Your message dated Thu, 11 Jun 2026 20:48:38 +0000
with message-id <[email protected]>
and subject line Bug#1138708: fixed in poppler 22.12.0-2+deb12u2
has caused the Debian Bug report #1138708,
regarding poppler: CVE-2026-10118
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138708: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138708
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: poppler
Version: 26.01.0-4
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1715
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for poppler.

CVE-2026-10118[0]:
| A flaw was found in Poppler's Splash backend. A remote attacker
| could exploit this vulnerability by crafting a malicious PDF file
| that, when rendered, triggers an integer overflow in the
| `tilingPatternFill` function. This overflow leads to an undersized
| heap memory allocation, allowing a subsequent out-of-bounds write.
| Successful exploitation could result in arbitrary code execution,
| information disclosure, or denial of service within the context of
| the application processing the PDF.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-10118
    https://www.cve.org/CVERecord?id=CVE-2026-10118
[1] https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1715
[2] https://gitlab.freedesktop.org/poppler/poppler/-/commit/8352264766652b98336e92359a70b3161a9ab97a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: poppler
Source-Version: 22.12.0-2+deb12u2
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated poppler package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 06 Jun 2026 15:00:14 +0200
Source: poppler
Architecture: source
Version: 22.12.0-2+deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: Debian freedesktop.org maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1117046 1117853 1138708
Changes:
 poppler (22.12.0-2+deb12u2) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Make sure regex doesn't stack overflow by limiting it (CVE-2025-43718)
     (Closes: #1117046)
   * Check for duplicate entries (CVE-2025-52885) (Closes: #1117853)
   * SplashOutputDev: Fix integer overflow in tilingPatternFill (CVE-2026-10118)
     (Closes: #1138708)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
