pool/poppler
SHA256
19
0
Fork 2
Code Issues Pull Requests Activity

Compare commits

merge into: pool:factory
Branches Tags
pool:factory pool:slfo-main pool:slfo-1.2
...
pull from: pool:slfo-main
Branches Tags
pool:factory pool:slfo-main pool:slfo-1.2

3 Commits
factory ... slfo-main

Author SHA256 Message Date
Petr Gajdos
141f1b63c6 - security update 2025-12-08 14:26:11 +01:00
Petr Gajdos
63f0774fd1 CVE-2025-50420 and CVE-2025-52885 2025-10-20 15:49:35 +02:00
Adrian Schröter
ae9d84a8ba Sync changes to SLFO-1.2 branch 2025-08-20 10:45:03 +02:00
12 changed files with 269 additions and 84 deletions
Expand all files Collapse all files

BIN
poppler-25.04.0.tar.xz LFS Normal file
View File

Binary file not shown.

16
poppler-25.04.0.tar.xz.sig Normal file
View File

@@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEyiYsbIPeTS+yijMqOmpNuDnqptcFAmfsaScACgkQOmpNuDnq
ptesAg/+N5CZL+UnoPHVEcnM8L5pej/mKlSUkp9QAeqZgDnSerrMdVVDJz9O7BOl
eQRv8Fhy3OArKx2L8zl8t1tY/GiCvjbQQoOG7sgqTGQBFZjA5ZqLPVO3tc316rH2
qsH6vInUJ0xUff9JHEvjx56UcmrFpNYiSBkt55tS/3xo8TN/gat0pX/ZuKggDhw+
kPtpBbeqfu4Cah12buU8aRa77qZfdBhQP+FcgqLFN8Edt8Poqs25T6PHqMHffPqO
kHddHBMm1zVptlVHwlu97nFdhX8UEexHmQX2EszBJf6GkNpppC1NCMbNEY+BOs+r
vDSBYz7oc200fbqmylBYg71N9e0fo/qBnxd1BKd7lxLgF326qA5DqylCFmggFyWg
gzDGq8UGkx9ZylfyBqiDq3fUom+k8dIXvvaeta+5cW2KxtEhSInTeH0l0wAyDBdj
hDz8obuffzkZ6zeS+b6MKc8XDUwCVdwCqHG6BTQMkxAyIfr2azVIyrpWd5kMwlik
hMeKu7t7W0Xnr6z7tQZW7E3zbouizugk//b1kM3ZEuG74OqxIdgq+VM3NWSGjiz+
Fvrb5R+K0gtZnume8d+t8b2SVcMH2eXWSk6V3DBHKXdq8BEV+E1FvrOqPt1i6LJI
ooSsI8XEZqTzrOwlP/2/n6JhjhoG5Sc46ON4Py0skGnnpECkr64=
=MmPd
-----END PGP SIGNATURE-----

3
poppler-25.08.0.tar.xz
View File

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:425ed4d4515a093bdcdbbaac6876f20617451edc710df6a4fd6c45dd67eb418d
size 1975316

