_ASCIIHexDecoder::flush()
+ 
+     QTC::TC("libtests", "Pl_ASCIIHexDecoder partial flush",
+ 	    (this->pos == 2) ? 0 : 1);
+-    getNext()->write(&ch, 1);
+-
++    // Reset before calling getNext()->write in case that throws an
++    // exception.
+     this->pos = 0;
+     this->inbuf[0] = '0';
+     this->inbuf[1] = '0';
+     this->inbuf[2] = '\0';
++
++    getNext()->write(&ch, 1);
+ }
+ 
+ void
+diff --git a/libqpdf/Pl_Count.cc b/libqpdf/Pl_Count.cc
+index 8077092a..c35619b8 100644
+--- a/libqpdf/Pl_Count.cc
++++ b/libqpdf/Pl_Count.cc
+@@ -27,8 +27,8 @@ Pl_Count::write(unsigned char* buf, size_t len)
+     if (len)
+     {
+ 	this->m->count += QIntC::to_offset(len);
+-	getNext()->write(buf, len);
+ 	this->m->last_char = buf[len - 1];
++	getNext()->write(buf, len);
+     }
+ }
+ 
diff -Nru qpdf-9.1.1/debian/patches/series qpdf-9.1.1/debian/patches/series
--- qpdf-9.1.1/debian/patches/series	2020-01-27 02:08:43.000000000 +0000
+++ qpdf-9.1.1/debian/patches/series	2021-07-28 13:06:07.000000000 +0000
@@ -0,0 +1 @@
+CVE-2021-36978.patch