Compare commits
2 Commits
| Author | SHA256 | Date | |
|---|---|---|---|
|
141f1b63c6 | ||
|
|
63f0774fd1 |
104
poppler-CVE-2025-11896.patch
Normal file
104
poppler-CVE-2025-11896.patch
Normal file
@@ -0,0 +1,104 @@
|
||||
From 998c6a79571af968ba90af57a0c5dcbb5a53763c Mon Sep 17 00:00:00 2001
|
||||
From: Sune Vuorela <sune@vuorela.dk>
|
||||
Date: Mon, 13 Oct 2025 15:13:14 +0200
|
||||
Subject: [PATCH] Limit recursion in cmap parsing
|
||||
|
||||
fixes #1632
|
||||
---
|
||||
poppler/CMap.cc | 18 +++++++++++-------
|
||||
poppler/CMap.h | 13 +++++++------
|
||||
2 files changed, 18 insertions(+), 13 deletions(-)
|
||||
|
||||
Index: poppler-25.04.0/poppler/CMap.cc
|
||||
===================================================================
|
||||
--- poppler-25.04.0.orig/poppler/CMap.cc
|
||||
+++ poppler-25.04.0/poppler/CMap.cc
|
||||
@@ -66,7 +66,7 @@ static int getCharFromStream(void *data)
|
||||
|
||||
//------------------------------------------------------------------------
|
||||
|
||||
-std::shared_ptr<CMap> CMap::parse(CMapCache *cache, const GooString &collectionA, Object *obj)
|
||||
+std::shared_ptr<CMap> CMap::parse(CMapCache *cache, const GooString &collectionA, Object *obj, const std::shared_ptr<RefRecursionChecker> &recursion)
|
||||
{
|
||||
std::shared_ptr<CMap> cMap;
|
||||
|
||||
@@ -76,7 +76,7 @@ std::shared_ptr<CMap> CMap::parse(CMapCa
|
||||
error(errSyntaxError, -1, "Unknown CMap '{0:t}' for character collection '{1:t}'", &cMapNameA, &collectionA);
|
||||
}
|
||||
} else if (obj->isStream()) {
|
||||
- if (!(cMap = CMap::parse(nullptr, collectionA, obj->getStream()))) {
|
||||
+ if (!(cMap = CMap::parse(nullptr, collectionA, obj->getStream(), recursion))) {
|
||||
error(errSyntaxError, -1, "Invalid CMap in Type 0 font");
|
||||
}
|
||||
} else {
|
||||
@@ -112,12 +112,16 @@ std::shared_ptr<CMap> CMap::parse(CMapCa
|
||||
return cMap;
|
||||
}
|
||||
|
||||
-std::shared_ptr<CMap> CMap::parse(CMapCache *cache, const GooString &collectionA, Stream *str)
|
||||
+std::shared_ptr<CMap> CMap::parse(CMapCache *cache, const GooString &collectionA, Stream *str, const std::shared_ptr<RefRecursionChecker> &recursion)
|
||||
{
|
||||
auto cMap = std::shared_ptr<CMap>(new CMap(collectionA.copy(), nullptr));
|
||||
- Object obj1 = str->getDict()->lookup("UseCMap");
|
||||
+ Ref ref;
|
||||
+ Object obj1 = str->getDict()->lookup("UseCMap", &ref);
|
||||
+ if (!recursion->insert(ref)) {
|
||||
+ return nullptr;
|
||||
+ }
|
||||
if (!obj1.isNull()) {
|
||||
- cMap->useCMap(cache, &obj1);
|
||||
+ cMap->useCMap(cache, &obj1, recursion);
|
||||
}
|
||||
|
||||
if (str->reset()) {
|
||||
@@ -233,9 +237,9 @@ void CMap::useCMap(CMapCache *cache, con
|
||||
}
|
||||
}
|
||||
|
||||
-void CMap::useCMap(CMapCache *cache, Object *obj)
|
||||
+void CMap::useCMap(CMapCache *cache, Object *obj, const std::shared_ptr<RefRecursionChecker> &recursion)
|
||||
{
|
||||
- std::shared_ptr<CMap> subCMap = CMap::parse(cache, *collection, obj);
|
||||
