Control: tags 1117853 + patch Control: tags 1117853 + pending
Dear maintainer, I've prepared an NMU for poppler (versioned as 25.03.0-11.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should cancel it. Regards, Salvatore
diffstat for poppler-25.03.0 poppler-25.03.0 changelog | 7 +++++++ patches/Check-for-duplicate-entries.patch | 29 +++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 37 insertions(+) diff -Nru poppler-25.03.0/debian/changelog poppler-25.03.0/debian/changelog --- poppler-25.03.0/debian/changelog 2025-10-11 10:49:45.000000000 +0200 +++ poppler-25.03.0/debian/changelog 2025-10-12 20:30:50.000000000 +0200 @@ -1,3 +1,10 @@ +poppler (25.03.0-11.1) unstable; urgency=medium + + * Non-maintainer upload. + * Check for duplicate entries (CVE-2025-52885) (Closes: #1117853) + + -- Salvatore Bonaccorso <[email protected]> Sun, 12 Oct 2025 20:30:50 +0200 + poppler (25.03.0-11) unstable; urgency=medium * Enable poppler-qt6 on x32 diff -Nru poppler-25.03.0/debian/patches/Check-for-duplicate-entries.patch poppler-25.03.0/debian/patches/Check-for-duplicate-entries.patch --- poppler-25.03.0/debian/patches/Check-for-duplicate-entries.patch 1970-01-01 01:00:00.000000000 +0100 +++ poppler-25.03.0/debian/patches/Check-for-duplicate-entries.patch 2025-10-12 20:30:05.000000000 +0200 @@ -0,0 +1,29 @@ +From: Kevin Backhouse <[email protected]> +Date: Wed, 3 Sep 2025 14:36:54 +0100 +Subject: Check for duplicate entries +Origin: https://gitlab.freedesktop.org/poppler/poppler/-/commit/4ce27cc826bf90cc8dbbd8a8c87bd913cccd7ec0 +Bug-Debian: https://bugs.debian.org/1117853 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-52885 + +--- + poppler/StructTreeRoot.cc | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/poppler/StructTreeRoot.cc b/poppler/StructTreeRoot.cc +index eb46147bd1cd..fc7bf4ceb05a 100644 +--- a/poppler/StructTreeRoot.cc ++++ b/poppler/StructTreeRoot.cc +@@ -136,6 +136,10 @@ void StructTreeRoot::parseNumberTreeNode(const Dict &node) + } + int keyVal = key.getInt(); + std::vector<Parent> &vec = parentTree[keyVal]; ++ if (!vec.empty()) { ++ error(errSyntaxError, -1, "Nums item at position {0:d} is a duplicate entry for key {1:d}", i, keyVal); ++ continue; ++ } + + Object valueArray = nums.arrayGet(i + 1); + if (valueArray.isArray()) { +-- +2.51.0 + diff -Nru poppler-25.03.0/debian/patches/series poppler-25.03.0/debian/patches/series --- poppler-25.03.0/debian/patches/series 2025-10-11 10:38:22.000000000 +0200 +++ poppler-25.03.0/debian/patches/series 2025-10-12 20:30:11.000000000 +0200 @@ -4,3 +4,4 @@ CVE-2025-43903.patch CVE-2025-52886.patch CVE-2025-50420.patch +Check-for-duplicate-entries.patch
