CVE-2025-52885

Sync changes to SLFO-1.2 branch
2025-10-14 14:19:39 +02:00 · 2025-08-20 10:45:03 +02:00
10 changed files with 123 additions and 90 deletions
--- a/poppler-25.04.0.tar.xz
+++ b/poppler-25.04.0.tar.xz
--- a/poppler-25.04.0.tar.xz.sig
+++ b/poppler-25.04.0.tar.xz.sig
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEyiYsbIPeTS+yijMqOmpNuDnqptcFAmfsaScACgkQOmpNuDnq
+ptesAg/+N5CZL+UnoPHVEcnM8L5pej/mKlSUkp9QAeqZgDnSerrMdVVDJz9O7BOl
+eQRv8Fhy3OArKx2L8zl8t1tY/GiCvjbQQoOG7sgqTGQBFZjA5ZqLPVO3tc316rH2
+qsH6vInUJ0xUff9JHEvjx56UcmrFpNYiSBkt55tS/3xo8TN/gat0pX/ZuKggDhw+
+kPtpBbeqfu4Cah12buU8aRa77qZfdBhQP+FcgqLFN8Edt8Poqs25T6PHqMHffPqO
+kHddHBMm1zVptlVHwlu97nFdhX8UEexHmQX2EszBJf6GkNpppC1NCMbNEY+BOs+r
+vDSBYz7oc200fbqmylBYg71N9e0fo/qBnxd1BKd7lxLgF326qA5DqylCFmggFyWg
+gzDGq8UGkx9ZylfyBqiDq3fUom+k8dIXvvaeta+5cW2KxtEhSInTeH0l0wAyDBdj
+hDz8obuffzkZ6zeS+b6MKc8XDUwCVdwCqHG6BTQMkxAyIfr2azVIyrpWd5kMwlik
+hMeKu7t7W0Xnr6z7tQZW7E3zbouizugk//b1kM3ZEuG74OqxIdgq+VM3NWSGjiz+
+Fvrb5R+K0gtZnume8d+t8b2SVcMH2eXWSk6V3DBHKXdq8BEV+E1FvrOqPt1i6LJI
+ooSsI8XEZqTzrOwlP/2/n6JhjhoG5Sc46ON4Py0skGnnpECkr64=
+=MmPd
+-----END PGP SIGNATURE-----
--- a/poppler-25.08.0.tar.xz
+++ b/poppler-25.08.0.tar.xz
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:425ed4d4515a093bdcdbbaac6876f20617451edc710df6a4fd6c45dd67eb418d
-size 1975316
--- a/poppler-25.08.0.tar.xz.sig
+++ b/poppler-25.08.0.tar.xz.sig
@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEyiYsbIPeTS+yijMqOmpNuDnqptcFAmiPlqMACgkQOmpNuDnq
-pteR9xAAmaaN4eJjIh5lMZufOQGFTcyCd8261lpC7GS3zuKhUU5pJ4JgM9P11QDG
-vbdP8CyQtwypx4gwTk8E9AYab2yaerOInJhOfxPqM6g62Ci8FbdZai2cS4FxbYiW
-ZVi1aVOeXAuY0O3Ff5sXRD1pV8sNVINLXtuNVD0C6JVP5fdXKOAL2dX2CsCC5cjN
-GtLhs9ibiX8zyPjTgOS7Hg//iGiXuUjY+IC/W6vnaU/97pf7qhDm7CstqAaUO447
-0fJkMZSeVwdSUmcHpW4F5Om3PiAY+9DRs8SlonaMrdHruBV67f03xU2ZAnJQ4615
-JpJG5iYADCNZ9QjQgtZZ2d5pkyHWfPyjjfjjFnRnfvGYWQJZsLV1bcXNo+NvjCAK
-DTnyLPp15NKXighBXGKB5ffa4hPbhiC+WpQ++2k83bkELlIrFw61xib2L4CpNCl4
-ZcJ0kNBmgKMmS4dIyu2FB5a2BJMGY8JUvdo834U167ne8ZrdlTFIXWsF/sScIVhs
-3u7xuLuhpOEXIBApH7riicX87utjPNv56c9tEn2YqRf6VxgyYjX7Yn1rQSvN39sW
-PdA1Wx6dkB9sXkoePniC6C6rEbrSen37TalWGR7MwGzrPxAx2VQGr7xrl7CiZ7zf
-hDaNn7/NMiLOV/MfyJ1gppxXN5t9vbaPcrwPmfyUTaa+4HwBVs8=
-=6g5w
-----END PGP SIGNATURE-----
--- a/poppler-CVE-2025-52885.patch
+++ b/poppler-CVE-2025-52885.patch
@@ -0,0 +1,27 @@
+From 4ce27cc826bf90cc8dbbd8a8c87bd913cccd7ec0 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Wed, 3 Sep 2025 14:36:54 +0100
+Subject: [PATCH] Check for duplicate entries
+
+---
+ poppler/StructTreeRoot.cc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/poppler/StructTreeRoot.cc b/poppler/StructTreeRoot.cc
+index eb46147bd1..fc7bf4ceb0 100644
+--- a/poppler/StructTreeRoot.cc
+++ b/poppler/StructTreeRoot.cc
+@@ -136,6 +136,10 @@ void StructTreeRoot::parseNumberTreeNode(const Dict &node)
+                 }
