• Bug#1104287: bookworm-pu: package poppler/22.12.0-2+deb12u1

    From Adrian Bunk@21:1/5 to All on Mon Apr 28 12:00:02 2025
    XPost: linux.debian.devel.release


    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    User: release.debian.org@packages.debian.org
    Usertags: pu
    X-Debbugs-Cc: security@debian.org, Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>

    * CVE-2023-34872: OutlineItem::open crash on malformed files
    * CVE-2024-56378: Out-of-bounds read in JBIG2Bitmap::combine
    * CVE-2025-32364: Floating point exception in PSStack::roll
    * CVE-2025-32365: Out-of-bounds read in JBIG2:Bitmap::combine

    diffstat for poppler-22.12.0 poppler-22.12.0

    changelog | 10 +
    patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch | 41 +++++
    patches/0002-JBIG2Bitmap-combine-Fix-crash-on-malformed-files.patch | 73 ++++++++++
    patches/0003-PSStack-roll-Protect-against-doing-int-INT_MIN.patch | 25 +++
    patches/0004-Move-isOk-check-to-inside-JBIG2Bitmap-combine.patch | 37 +++++
    patches/series | 4
    6 files changed, 190 insertions(+)

    diff -Nru poppler-22.12.0/debian/changelog poppler-22.12.0/debian/changelog
    --- poppler-22.12.0/debian/changelog 2023-01-10 23:36:05.000000000 +0200
    +++ poppler-22.12.0/debian/changelog 2025-04-12 21:26:36.000000000 +0300
    @@ -1,3 +1,13 @@
    +poppler (22.12.0-2+deb12u1) bookworm; urgency=medium
    +
    + * Non-maintainer upload.
    + * CVE-2023-34872: OutlineItem::open crash on malformed files
    + * CVE-2024-56378: Out-of-bounds read in JBIG2Bitmap::combine
    + * CVE-2025-32364: Floating point exception in PSStack::roll
    + * CVE-2025-32365: Out-of-bounds read in JBIG2:Bitmap::combine
    +
    + -- Adrian Bunk <bunk@debian.org> Sat, 12 Apr 2025 21:26:36 +0300
    +
    poppler (22.12.0-2) unstable; urgency=medium

    * Team upload
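
    Review bot: The CVE-2025-32365 entry writes the function as JBIG2:Bitmap::combine, with a stray colon. The CVE-2024-56378 entry two lines above it and the patch file names in the diffstat spell it JBIG2Bitmap::combine, so the entry should match. None of the four entries carries a (Closes: #...) reference either. If bugs are filed against poppler for these CVEs, adding the references here lets the upload close them.
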
    diff -Nru poppler-22.12.0/debian/patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch poppler-22.12.0/debian/patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch
    --- poppler-22.12.0/debian/patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch 1970-01-01 02:00:00.000000000 +0200
    +++ poppler-22.12.0/debian/patches/0001-OutlineItem-o
  • From Rene Engelhard@21:1/5 to All on Mon Apr 28 19:00:01 2025
    XPost: linux.debian.devel.release

    Hi,

    On 28.04.25 at 11:52, Adrian Bunk wrote:
    > Package: release.debian.org
    > Severity: normal
    > Tags: bookworm
    > User: release.debian.org@packages.debian.org
    > Usertags: pu
    > X-Debbugs-Cc: security@debian.org, Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>
    >
    > * CVE-2023-34872: OutlineItem::open crash on malformed files
    > * CVE-2024-56378: Out-of-bounds read in JBIG2Bitmap::combine
    > * CVE-2025-32364: Floating point exception in PSStack::roll
    > * CVE-2025-32365: Out-of-bounds read in JBIG2:Bitmap::combine

    What about https://security-tracker.debian.org/tracker/CVE-2025-43903 ("NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries."). If one is at it for bookworm anyway..


    Regards,


    Rene

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Adrian Bunk@21:1/5 to Rene Engelhard on Mon Apr 28 20:30:01 2025
    XPost: linux.debian.devel.release

    On Mon, Apr 28, 2025 at 06:47:27PM +0200, Rene Engelhard wrote:
    > Hi,

    Hi Rene,

    > On 28.04.25 at 11:52, Adrian Bunk wrote:
    > > Package: release.debian.org
    > > Severity: normal
    > > Tags: bookworm
    > > User: release.debian.org@packages.debian.org
    > > Usertags: pu
    > > X-Debbugs-Cc: security@debian.org, Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>
    > >
    > > * CVE-2023-34872: OutlineItem::open crash on malformed files
    > > * CVE-2024-56378: Out-of-bounds read in JBIG2Bitmap::combine
    > > * CVE-2025-32364: Floating point exception in PSStack::roll
    > > * CVE-2025-32365: Out-of-bounds read in JBIG2:Bitmap::combine
    >
    > What about https://security-tracker.debian.org/tracker/CVE-2025-43903 ("NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries."). If one is at it for bookworm anyway..

    you missed the last line I've added there earlier today:
    Might cause regression: https://bugzilla.suse.com/show_bug.cgi?id=1241620#c3

    > Regards,
    >
    > Rene

    cu
    Adrian

  • From Rene Engelhard@21:1/5 to All on Mon Apr 28 20:40:01 2025
    XPost: linux.debian.devel.release

    [ CCing the inkscape maintainer, too ]


    Hi,

    On 28.04.25 at 20:25, Adrian Bunk wrote:
    > you missed the last line I've added there earlier today:
    > Might cause regression: https://bugzilla.suse.com/show_bug.cgi?id=1241620#c3

    Indeed I missed it. (Actually didn't look at the contents when I wrote the mail, just looked up the URL) [1]


    Unfortunately the links there don't work, but "version update" makes me wary, as applying a security patch is not really a "version update". Or it's just badly formulated.

    TTBOMK inkscape didn't regress with https://tracker.debian.org/ews/1640383/accepted-poppler-25030-4-source-into-unstable/ (did it? at least no inkscape update since then)...

    Poppler version updates break all the time, indeed.


    But maybe the inkscape/poppler combo in bookworm breaks, didn't try... Maybe the inkscape maintainer can help here.


    Regards,


    Rene

  • From Adrian Bunk@21:1/5 to All on Mon Apr 28 22:10:02 2025
    XPost: linux.debian.devel.release

    On Mon, Apr 28, 2025 at 02:45:57PM -0400, Jeremy Bícha wrote:
    > On Mon, Apr 28, 2025 at 2:39 PM Rene Engelhard <rene@debian.org> wrote:
    > > On 28.04.25 at 20:25, Adrian Bunk wrote:
    > > > you missed the last line I've added there earlier today:
    > > > Might cause regression: https://bugzilla.suse.com/show_bug.cgi?id=1241620#c3
    > >
    > > Indeed I missed it. (Actually didn't look at the contents when I wrote the mail, just looked up the URL) [1]
    > >
    > > Unfortunately the links there don't work, but "version update" makes me wary, as applying a security patch is not really a "version update". Or it's just badly formulated.
    > >
    > > TTBOMK inkscape didn't regress with https://tracker.debian.org/ews/1640383/accepted-poppler-25030-4-source-into-unstable/ (did it? at least no inkscape update since then)...
    > >
    > > Poppler version updates break all the time, indeed.
    > >
    > > But maybe the inkscape/poppler combo in bookworm breaks, didn't try... Maybe the inkscape maintainer can help here.
    >
    > Adrian, could you be more verbose about what you think might be incompatible?

    I don't know more than what is in the SUSE Bugzilla.

    > Thank you,
    > Jeremy Bícha

    cu
    Adrian

  • From Adrian Bunk@21:1/5 to Rene Engelhard on Mon Apr 28 22:20:01 2025
    XPost: linux.debian.devel.release

    On Mon, Apr 28, 2025 at 08:35:58PM +0200, Rene Engelhard wrote:
    > [ CCing the inkscape maintainer, too ]
    >
    > Hi,

    Hi Rene,

    > On 28.04.25 at 20:25, Adrian Bunk wrote:
    > > you missed the last line I've added there earlier today:
    > > Might cause regression: https://bugzilla.suse.com/show_bug.cgi?id=1241620#c3
    >
    > Indeed I missed it. (Actually didn't look at the contents when I wrote the mail, just looked up the URL) [1]
    >
    > Unfortunately the links there don't work, but "version update" makes me wary, as applying a security patch is not really a "version update". Or it's just badly formulated.

    I know as much as you know about that entry.

    > TTBOMK inkscape didn't regress with https://tracker.debian.org/ews/1640383/accepted-poppler-25030-4-source-into-unstable/ (did it? at least no inkscape update since then)...
    >
    > Poppler version updates break all the time, indeed.
    >
    > But maybe the inkscape/poppler combo in bookworm breaks, didn't try... Maybe the inkscape maintainer can help here.

    And who knows how likely "Not sure there is any other problem" is.

    I will not try to fix this CVE at this point in time, but this does not
    prevent other people from working on it if anyone disagrees.

    > Regards,
    >
    > Rene

    cu
    Adrian

  • From Sune Stolborg Vuorela@21:1/5 to All on Tue Apr 29 10:30:01 2025
    XPost: linux.debian.devel.release

    On Monday, April 28, 2025 10:11:44 PM CEST Adrian Bunk wrote:

    > > On 28.04.25 at 20:25, Adrian Bunk wrote:
    > > > you missed the last line I've added there earlier today:
    > > > Might cause regression: https://bugzilla.suse.com/show_bug.cgi?id=1241620#c3
    > >
    > > Indeed I missed it. (Actually didn't look at the contents when I wrote the mail, just looked up the URL) [1]
    > >
    > > But maybe the inkscape/poppler combo in bookworm breaks, didn't try... Maybe the inkscape maintainer can help here.
    >
    > And who knows how likely "Not sure there is any other problem" is.
    >
    > I will not try to fix this CVE at this point in time, but this does not prevent other people from working on it if anyone disagrees.


    While wearing my quite frequent upstream poppler contributor hat, there is no way the fix in the NSS backend signature validation code can do any regressions in inkscape.
    Inkscape does not do any validation of signed documents, it doesn't call any validation related functions.

    I guess SUSE isn't just backporting the quite trivial patch but rather bumping to a new poppler upstream version which comes with loads of changes to internal poppler API (that inkscape and others unfortunately use)

    /Sune
    - probably the one who did most poppler code churn over the last couple of years
    --
    I didn’t stop pretending when I became an adult, it’s just that when I was a
    kid I was pretending that I fit into the rules and structures of this world. And now that I’m an adult, I pretend that those rules and structures exist.
    - zefrank

  • From Adrian Bunk@21:1/5 to Adrian Bunk on Sat May 10 12:10:01 2025
    XPost: linux.debian.devel.release

    On Mon, Apr 28, 2025 at 12:52:50PM +0300, Adrian Bunk wrote:
    > Package: release.debian.org
    > Severity: normal
    > Tags: bookworm
    > User: release.debian.org@packages.debian.org
    > Usertags: pu
    > X-Debbugs-Cc: security@debian.org, Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>
    >
    > * CVE-2023-34872: OutlineItem::open crash on malformed files
    > * CVE-2024-56378: Out-of-bounds read in JBIG2Bitmap::combine
    > * CVE-2025-32364: Floating point exception in PSStack::roll
    > * CVE-2025-32365: Out-of-bounds read in JBIG2:Bitmap::combine

    Updated debdiff attached, the only change is the addition of closing
    bugs in the changelog.

    cu
    Adrian

    diffstat for poppler-22.12.0 poppler-22.12.0

    changelog | 14 +
    patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch | 41 +++++
    patches/0002-JBIG2Bitmap-combine-Fix-crash-on-malformed-files.patch | 73 ++++++++++
    patches/0003-PSStack-roll-Protect-against-doing-int-INT_MIN.patch | 25 +++
    patches/0004-Move-isOk-check-to-inside-JBIG2Bitmap-combine.patch | 37 +++++
    patches/series | 4
    6 files changed, 194 insertions(+)

    diff -Nru poppler-22.12.0/debian/changelog poppler-22.12.0/debian/changelog
    --- poppler-22.12.0/debian/changelog 2023-01-10 23:36:05.000000000 +0200
    +++ poppler-22.12.0/debian/changelog 2025-04-12 21:26:36.000000000 +0300
    @@ -1,3 +1,17 @@
    +poppler (22.12.0-2+deb12u1) bookworm; urgency=medium
    +
    + * Non-maintainer upload.
    + * CVE-2023-34872: OutlineItem::open crash on malformed files
    + (Closes: #1042811)
    + * CVE-2024-56378: Out-of-bounds read in JBIG2Bitmap::combine
    + (Closes: #1091322)
    + * CVE-2025-32364: Floating point exception in PSStack::roll
    + (Closes: #1102190)
    + * CVE-2025-32365: Out-of-bounds read in JBIG2:Bitmap::combine
    + (Closes: #1102191)
    +
    + -- Adrian Bunk <bunk@debian.org> Sat, 12 Apr 2025 21:26:36 +0300
    +
    poppler (22.12.0-2) unstable; urgency=medium

    * Team upload
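
    Review bot: The CVE-2024-56378 and CVE-2025-32365 entries describe their fixes in the same words, "Out-of-bounds read in JBIG2Bitmap::combine", although they close different bugs (#1091322 and #1102191) and the diffstat lists two separate JBIG2Bitmap::combine patches (0002 and 0004). A few words per entry on what each fix changes, for example the isOk check named in the 0004 patch title, would let a reader of the changelog tell them apart. The CVE-2025-32365 line also still reads JBIG2:Bitmap::combine with a stray colon.
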
    diff -Nru poppler-22.12.0/debian/patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch poppler-22.12.0/debian/patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch
    --- poppler-22.12.0/debian/patches/0001-OutlineItem-open-Fix-crash-on-malformed-fi
  • From Adam D Barratt@21:1/5 to All on Sat May 10 17:50:01 2025
    XPost: linux.debian.devel.release

    package release.debian.org
    tags 1104287 = bookworm pending
    thanks

    Hi,

    The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

    Thanks for your contribution!

    Upload details
    ==============

    Package: poppler
    Version: 22.12.0-2+deb12u1

    Explanation: fix crash on malformed files [CVE-2023-34872]; fix out-of-bounds read issues [CVE-2024-56378 CVE-2025-32365]; fix floating point exception issue [CVE-2025-32364]