16
poppler-25.08.0.tar.xz.sig
View File

@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEyiYsbIPeTS+yijMqOmpNuDnqptcFAmiPlqMACgkQOmpNuDnq
pteR9xAAmaaN4eJjIh5lMZufOQGFTcyCd8261lpC7GS3zuKhUU5pJ4JgM9P11QDG
vbdP8CyQtwypx4gwTk8E9AYab2yaerOInJhOfxPqM6g62Ci8FbdZai2cS4FxbYiW
ZVi1aVOeXAuY0O3Ff5sXRD1pV8sNVINLXtuNVD0C6JVP5fdXKOAL2dX2CsCC5cjN
GtLhs9ibiX8zyPjTgOS7Hg//iGiXuUjY+IC/W6vnaU/97pf7qhDm7CstqAaUO447
0fJkMZSeVwdSUmcHpW4F5Om3PiAY+9DRs8SlonaMrdHruBV67f03xU2ZAnJQ4615
JpJG5iYADCNZ9QjQgtZZ2d5pkyHWfPyjjfjjFnRnfvGYWQJZsLV1bcXNo+NvjCAK
DTnyLPp15NKXighBXGKB5ffa4hPbhiC+WpQ++2k83bkELlIrFw61xib2L4CpNCl4
ZcJ0kNBmgKMmS4dIyu2FB5a2BJMGY8JUvdo834U167ne8ZrdlTFIXWsF/sScIVhs
3u7xuLuhpOEXIBApH7riicX87utjPNv56c9tEn2YqRf6VxgyYjX7Yn1rQSvN39sW
PdA1Wx6dkB9sXkoePniC6C6rEbrSen37TalWGR7MwGzrPxAx2VQGr7xrl7CiZ7zf
hDaNn7/NMiLOV/MfyJ1gppxXN5t9vbaPcrwPmfyUTaa+4HwBVs8=
=6g5w
-----END PGP SIGNATURE-----