+                 int keyVal = key.getInt();
+                 std::vector<Parent> &vec = parentTree[keyVal];
+                if (!vec.empty()) {
+                    error(errSyntaxError, -1, "Nums item at position {0:d} is a duplicate entry for key {1:d}", i, keyVal);
+                    continue;
+                }
+ 
+                 Object valueArray = nums.arrayGet(i + 1);
+                 if (valueArray.isArray()) {
+-- 
+GitLab
+
--- a/poppler-CVE-2025-52886.patch
+++ b/poppler-CVE-2025-52886.patch
@@ -0,0 +1,52 @@
+From ac36affcc8486de38e8905a8d6547a3464ff46e5 Mon Sep 17 00:00:00 2001
+From: Sune Vuorela <sune@vuorela.dk>
+Date: Tue, 3 Jun 2025 00:35:19 +0200
+Subject: [PATCH] Limit ammount of annots per document/page
+
+---
+ poppler/Annot.cc |  4 ++++
+ poppler/Page.cc  | 16 ++++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+Index: poppler-25.04.0/poppler/Annot.cc
+===================================================================
+--- poppler-25.04.0.orig/poppler/Annot.cc
+++ poppler-25.04.0/poppler/Annot.cc
+@@ -1674,6 +1674,10 @@ void Annot::removeReferencedObjects()
+ 
+ void Annot::incRefCnt()
+ {
+    if (refCnt > 100000) {
+      error(errSyntaxError, -1, "Annotations likely malformed. Too many references. Stopping processing annots on page {0:d}", page);
+      return;
+    }
+     refCnt++;
+ }
+ 
+Index: poppler-25.04.0/poppler/Page.cc
+===================================================================
+--- poppler-25.04.0.orig/poppler/Page.cc
+++ poppler-25.04.0/poppler/Page.cc
+@@ -297,6 +297,22 @@ Page::Page(PDFDoc *docA, int numA, Objec
+         goto err2;
+     }
+ 
+    if (annotsObj.isArray() && annotsObj.arrayGetLength() > 10000) {
+        error(errSyntaxError, -1, "Page annotations object (page {0:d}) is likely malformed. Too big: ({1:d})", num, annotsObj.arrayGetLength());
+        goto err2;
+    }
+    if (annotsObj.isRef()) {
+        auto resolvedObj = getAnnotsObject();
+        if (resolvedObj.isArray() && resolvedObj.arrayGetLength() > 10000) {
+            error(errSyntaxError, -1, "Page annotations object (page {0:d}) is likely malformed. Too big: ({1:d})", num, resolvedObj.arrayGetLength());
+            goto err2;
+        }
+        if (!resolvedObj.isArray() && !resolvedObj.isNull()) {
+            error(errSyntaxError, -1, "Page annotations object (page {0:d}) is wrong type ({1:s})", num, resolvedObj.getTypeName());
+            goto err2;
+        }
+    }
+
+     // contents
+     contents = pageObj.dictLookupNF("Contents").copy();
+     if (!(contents.isRef() || contents.isArray() || contents.isNull())) {
--- a/poppler.changes
+++ b/poppler.changes
@@ -1,64 +1,18 @@
 -------------------------------------------------------------------
-Tue Aug  5 09:57:10 UTC 2025 - pgajdos@suse.com
+Tue Oct 14 09:33:22 UTC 2025 - pgajdos@suse.com

