Your message dated Mon, 07 Apr 2025 15:38:05 +0000
with message-id <[email protected]>
and subject line Bug#1102191: fixed in poppler 25.03.0-3
has caused the Debian Bug report #1102191,
regarding poppler: CVE-2025-32365
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1102191: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102191
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: poppler
Version: 25.03.0-2
Severity: important
Tags: security upstream
Forwarded: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1577
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for poppler.

CVE-2025-32365[0]:
| Poppler before 25.04.0 allows crafted input files to trigger out-of-
| bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc
| because of a misplaced isOk check.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-32365
    https://www.cve.org/CVERecord?id=CVE-2025-32365
[1] https://gitlab.freedesktop.org/poppler/poppler/-/issues/1577
[2] https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1792
[3] https://gitlab.freedesktop.org/poppler/poppler/-/commit/1f151565bbca5be7449ba8eea6833051cc1baa41

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: poppler
Source-Version: 25.03.0-3
Done: Jeremy Bícha <[email protected]>

We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Bícha <[email protected]> (supplier of updated poppler package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 07 Apr 2025 11:11:10 -0400
Source: poppler
Built-For-Profiles: noudeb
Architecture: source
Version: 25.03.0-3
Distribution: unstable
Urgency: high
Maintainer: Debian freedesktop.org maintainers <[email protected]>
Changed-By: Jeremy Bícha <[email protected]>
Closes: 1102190 1102191
Launchpad-Bugs-Fixed: 2106404
Changes:
 poppler (25.03.0-3) unstable; urgency=high
 .
   * Team upload
   * SECURITY UPDATE: floating-point exception vulnerability (Closes: #1102190)
      - Cherry-pick upstream fix for the PSStack::roll function
        in Function.cc
      - CVE-2025-32364
   * SECURITY UPDATE: out-of-bounds read vulnerability (Closes: #1102191)
      - Cherry-pick upstream fix for the JBIG2Bitmap::combine function
        in JBIG2Stream.cc (LP: #2106404)
      - CVE-2025-32365



--- End Message ---