104
poppler-CVE-2025-11896.patch Normal file
View File

@@ -0,0 +1,104 @@
From 998c6a79571af968ba90af57a0c5dcbb5a53763c Mon Sep 17 00:00:00 2001
From: Sune Vuorela <sune@vuorela.dk>
Date: Mon, 13 Oct 2025 15:13:14 +0200
Subject: [PATCH] Limit recursion in cmap parsing
fixes #1632
---
poppler/CMap.cc | 18 +++++++++++-------
poppler/CMap.h | 13 +++++++------
2 files changed, 18 insertions(+), 13 deletions(-)
Index: poppler-25.04.0/poppler/CMap.cc
===================================================================
--- poppler-25.04.0.orig/poppler/CMap.cc
+++ poppler-25.04.0/poppler/CMap.cc
@@ -66,7 +66,7 @@ static int getCharFromStream(void *data)
//------------------------------------------------------------------------
-std::shared_ptr<CMap> CMap::parse(CMapCache *cache, const GooString &collectionA, Object *obj)
+std::shared_ptr<CMap> CMap::parse(CMapCache *cache, const GooString &collectionA, Object *obj, const std::shared_ptr<RefRecursionChecker> &recursion)
{
std::shared_ptr<CMap> cMap;
@@ -76,7 +76,7 @@ std::shared_ptr<CMap> CMap::parse(CMapCa
error(errSyntaxError, -1, "Unknown CMap '{0:t}' for character collection '{1:t}'", &cMapNameA, &collectionA);
}
} else if (obj->isStream()) {
- if (!(cMap = CMap::parse(nullptr, collectionA, obj->getStream()))) {
+ if (!(cMap = CMap::parse(nullptr, collectionA, obj->getStream(), recursion))) {
error(errSyntaxError, -1, "Invalid CMap in Type 0 font");
}
} else {
@@ -112,12 +112,16 @@ std::shared_ptr<CMap> CMap::parse(CMapCa
return cMap;
}
-std::shared_ptr<CMap> CMap::parse(CMapCache *cache, const GooString &collectionA, Stream *str)
+std::shared_ptr<CMap> CMap::parse(CMapCache *cache, const GooString &collectionA, Stream *str, const std::shared_ptr<RefRecursionChecker> &recursion)
{
auto cMap = std::shared_ptr<CMap>(new CMap(collectionA.copy(), nullptr));
- Object obj1 = str->getDict()->lookup("UseCMap");
+ Ref ref;
+ Object obj1 = str->getDict()->lookup("UseCMap", &ref);
+ if (!recursion->insert(ref)) {
+ return nullptr;
+ }
if (!obj1.isNull()) {
- cMap->useCMap(cache, &obj1);
+ cMap->useCMap(cache, &obj1, recursion);
}
if (str->reset()) {
@@ -233,9 +237,9 @@ void CMap::useCMap(CMapCache *cache, con
}
}
-void CMap::useCMap(CMapCache *cache, Object *obj)
+void CMap::useCMap(CMapCache *cache, Object *obj, const std::shared_ptr<RefRecursionChecker> &recursion)
{
- std::shared_ptr<CMap> subCMap = CMap::parse(cache, *collection, obj);
+ std::shared_ptr<CMap> subCMap = CMap::parse(cache, *collection, obj, recursion);
if (!subCMap) {
return;
}
Index: poppler-25.04.0/poppler/CMap.h
===================================================================
--- poppler-25.04.0.orig/poppler/CMap.h
+++ poppler-25.04.0/poppler/CMap.h
@@ -30,6 +30,7 @@
#include <atomic>
#include <memory>
+#include "Object.h"
#include "poppler-config.h"
#include "CharTypes.h"
@@ -46,7 +47,7 @@ class CMap
public:
// Parse a CMap from <obj>, which can be a name or a stream. Sets
// the initial reference count to 1. Returns NULL on failure.
- static std::shared_ptr<CMap> parse(CMapCache *cache, const GooString &collectionA, Object *obj);
+ static std::shared_ptr<CMap> parse(CMapCache *cache, const GooString &collectionA, Object *obj, const std::shared_ptr<RefRecursionChecker> &recursion = std::make_shared<RefRecursionChecker>());
// Create the CMap specified by <collection> and <cMapName>. Sets
// the initial reference count to 1. Returns NULL on failure.
@@ -54,7 +55,7 @@ public:
// Parse a CMap from <str>. Sets the initial reference count to 1.
// Returns NULL on failure.
- static std::shared_ptr<CMap> parse(CMapCache *cache, const GooString &collectionA, Stream *str);
+ static std::shared_ptr<CMap> parse(CMapCache *cache, const GooString &collectionA, Stream *str, const std::shared_ptr<RefRecursionChecker> &recursion);
~CMap();
@@ -85,7 +86,7 @@ private:
CMap(std::unique_ptr<GooString> &&collectionA, std::unique_ptr<GooString> &&cMapNameA);
CMap(std::unique_ptr<GooString> &&collectionA, std::unique_ptr<GooString> &&cMapNameA, int wModeA);
void useCMap(CMapCache *cache, const char *useName);
- void useCMap(CMapCache *cache, Object *obj);
+ void useCMap(CMapCache *cache, Object *obj, const std::shared_ptr<RefRecursionChecker> &recursion);
void copyVector(CMapVectorEntry *dest, CMapVectorEntry *src);
void addCIDs(unsigned int start, unsigned int end, unsigned int nBytes, CID firstCID);
void freeCMapVector(CMapVectorEntry *vec);

31
poppler-CVE-2025-50420.patch Normal file
View File

@@ -0,0 +1,31 @@
From 08d7894e4dd0e313c179e30f06ad8f546619b1b3 Mon Sep 17 00:00:00 2001
From: Sune Vuorela <sune@vuorela.dk>
Date: Tue, 29 Jul 2025 14:14:00 +0200
Subject: [PATCH] Fix crash in pdfseparate
Don't continue recursing in PDFDoc::mark* if things looks a bit weirder
than expected
---
poppler/PDFDoc.cc | 9 +++++++++
1 file changed, 9 insertions(+)
Index: poppler-25.04.0/poppler/PDFDoc.cc
===================================================================
--- poppler-25.04.0.orig/poppler/PDFDoc.cc
+++ poppler-25.04.0/poppler/PDFDoc.cc
@@ -1857,6 +1857,15 @@ bool PDFDoc::markAnnotations(Object *ann
if (obj1.isDict()) {
Dict *dict = obj1.getDict();
Object type = dict->lookup("Type");
+ if (type.isNull()) {
+ Object subType = dict->lookup("SubType");
+ // Type is optional, subtype is required
+ // If neither of them exists, something is probably
+ // weird here, so let us just skip this entry
+ if (subType.isNull()) {
+ continue;
+ }
+ }
if (type.isName() && strcmp(type.getName(), "Annot") == 0) {
const Object &obj2 = dict->lookupNF("P");
if (obj2.isRef()) {

