Your message dated Tue, 02 Jun 2026 21:08:52 +0000
with message-id <[email protected]>
and subject line Bug#1138708: fixed in poppler 26.01.0-4.1
has caused the Debian Bug report #1138708,
regarding poppler: CVE-2026-10118
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138708: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138708
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: poppler
Version: 26.01.0-4
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1715
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for poppler.
CVE-2026-10118[0]:
| A flaw was found in Poppler's Splash backend. A remote attacker
| could exploit this vulnerability by crafting a malicious PDF file
| that, when rendered, triggers an integer overflow in the
| `tilingPatternFill` function. This overflow leads to an undersized
| heap memory allocation, allowing a subsequent out-of-bounds write.
| Successful exploitation could result in arbitrary code execution,
| information disclosure, or denial of service within the context of
| the application processing the PDF.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-10118
https://www.cve.org/CVERecord?id=CVE-2026-10118
[1] https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1715
[2] https://gitlab.freedesktop.org/poppler/poppler/-/commit/8352264766652b98336e92359a70b3161a9ab97a
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
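The bug class named in the CVE text above (a size product that wraps before a heap allocation), shown beside a checked form. This is an added illustration, not poppler's code and not the upstream fix; the struct, field names, `int` dimensions and sample values are assumptions constructed for the demo.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical tile request; field names are illustrative, not poppler's. */
struct tile_req { int tile_w, tile_h, repeat_x, repeat_y, bytes_per_px; };

/* Constructed samples: both yield the same 32-bit allocation size. */
static const struct tile_req benign  = { 64, 64, 4, 4, 4 };
static const struct tile_req hostile = { 256, 16385, 256, 1, 4 };

/* Bytes the fill loop would actually write, computed without wrapping. */
static uint64_t bytes_written(const struct tile_req *r) {
    return (uint64_t)r->tile_w * r->repeat_x * (uint64_t)r->tile_h *
           r->repeat_y * r->bytes_per_px;
}

/* Flawed pattern: the product is truncated to 32 bits before allocation
 * (uint32_t is used so the wrap is well defined in this demo). */
static uint32_t alloc_size_unchecked(const struct tile_req *r) {
    return (uint32_t)bytes_written(r);
}

/* Multiply two positive ints, failing instead of overflowing. */
static bool mul_ok(int a, int b, int *out) {
    if (a <= 0 || b <= 0 || a > INT_MAX / b) return false;
    *out = a * b;
    return true;
}

/* Hardened pattern: every intermediate product is checked in int. */
static bool alloc_size_checked(const struct tile_req *r, size_t *out) {
    int w, h, px, n;
    if (!mul_ok(r->tile_w, r->repeat_x, &w) || !mul_ok(r->tile_h, r->repeat_y, &h) ||
        !mul_ok(w, h, &px) || !mul_ok(px, r->bytes_per_px, &n))
        return false;
    *out = (size_t)n;
    return true;
}

int main(void) {
    size_t n = 0;
    printf("hostile: alloc=%u written=%llu accepted=%d\n", alloc_size_unchecked(&hostile),
           (unsigned long long)bytes_written(&hostile), alloc_size_checked(&hostile, &n));
    printf("benign:  alloc=%u accepted=%d\n", alloc_size_unchecked(&benign),
           alloc_size_checked(&benign, &n));
    return 0;
}
```

The hostile request allocates the same 262144 bytes as the benign 256x256 tile while the fill would write about 4 GiB, which is why the checked path has to reject it before the allocation rather than after.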
--- Begin Message ---
Source: poppler
Source-Version: 26.01.0-4.1
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated poppler package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 02 Jun 2026 19:08:52 +0200
Source: poppler
Architecture: source
Version: 26.01.0-4.1
Distribution: unstable
Urgency: medium
Maintainer: Debian freedesktop.org maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1138708
Changes:
poppler (26.01.0-4.1) unstable; urgency=medium
.
* Non-maintainer upload.
* SplashOutputDev: Fix integer overflow in tilingPatternFill (CVE-2026-10118)
(Closes: #1138708)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---