- version update to 25.08.0
-  + core:
-     * FormWidgetSignature::signDocumentWithAppearance: add imagePath parameter
-     * Fix parsing Distinguished Names that end with a hex string
-     * Fix crashes in malformed documents
-  + glib:
-     * Add poppler_page_render_transparent_selection()
-     * Add missing since to the documentation
- fixes CVE-2025-50420 [bsc#1247590]
+- security update
+- added patches
+  CVE-2025-52885 [bsc#1251940], raw pointers can lead to dangling pointers when the vector is resized
+  * poppler-CVE-2025-52885.patch

 -------------------------------------------------------------------
-Fri Jul 25 12:06:57 UTC 2025 - Antonio Larrosa <alarrosa@suse.com>
+Fri Jul  4 14:09:05 UTC 2025 - pgajdos@suse.com

- Do not build the qt5 flavor in SLE16.
-
-------------------------------------------------------------------
-Thu Jul 10 09:06:55 UTC 2025 - Bjørn Lie <bjorn.lie@gmail.com>
-
- Update to version 25.07.0:
-  + core:
-    - Changed rendering of malformed documents to mimic what Adobe
-      Reader does
-    - Improvemenst in signature validation in the NSS backend
-    - Add more detailed output when signing fails
-    - Internal code improvements
-    - Fix crashes in malformed documents
-  + utils: pdfsig: command line option for allowing PGP signatures
-    in GnuPG backend
- Bump sover following upstream changes.
-
-------------------------------------------------------------------
-Thu Jul  3 08:46:24 UTC 2025 - pgajdos@suse.com
-
- version update to 25.06.0 [bsc#1245625] (CVE-2025-52886)
-  Release 25.06.0:
-    core:
-     * Fix writing dates back to file
-     * Internal code improvements
-     * Fix crashes in malformed documents
-    glib:
-     * Add the ink annotation type
-     * Add missing autopointers definitions
-    utils:
-     * pdfsig: Add assert-signer feature
-     * pdfsig: Return error code on error
-  Release 25.05.0:
-    core:
-     * Fix re-fetching after xref reconstruction. Issue #1584
-     * Fix compilation with ENABLE_ZLIB_UNCOMPRESS=ON
-     * Various annotation improvements. Issues #642, #1558, #1055
-     * CairoFontEngine: invalidate broken embedded fonts. Issue #1453
-     * Splash: Performance improvements
-     * Internal code improvements
-    glib:
-     * Small signature improvements
- modified patches
-  % reduce-boost-required-version.patch (refreshed)
-  % reduce-libtiff-required-version.patch (refreshed)
+- security update
+- added patches
+  CVE-2025-52886 [bsc#1245625], use of 32-bit `std::atomic_int` for reference counting can lead to an integer overflow and trigger a use-after-free
+  + poppler-CVE-2025-52886.patch