24
poppler-CVE-2025-52885.patch Normal file
View File

@@ -0,0 +1,24 @@
From 4ce27cc826bf90cc8dbbd8a8c87bd913cccd7ec0 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Wed, 3 Sep 2025 14:36:54 +0100
Subject: [PATCH] Check for duplicate entries
---
poppler/StructTreeRoot.cc | 4 ++++
1 file changed, 4 insertions(+)
Index: poppler-25.04.0/poppler/StructTreeRoot.cc
===================================================================
--- poppler-25.04.0.orig/poppler/StructTreeRoot.cc
+++ poppler-25.04.0/poppler/StructTreeRoot.cc
@@ -137,6 +137,10 @@ void StructTreeRoot::parseNumberTreeNode
}
int keyVal = key.getInt();
std::vector<Parent> &vec = parentTree[keyVal];
+ if (!vec.empty()) {
+ error(errSyntaxError, -1, "Nums item at position {0:d} is a duplicate entry for key {1:d}", i, keyVal);
+ continue;
+ }
Object valueArray = nums.arrayGet(i + 1);
if (valueArray.isArray()) {

52
poppler-CVE-2025-52886.patch Normal file
View File

@@ -0,0 +1,52 @@
From ac36affcc8486de38e8905a8d6547a3464ff46e5 Mon Sep 17 00:00:00 2001
From: Sune Vuorela <sune@vuorela.dk>
Date: Tue, 3 Jun 2025 00:35:19 +0200
Subject: [PATCH] Limit ammount of annots per document/page
---
poppler/Annot.cc | 4 ++++
poppler/Page.cc | 16 ++++++++++++++++
2 files changed, 20 insertions(+)
Index: poppler-25.04.0/poppler/Annot.cc
===================================================================
--- poppler-25.04.0.orig/poppler/Annot.cc
+++ poppler-25.04.0/poppler/Annot.cc
@@ -1674,6 +1674,10 @@ void Annot::removeReferencedObjects()
void Annot::incRefCnt()
{
+ if (refCnt > 100000) {
+ error(errSyntaxError, -1, "Annotations likely malformed. Too many references. Stopping processing annots on page {0:d}", page);
+ return;
+ }
refCnt++;
}
Index: poppler-25.04.0/poppler/Page.cc
===================================================================
--- poppler-25.04.0.orig/poppler/Page.cc
+++ poppler-25.04.0/poppler/Page.cc
@@ -297,6 +297,22 @@ Page::Page(PDFDoc *docA, int numA, Objec
goto err2;
}
+ if (annotsObj.isArray() && annotsObj.arrayGetLength() > 10000) {
+ error(errSyntaxError, -1, "Page annotations object (page {0:d}) is likely malformed. Too big: ({1:d})", num, annotsObj.arrayGetLength());
+ goto err2;
+ }
+ if (annotsObj.isRef()) {
+ auto resolvedObj = getAnnotsObject();
+ if (resolvedObj.isArray() && resolvedObj.arrayGetLength() > 10000) {
+ error(errSyntaxError, -1, "Page annotations object (page {0:d}) is likely malformed. Too big: ({1:d})", num, resolvedObj.arrayGetLength());
+ goto err2;
+ }
+ if (!resolvedObj.isArray() && !resolvedObj.isNull()) {
+ error(errSyntaxError, -1, "Page annotations object (page {0:d}) is wrong type ({1:s})", num, resolvedObj.getTypeName());
+ goto err2;
+ }
+ }
+
// contents
contents = pageObj.dictLookupNF("Contents").copy();
if (!(contents.isRef() || contents.isArray() || contents.isNull())) {