+ std::shared_ptr<CMap> subCMap = CMap::parse(cache, *collection, obj, recursion);
|
||||
if (!subCMap) {
|
||||
return;
|
||||
}
|
||||
Index: poppler-25.04.0/poppler/CMap.h
|
||||
===================================================================
|
||||
--- poppler-25.04.0.orig/poppler/CMap.h
|
||||
+++ poppler-25.04.0/poppler/CMap.h
|
||||
@@ -30,6 +30,7 @@
|
||||
#include <atomic>
|
||||
#include <memory>
|
||||
|
||||
+#include "Object.h"
|
||||
#include "poppler-config.h"
|
||||
#include "CharTypes.h"
|
||||
|
||||
@@ -46,7 +47,7 @@ class CMap
|
||||
public:
|
||||
// Parse a CMap from <obj>, which can be a name or a stream. Sets
|
||||
// the initial reference count to 1. Returns NULL on failure.
|
||||
- static std::shared_ptr<CMap> parse(CMapCache *cache, const GooString &collectionA, Object *obj);
|
||||
+ static std::shared_ptr<CMap> parse(CMapCache *cache, const GooString &collectionA, Object *obj, const std::shared_ptr<RefRecursionChecker> &recursion = std::make_shared<RefRecursionChecker>());
|
||||
|
||||
// Create the CMap specified by <collection> and <cMapName>. Sets
|
||||
// the initial reference count to 1. Returns NULL on failure.
|
||||
@@ -54,7 +55,7 @@ public:
|
||||
|
||||
// Parse a CMap from <str>. Sets the initial reference count to 1.
|
||||
// Returns NULL on failure.
|
||||
- static std::shared_ptr<CMap> parse(CMapCache *cache, const GooString &collectionA, Stream *str);
|
||||
+ static std::shared_ptr<CMap> parse(CMapCache *cache, const GooString &collectionA, Stream *str, const std::shared_ptr<RefRecursionChecker> &recursion);
|
||||
|
||||
~CMap();
|
||||
|
||||
@@ -85,7 +86,7 @@ private:
|
||||
CMap(std::unique_ptr<GooString> &&collectionA, std::unique_ptr<GooString> &&cMapNameA);
|
||||
CMap(std::unique_ptr<GooString> &&collectionA, std::unique_ptr<GooString> &&cMapNameA, int wModeA);
|
||||
void useCMap(CMapCache *cache, const char *useName);
|
||||
- void useCMap(CMapCache *cache, Object *obj);
|
||||
+ void useCMap(CMapCache *cache, Object *obj, const std::shared_ptr<RefRecursionChecker> &recursion);
|
||||
void copyVector(CMapVectorEntry *dest, CMapVectorEntry *src);
|
||||
void addCIDs(unsigned int start, unsigned int end, unsigned int nBytes, CID firstCID);
|
||||
void freeCMapVector(CMapVectorEntry *vec);
|
||||
31
poppler-CVE-2025-50420.patch
Normal file
31
poppler-CVE-2025-50420.patch
Normal file
@@ -0,0 +1,31 @@
|
||||
From 08d7894e4dd0e313c179e30f06ad8f546619b1b3 Mon Sep 17 00:00:00 2001
|
||||
From: Sune Vuorela <sune@vuorela.dk>
|
||||
Date: Tue, 29 Jul 2025 14:14:00 +0200
|
||||
Subject: [PATCH] Fix crash in pdfseparate
|
||||
|
||||
Don't continue recursing in PDFDoc::mark* if things looks a bit weirder
|
||||
than expected
|
||||
---
|
||||
poppler/PDFDoc.cc | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
Index: poppler-25.04.0/poppler/PDFDoc.cc
|
||||
===================================================================
|
||||
--- poppler-25.04.0.orig/poppler/PDFDoc.cc
|
||||