 -------------------------------------------------------------------
 Mon Apr  7 10:46:03 UTC 2025 - pgajdos@suse.com
--- a/poppler.spec
+++ b/poppler.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package poppler
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
 %endif
 # Actual version of poppler-data:
 %define poppler_data_version 0.4.11
-%define poppler_sover 152
+%define poppler_sover 148
 %define poppler_cpp_sover 2
 %define poppler_glib_sover 8
 %define poppler_qt5_sover 1
@@ -32,7 +32,7 @@
 %define poppler_api 0.18
 %define poppler_apipkg 0_18
 Name:           poppler%{?psuffix}
-Version:        25.08.0
+Version:        25.04.0
 Release:        0
 Summary:        PDF Rendering Library
 License:        GPL-2.0-only OR GPL-3.0-only
@@ -44,6 +44,10 @@ Source90:       poppler.keyring
 Source99:       baselibs.conf
 Patch0:         reduce-boost-required-version.patch
 Patch1:         reduce-libtiff-required-version.patch
+# CVE-2025-52886 [bsc#1245625], use of 32-bit `std::atomic_int` for reference counting can lead to an integer overflow and trigger a use-after-free
+Patch2:         poppler-CVE-2025-52886.patch
+# CVE-2025-52885 [bsc#1251940], raw pointers can lead to dangling pointers when the vector is resized
+Patch3:         poppler-CVE-2025-52885.patch

 BuildRequires:  cmake >= 3.10
 BuildRequires:  gtk-doc
@@ -85,10 +89,6 @@ BuildRequires:  extra-cmake-modules
 %if "%{flavor}" == "qt6" && (0%{?suse_version} <= 1500 && 0%{?sle_version} <= 150300)
 ExclusiveArch:  do_not_build
 %endif
-# Don't build poppler-qt5 on SLE16
-%if "%{flavor}" == "qt5" && (0%{suse_version} == 1600 && ! 0%{?is_opensuse})
-ExclusiveArch:  do_not_build
-%endif
 %if "%{flavor}" == "qt5"
 BuildRequires:  pkgconfig(Qt5Core) >= 5.9
 BuildRequires:  pkgconfig(Qt5Gui)
--- a/reduce-boost-required-version.patch
+++ b/reduce-boost-required-version.patch
@@ -1,8 +1,8 @@
-Index: poppler-25.06.0/CMakeLists.txt
+Index: poppler-24.12.0/CMakeLists.txt
 ===================================================================
--- poppler-25.06.0.orig/CMakeLists.txt
-+++ poppler-25.06.0/CMakeLists.txt
-@@ -232,7 +232,7 @@ add_definitions(-DQT_NO_KEYWORDS)
+--- poppler-24.12.0.orig/CMakeLists.txt
+++ poppler-24.12.0/CMakeLists.txt
+@@ -227,7 +227,7 @@ find_soft_mandatory_package(ENABLE_QT6 Q
 # Check for Cairo rendering backend
 macro_optional_find_package(Cairo ${CAIRO_VERSION})
 
--- a/reduce-libtiff-required-version.patch
+++ b/reduce-libtiff-required-version.patch
@@ -1,8 +1,8 @@
-Index: poppler-25.06.0/CMakeLists.txt
+Index: poppler-24.12.0/CMakeLists.txt
 ===================================================================
--- poppler-25.06.0.orig/CMakeLists.txt
-+++ poppler-25.06.0/CMakeLists.txt
-@@ -169,7 +169,7 @@ endmacro()
+--- poppler-24.12.0.orig/CMakeLists.txt
+++ poppler-24.12.0/CMakeLists.txt
+@@ -168,7 +168,7 @@ endmacro()
 
 find_soft_mandatory_package(ENABLE_NSS3 NSS3 3.68)
 find_soft_mandatory_package(ENABLE_GPGME Gpgmepp 1.19)
Author	SHA256	Message	Date
Petr Gajdos	fec2b196a6	CVE-2025-52885	2025-10-14 14:19:39 +02:00
Adrian Schröter	ae9d84a8ba	Sync changes to SLFO-1.2 branch	2025-08-20 10:45:03 +02:00