70
poppler.changes
View File

@@ -1,64 +1,34 @@
-------------------------------------------------------------------
Tue Aug 5 09:57:10 UTC 2025 - pgajdos@suse.com
Mon Dec 8 13:25:40 UTC 2025 - Petr Gajdos <pgajdos@suse.com>
- version update to 25.08.0
+ core:
* FormWidgetSignature::signDocumentWithAppearance: add imagePath parameter
* Fix parsing Distinguished Names that end with a hex string
* Fix crashes in malformed documents
+ glib:
* Add poppler_page_render_transparent_selection()
* Add missing since to the documentation
- fixes CVE-2025-50420 [bsc#1247590]
- security update
- added patches
CVE-2025-11896 [bsc#1252337], infinite recursion leading to stack overflow due to object loop in PDF CMap
* poppler-CVE-2025-11896.patch
-------------------------------------------------------------------
Fri Jul 25 12:06:57 UTC 2025 - Antonio Larrosa <alarrosa@suse.com>
Tue Oct 14 09:48:10 UTC 2025 - pgajdos@suse.com
- Do not build the qt5 flavor in SLE16.
- security update
- added patches
CVE-2025-52885 [bsc#1251940], raw pointers can lead to dangling pointers when the vector is resized
* poppler-CVE-2025-52885.patch
-------------------------------------------------------------------
Thu Jul 10 09:06:55 UTC 2025 - Bjørn Lie <bjorn.lie@gmail.com>
Tue Aug 5 11:53:27 UTC 2025 - pgajdos@suse.com
- Update to version 25.07.0:
+ core:
- Changed rendering of malformed documents to mimic what Adobe
Reader does
- Improvemenst in signature validation in the NSS backend
- Add more detailed output when signing fails
- Internal code improvements
- Fix crashes in malformed documents
+ utils: pdfsig: command line option for allowing PGP signatures
in GnuPG backend
- Bump sover following upstream changes.
- security update
- added patches
CVE-2025-50420 [bsc#1247590], An issue in the pdfseparate utility of freedesktop poppler v25.04.0 allows attackers to cause an infinite recursion via supplying a crafted PDF file. This can lead to a Denial of Service (DoS).
+ poppler-CVE-2025-50420.patch
-------------------------------------------------------------------
Thu Jul 3 08:46:24 UTC 2025 - pgajdos@suse.com
Fri Jul 4 14:09:05 UTC 2025 - pgajdos@suse.com
- version update to 25.06.0 [bsc#1245625] (CVE-2025-52886)
Release 25.06.0:
core:
* Fix writing dates back to file
* Internal code improvements
* Fix crashes in malformed documents
glib:
* Add the ink annotation type
* Add missing autopointers definitions
utils:
* pdfsig: Add assert-signer feature
* pdfsig: Return error code on error
Release 25.05.0:
core:
* Fix re-fetching after xref reconstruction. Issue #1584
* Fix compilation with ENABLE_ZLIB_UNCOMPRESS=ON
* Various annotation improvements. Issues #642, #1558, #1055
* CairoFontEngine: invalidate broken embedded fonts. Issue #1453
* Splash: Performance improvements
* Internal code improvements
glib:
* Small signature improvements
- modified patches
% reduce-boost-required-version.patch (refreshed)
% reduce-libtiff-required-version.patch (refreshed)
- security update
- added patches
CVE-2025-52886 [bsc#1245625], use of 32-bit `std::atomic_int` for reference counting can lead to an integer overflow and trigger a use-after-free
+ poppler-CVE-2025-52886.patch
-------------------------------------------------------------------
Mon Apr 7 10:46:03 UTC 2025 - pgajdos@suse.com

