Bug#1104287: bookworm-pu: package poppler/22.12.0-2+deb12u1
On Mon, Apr 28, 2025 at 12:52:50PM +0300, Adrian Bunk wrote: > Package: release.debian.org > Severity: normal > Tags: bookworm > User: release.debian@packages.debian.org > Usertags: pu > X-Debbugs-Cc: secur...@debian.org, Debian freedesktop.org maintainers > > > * CVE-2023-34872: OutlineItem::open crash on malformed files > * CVE-2024-56378: Out-of-bounds read in JBIG2Bitmap::combine > * CVE-2025-32364: Floating point exception in PSStack::roll > * CVE-2025-32365: Out-of-bounds read in JBIG2:Bitmap::combine Updated debdiff attached, the only change is the addition of closing bugs in the changelog. cu Adrian diffstat for poppler-22.12.0 poppler-22.12.0 changelog | 14 + patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch| 41 + patches/0002-JBIG2Bitmap-combine-Fix-crash-on-malformed-files.patch | 73 ++ patches/0003-PSStack-roll-Protect-against-doing-int-INT_MIN.patch | 25 +++ patches/0004-Move-isOk-check-to-inside-JBIG2Bitmap-combine.patch| 37 + patches/series |4 6 files changed, 194 insertions(+) diff -Nru poppler-22.12.0/debian/changelog poppler-22.12.0/debian/changelog --- poppler-22.12.0/debian/changelog2023-01-10 23:36:05.0 +0200 +++ poppler-22.12.0/debian/changelog2025-04-12 21:26:36.0 +0300 
@@ -1,3 +1,17 @@ +poppler (22.12.0-2+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * CVE-2023-34872: OutlineItem::open crash on malformed files +(Closes: #1042811) + * CVE-2024-56378: Out-of-bounds read in JBIG2Bitmap::combine +(Closes: #1091322) + * CVE-2025-32364: Floating point exception in PSStack::roll +(Closes: #1102190) + * CVE-2025-32365: Out-of-bounds read in JBIG2:Bitmap::combine +(Closes: #1102191) + + -- Adrian Bunk Sat, 12 Apr 2025 21:26:36 +0300 + poppler (22.12.0-2) unstable; urgency=medium * Team upload diff -Nru poppler-22.12.0/debian/patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch poppler-22.12.0/debian/patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch --- poppler-22.12.0/debian/patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch 1970-01-01 02:00:00.0 +0200 +++ poppler-22.12.0/debian/patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch 2025-04-12 21:24:57.0 +0300 
@@ -0,0 +1,41 @@ +From db4e10de064c6b8bddbcbcb042116c6d70ed1e35 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Wed, 17 May 2023 22:42:05 +0200 +Subject: OutlineItem::open: Fix crash on malformed files + +Fixes #1399 +--- + poppler/Outline.cc | 10 +++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/poppler/Outline.cc b/poppler/Outline.cc +index cbb6cb49..4c68be99 100644 +--- a/poppler/Outline.cc b/poppler/Outline.cc +@@ -14,7 +14,7 @@ + // under GPL version 2 or later + // + // Copyright (C) 2005 Marco Pesenti Gritti +-// Copyright (C) 2008, 2016-2019, 2021 Albert Astals Cid ++// Copyright (C) 2008, 2016-2019, 2021, 2023 Albert Astals Cid + // Copyright (C) 2009 Nick Jones + // Copyright (C) 2016 Jason Crain + // Copyright (C) 2017 Adrian Johnson +@@ -483,8 +483,12 @@ void OutlineItem::open() + { + if (!kids) { + Object itemDict = xref->fetch(ref); +-const Object &firstRef = itemDict.dictLookupNF("First"); +-kids = readItemList(this, &firstRef, xref, doc); ++if (itemDict.isDict()) { ++const Object &firstRef = itemDict.dictLookupNF("First"); ++kids = readItemList(this, &firstRef, xref, doc); ++} else { ++kids = new std::vector(); ++} + } + } + +-- +2.30.2 + diff -Nru poppler-22.12.0/debian/patches/0002-JBIG2Bitmap-combine-Fix-crash-on-malformed-files.patch poppler-22.12.0/debian/patches/0002-JBIG2Bitmap-combine-Fix-crash-on-malformed-files.patch --- poppler-22.12.0/debian/patches/0002-JBIG2Bitmap-combine-Fix-crash-on-malformed-files.patch 1970-01-01 02:00:00.0 +0200 +++ poppler-22.12.0/debian/patches/0002-JBIG2Bitmap-combine-Fix-crash-on-malformed-files.patch 2025-04-12 21:24:57.0 +0300 
@@ -0,0 +1,73 @@ +From 70ceae2d090bbc9935d938e9e1475bcd57781f5e Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Tue, 17 Dec 2024 18:59:01 +0100 +Subject: JBIG2Bitmap::combine: Fix crash on malformed files + +Fixes #1553 +--- + poppler/JBIG2Stream.cc | 15 +-- + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc +index 77ffeb28..bdc51d0d 100644 +--- a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc +@@ -765,7 +765,7 @@ void JBIG2Bitmap::duplicateRow(int yDest, int ySrc) + + void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp) + { +-int x0, x1, y0, y1, xx, yy; ++int x0, x1, y0, y1, xx, yy, yyy; + unsigned char *srcPtr, *de
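Review bot: In the debian/changelog hunk, the CVE-2025-32365 entry names the function as "JBIG2:Bitmap::combine" (single colon after JBIG2), while the CVE-2024-56378 entry two lines above and the subjects of patches 0002 and 0004 use "JBIG2Bitmap::combine". Both CVEs are out-of-bounds reads in the same function, so the changelog should spell it identically in both entries. Otherwise a search of the changelog for the function name finds only one of the two fixes.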
Bug#1104287: bookworm-pu: package poppler/22.12.0-2+deb12u1
On Monday, April 28, 2025 10:11:44 PM CEST Adrian Bunk wrote:
> > > On 28.04.25 at 20:25, Adrian Bunk wrote:
> > > you missed the last line I've added there earlier today:
> > >    Might cause regression:
> > >    https://bugzilla.suse.com/show_bug.cgi?id=1241620#c3
> >
> > Indeed I missed it. (Actually didn't look at the contents when I wrote the
> > mail, just looked up the URL) [1]
> >
> > But maybe the inkscape/poppler combo in bookworm breaks, didn't try...
> > Maybe the inkscape maintainer can help here.
>
> And who knows how likely "Not sure there is any other problem" is.
>
> I will not try to fix this CVE at this point in time, but this does not
> prevent other people from working on it if anyone disagrees.

While wearing my quite frequent upstream poppler contributor hat, there is no way the fix in the NSS backend signature validation code can do any regressions in inkscape.

Inkscape does not do any validation of signed documents, it doesn't call any validation related functions.

I guess suse isn't just backporting the quite trivial patch but rather bumping to a new poppler upstream version which comes with loads of changes to internal poppler api (that inkscape and others unfortunately use)

/Sune
 - probably the one who did most poppler code churn over the last couple of years

--
I didn’t stop pretending when I became an adult, it’s just that when I was a kid I was pretending that I fit into the rules and structures of this world. And now that I’m an adult, I pretend that those rules and structures exist.
 - zefrank
Bug#1104287: bookworm-pu: package poppler/22.12.0-2+deb12u1
On Mon, Apr 28, 2025 at 08:35:58PM +0200, Rene Engelhard wrote:
> [ CCing the inkscape maintainer, too ]
>
> Hi,

Hi Rene,

> On 28.04.25 at 20:25, Adrian Bunk wrote:
> > you missed the last line I've added there earlier today:
> >    Might cause regression:
> >    https://bugzilla.suse.com/show_bug.cgi?id=1241620#c3
>
> Indeed I missed it. (Actually didn't look at the contents when I wrote the
> mail, just looked up the URL) [1]
>
> Unfortunately the links there don't work, but "version update" makes me wary,
> as applying a security patch is not really a "version update". Or it's just
> badly formulated.

I know as much as you know about that entry.

> TTBOMK inkscape didn't regress with
> https://tracker.debian.org/ews/1640383/accepted-poppler-25030-4-source-into-unstable/
> (did it? at least no inkscape update since then)...
>
> Poppler version updates break all the time, indeed.
>
> But maybe the inkscape/poppler combo in bookworm breaks, didn't try... Maybe
> the inkscape maintainer can help here.

And who knows how likely "Not sure there is any other problem" is.

I will not try to fix this CVE at this point in time, but this does not prevent other people from working on it if anyone disagrees.

> Regards,
>
> Rene

cu
Adrian
Bug#1104287: bookworm-pu: package poppler/22.12.0-2+deb12u1
On Mon, Apr 28, 2025 at 02:45:57PM -0400, Jeremy Bícha wrote:
> On Mon, Apr 28, 2025 at 2:39 PM Rene Engelhard wrote:
> > On 28.04.25 at 20:25, Adrian Bunk wrote:
> > > you missed the last line I've added there earlier today:
> > >    Might cause regression:
> > >    https://bugzilla.suse.com/show_bug.cgi?id=1241620#c3
> >
> > Indeed I missed it. (Actually didn't look at the contents when I wrote the
> > mail, just looked up the URL) [1]
> >
> > Unfortunately the links there don't work, but "version update" makes me
> > wary, as applying a security patch is not really a "version update". Or
> > it's just badly formulated.
> >
> > TTBOMK inkscape didn't regress with
> > https://tracker.debian.org/ews/1640383/accepted-poppler-25030-4-source-into-unstable/
> > (did it? at least no inkscape update since then)...
> >
> > Poppler version updates break all the time, indeed.
> >
> > But maybe the inkscape/poppler combo in bookworm breaks, didn't try...
> > Maybe the inkscape maintainer can help here.
>
> Adrian, could you be more verbose about what you think might be incompatible?

I don't know more than what is in the SUSE Bugzilla.

> Thank you,
> Jeremy Bícha

cu
Adrian
Bug#1104287: bookworm-pu: package poppler/22.12.0-2+deb12u1
On Mon, Apr 28, 2025 at 2:39 PM Rene Engelhard wrote:
> On 28.04.25 at 20:25, Adrian Bunk wrote:
> > you missed the last line I've added there earlier today:
> >    Might cause regression:
> >    https://bugzilla.suse.com/show_bug.cgi?id=1241620#c3
>
> Indeed I missed it. (Actually didn't look at the contents when I wrote the
> mail, just looked up the URL) [1]
>
> Unfortunately the links there don't work, but "version update" makes me wary,
> as applying a security patch is not really a "version update". Or it's just
> badly formulated.
>
> TTBOMK inkscape didn't regress with
> https://tracker.debian.org/ews/1640383/accepted-poppler-25030-4-source-into-unstable/
> (did it? at least no inkscape update since then)...
>
> Poppler version updates break all the time, indeed.
>
> But maybe the inkscape/poppler combo in bookworm breaks, didn't try... Maybe
> the inkscape maintainer can help here.

Adrian, could you be more verbose about what you think might be incompatible?

Thank you,
Jeremy Bícha
Bug#1104287: bookworm-pu: package poppler/22.12.0-2+deb12u1
[ CCing the inkscape maintainer, too ]

Hi,

On 28.04.25 at 20:25, Adrian Bunk wrote:
> you missed the last line I've added there earlier today:
>    Might cause regression:
>    https://bugzilla.suse.com/show_bug.cgi?id=1241620#c3

Indeed I missed it. (Actually didn't look at the contents when I wrote the mail, just looked up the URL) [1]

Unfortunately the links there don't work, but "version update" makes me wary, as applying a security patch is not really a "version update". Or it's just badly formulated.

TTBOMK inkscape didn't regress with https://tracker.debian.org/ews/1640383/accepted-poppler-25030-4-source-into-unstable/ (did it? at least no inkscape update since then)...

Poppler version updates break all the time, indeed.

But maybe the inkscape/poppler combo in bookworm breaks, didn't try... Maybe the inkscape maintainer can help here.

Regards,

Rene
Bug#1104287: bookworm-pu: package poppler/22.12.0-2+deb12u1
On Mon, Apr 28, 2025 at 06:47:27PM +0200, Rene Engelhard wrote:
> Hi,

Hi Rene,

> On 28.04.25 at 11:52, Adrian Bunk wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: bookworm
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > X-Debbugs-Cc: secur...@debian.org, Debian freedesktop.org maintainers
> >
> >    * CVE-2023-34872: OutlineItem::open crash on malformed files
> >    * CVE-2024-56378: Out-of-bounds read in JBIG2Bitmap::combine
> >    * CVE-2025-32364: Floating point exception in PSStack::roll
> >    * CVE-2025-32365: Out-of-bounds read in JBIG2:Bitmap::combine
>
> What about https://security-tracker.debian.org/tracker/CVE-2025-43903
> ("NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the
> adbe.pkcs7.sha1 signatures on documents, resulting in potential signature
> forgeries."). If one is at it for bookworm anyway..

you missed the last line I've added there earlier today:
   Might cause regression:
   https://bugzilla.suse.com/show_bug.cgi?id=1241620#c3

> Regards,
>
> Rene

cu
Adrian
Bug#1104287: bookworm-pu: package poppler/22.12.0-2+deb12u1
Hi,

On 28.04.25 at 11:52, Adrian Bunk wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: secur...@debian.org, Debian freedesktop.org maintainers
>
>    * CVE-2023-34872: OutlineItem::open crash on malformed files
>    * CVE-2024-56378: Out-of-bounds read in JBIG2Bitmap::combine
>    * CVE-2025-32364: Floating point exception in PSStack::roll
>    * CVE-2025-32365: Out-of-bounds read in JBIG2:Bitmap::combine

What about https://security-tracker.debian.org/tracker/CVE-2025-43903 ("NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries."). If one is at it for bookworm anyway..

Regards,

Rene
Bug#1104287: bookworm-pu: package poppler/22.12.0-2+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: secur...@debian.org, Debian freedesktop.org maintainers * CVE-2023-34872: OutlineItem::open crash on malformed files * CVE-2024-56378: Out-of-bounds read in JBIG2Bitmap::combine * CVE-2025-32364: Floating point exception in PSStack::roll * CVE-2025-32365: Out-of-bounds read in JBIG2:Bitmap::combine diffstat for poppler-22.12.0 poppler-22.12.0 changelog | 10 + patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch| 41 + patches/0002-JBIG2Bitmap-combine-Fix-crash-on-malformed-files.patch | 73 ++ patches/0003-PSStack-roll-Protect-against-doing-int-INT_MIN.patch | 25 +++ patches/0004-Move-isOk-check-to-inside-JBIG2Bitmap-combine.patch| 37 + patches/series |4 6 files changed, 190 insertions(+) diff -Nru poppler-22.12.0/debian/changelog poppler-22.12.0/debian/changelog --- poppler-22.12.0/debian/changelog2023-01-10 23:36:05.0 +0200 +++ poppler-22.12.0/debian/changelog2025-04-12 21:26:36.0 +0300 @@ -1,3 +1,13 @@ +poppler (22.12.0-2+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * CVE-2023-34872: OutlineItem::open crash on malformed files + * CVE-2024-56378: Out-of-bounds read in JBIG2Bitmap::combine + * CVE-2025-32364: Floating point exception in PSStack::roll + * CVE-2025-32365: Out-of-bounds read in JBIG2:Bitmap::combine + + -- Adrian Bunk Sat, 12 Apr 2025 21:26:36 +0300 + poppler (22.12.0-2) unstable; urgency=medium * Team upload diff -Nru poppler-22.12.0/debian/patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch poppler-22.12.0/debian/patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch --- poppler-22.12.0/debian/patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch 1970-01-01 02:00:00.0 +0200 +++ poppler-22.12.0/debian/patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch 2025-04-12 21:24:57.0 +0300 
@@ -0,0 +1,41 @@ +From db4e10de064c6b8bddbcbcb042116c6d70ed1e35 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Wed, 17 May 2023 22:42:05 +0200 +Subject: OutlineItem::open: Fix crash on malformed files + +Fixes #1399 +--- + poppler/Outline.cc | 10 +++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/poppler/Outline.cc b/poppler/Outline.cc +index cbb6cb49..4c68be99 100644 +--- a/poppler/Outline.cc b/poppler/Outline.cc +@@ -14,7 +14,7 @@ + // under GPL version 2 or later + // + // Copyright (C) 2005 Marco Pesenti Gritti +-// Copyright (C) 2008, 2016-2019, 2021 Albert Astals Cid ++// Copyright (C) 2008, 2016-2019, 2021, 2023 Albert Astals Cid + // Copyright (C) 2009 Nick Jones + // Copyright (C) 2016 Jason Crain + // Copyright (C) 2017 Adrian Johnson +@@ -483,8 +483,12 @@ void OutlineItem::open() + { + if (!kids) { + Object itemDict = xref->fetch(ref); +-const Object &firstRef = itemDict.dictLookupNF("First"); +-kids = readItemList(this, &firstRef, xref, doc); ++if (itemDict.isDict()) { ++const Object &firstRef = itemDict.dictLookupNF("First"); ++kids = readItemList(this, &firstRef, xref, doc); ++} else { ++kids = new std::vector(); ++} + } + } + +-- +2.30.2 + diff -Nru poppler-22.12.0/debian/patches/0002-JBIG2Bitmap-combine-Fix-crash-on-malformed-files.patch poppler-22.12.0/debian/patches/0002-JBIG2Bitmap-combine-Fix-crash-on-malformed-files.patch --- poppler-22.12.0/debian/patches/0002-JBIG2Bitmap-combine-Fix-crash-on-malformed-files.patch 1970-01-01 02:00:00.0 +0200 +++ poppler-22.12.0/debian/patches/0002-JBIG2Bitmap-combine-Fix-crash-on-malformed-files.patch 2025-04-12 21:24:57.0 +0300 
@@ -0,0 +1,73 @@ +From 70ceae2d090bbc9935d938e9e1475bcd57781f5e Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Tue, 17 Dec 2024 18:59:01 +0100 +Subject: JBIG2Bitmap::combine: Fix crash on malformed files + +Fixes #1553 +--- + poppler/JBIG2Stream.cc | 15 +-- + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc +index 77ffeb28..bdc51d0d 100644 +--- a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc +@@ -765,7 +765,7 @@ void JBIG2Bitmap::duplicateRow(int yDest, int ySrc) + + void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp) + { +-int x0, x1, y0, y1, xx, yy; ++int x0, x1, y0, y1, xx, yy, yyy; + unsigned char *srcPtr, *destPtr; + unsigned int src0, src1, src, dest, s1, s2, m1, m2, m3; + bool oneByte; +@@ -812,14 +812,17 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp + oneByte = x0 == ((x1 - 1) & ~7); + + for (yy = y0; yy < y1; ++yy) { +-if
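Review bot: The headers of patches 0001 and 0002 document their origin only as "Fixes #1399" and "Fixes #1553", with no tracker named. Inside a Debian source package a bare "#NNNN" reads like a Debian BTS number, and this changelog hunk carries no bug references to disambiguate it. Add DEP-3 "Origin:" and "Bug:" fields to each patch header pointing at the upstream commit (the hashes are already in the "From" lines) and the upstream issue, so that a later security review can match each CVE to the exact upstream change without guessing.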