18
poppler.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package poppler
#
# Copyright (c) 2025 SUSE LLC and contributors
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
%endif
# Actual version of poppler-data:
%define poppler_data_version 0.4.11
%define poppler_sover 152
%define poppler_sover 148
%define poppler_cpp_sover 2
%define poppler_glib_sover 8
%define poppler_qt5_sover 1
@@ -32,7 +32,7 @@
%define poppler_api 0.18
%define poppler_apipkg 0_18
Name: poppler%{?psuffix}
Version: 25.08.0
Version: 25.04.0
Release: 0
Summary: PDF Rendering Library
License: GPL-2.0-only OR GPL-3.0-only
@@ -44,6 +44,14 @@ Source90: poppler.keyring
Source99: baselibs.conf
Patch0: reduce-boost-required-version.patch
Patch1: reduce-libtiff-required-version.patch
# CVE-2025-52886 [bsc#1245625], use of 32-bit `std::atomic_int` for reference counting can lead to an integer overflow and trigger a use-after-free
Patch2: poppler-CVE-2025-52886.patch
# CVE-2025-52885 [bsc#1251940], raw pointers can lead to dangling pointers when the vector is resized
Patch3: poppler-CVE-2025-50420.patch
# CVE-2025-50420 [bsc#1247590], An issue in the pdfseparate utility of freedesktop poppler v25.04.0 allows attackers to cause an infinite recursion via supplying a crafted PDF file. This can lead to a Denial of Service (DoS).
Patch4: poppler-CVE-2025-52885.patch
# CVE-2025-11896 [bsc#1252337], infinite recursion leading to stack overflow due to object loop in PDF CMap
Patch5: poppler-CVE-2025-11896.patch
BuildRequires: cmake >= 3.10
BuildRequires: gtk-doc
@@ -85,10 +93,6 @@ BuildRequires: extra-cmake-modules
%if "%{flavor}" == "qt6" && (0%{?suse_version} <= 1500 && 0%{?sle_version} <= 150300)
ExclusiveArch: do_not_build
%endif
# Don't build poppler-qt5 on SLE16
%if "%{flavor}" == "qt5" && (0%{suse_version} == 1600 && ! 0%{?is_opensuse})
ExclusiveArch: do_not_build
%endif
%if "%{flavor}" == "qt5"
BuildRequires: pkgconfig(Qt5Core) >= 5.9
BuildRequires: pkgconfig(Qt5Gui)

8
reduce-boost-required-version.patch
View File

@@ -1,8 +1,8 @@
Index: poppler-25.06.0/CMakeLists.txt
Index: poppler-24.12.0/CMakeLists.txt
===================================================================
--- poppler-25.06.0.orig/CMakeLists.txt
+++ poppler-25.06.0/CMakeLists.txt
@@ -232,7 +232,7 @@ add_definitions(-DQT_NO_KEYWORDS)
--- poppler-24.12.0.orig/CMakeLists.txt
+++ poppler-24.12.0/CMakeLists.txt
@@ -227,7 +227,7 @@ find_soft_mandatory_package(ENABLE_QT6 Q
# Check for Cairo rendering backend
macro_optional_find_package(Cairo ${CAIRO_VERSION})

8
reduce-libtiff-required-version.patch
View File

@@ -1,8 +1,8 @@
Index: poppler-25.06.0/CMakeLists.txt
Index: poppler-24.12.0/CMakeLists.txt
===================================================================
--- poppler-25.06.0.orig/CMakeLists.txt
+++ poppler-25.06.0/CMakeLists.txt
@@ -169,7 +169,7 @@ endmacro()
--- poppler-24.12.0.orig/CMakeLists.txt
+++ poppler-24.12.0/CMakeLists.txt
@@ -168,7 +168,7 @@ endmacro()
find_soft_mandatory_package(ENABLE_NSS3 NSS3 3.68)
find_soft_mandatory_package(ENABLE_GPGME Gpgmepp 1.19)