+++ poppler-25.04.0/poppler/PDFDoc.cc
|
||||
@@ -1857,6 +1857,15 @@ bool PDFDoc::markAnnotations(Object *ann
|
||||
if (obj1.isDict()) {
|
||||
Dict *dict = obj1.getDict();
|
||||
Object type = dict->lookup("Type");
|
||||
+ if (type.isNull()) {
|
||||
+ Object subType = dict->lookup("SubType");
|
||||
+ // Type is optional, subtype is required
|
||||
+ // If neither of them exists, something is probably
|
||||
+ // weird here, so let us just skip this entry
|
||||
+ if (subType.isNull()) {
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
if (type.isName() && strcmp(type.getName(), "Annot") == 0) {
|
||||
const Object &obj2 = dict->lookupNF("P");
|
||||
if (obj2.isRef()) {
|
||||
@@ -7,11 +7,11 @@ Subject: [PATCH] Check for duplicate entries
|
||||
poppler/StructTreeRoot.cc | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/poppler/StructTreeRoot.cc b/poppler/StructTreeRoot.cc
|
||||
index eb46147bd1..fc7bf4ceb0 100644
|
||||
--- a/poppler/StructTreeRoot.cc
|
||||
+++ b/poppler/StructTreeRoot.cc
|
||||
@@ -136,6 +136,10 @@ void StructTreeRoot::parseNumberTreeNode(const Dict &node)
|
||||
Index: poppler-25.04.0/poppler/StructTreeRoot.cc
|
||||
===================================================================
|
||||
--- poppler-25.04.0.orig/poppler/StructTreeRoot.cc
|
||||
+++ poppler-25.04.0/poppler/StructTreeRoot.cc
|
||||
@@ -137,6 +137,10 @@ void StructTreeRoot::parseNumberTreeNode
|
||||
}
|
||||
int keyVal = key.getInt();
|
||||
std::vector<Parent> &vec = parentTree[keyVal];
|
||||
@@ -22,6 +22,3 @@ index eb46147bd1..fc7bf4ceb0 100644
|
||||
|
||||
Object valueArray = nums.arrayGet(i + 1);
|
||||
if (valueArray.isArray()) {
|
||||
--
|
||||
GitLab
|
||||
|
||||
|
||||
@@ -1,11 +1,27 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 14 09:33:22 UTC 2025 - pgajdos@suse.com
|
||||
Mon Dec 8 13:25:40 UTC 2025 - Petr Gajdos <pgajdos@suse.com>
|
||||
|
||||
- security update
|
||||
- added patches
|
||||
CVE-2025-11896 [bsc#1252337], infinite recursion leading to stack overflow due to object loop in PDF CMap
|
||||
* poppler-CVE-2025-11896.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 14 09:48:10 UTC 2025 - pgajdos@suse.com
|
||||
|
||||
- security update
|
||||
- added patches
|
||||
CVE-2025-52885 [bsc#1251940], raw pointers can lead to dangling pointers when the vector is resized
|
||||
* poppler-CVE-2025-52885.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Aug 5 11:53:27 UTC 2025 - pgajdos@suse.com
|
||||
|
||||
- security update
|
||||
- added patches
|
||||
CVE-2025-50420 [bsc#1247590], An issue in the pdfseparate utility of freedesktop poppler v25.04.0 allows attackers to cause an infinite recursion via supplying a crafted PDF file. This can lead to a Denial of Service (DoS).
|
||||
+ poppler-CVE-2025-50420.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jul 4 14:09:05 UTC 2025 - pgajdos@suse.com
|
||||
|
||||
|
||||
@@ -47,7 +47,11 @@ Patch1: reduce-libtiff-required-version.patch
|
||||
# CVE-2025-52886 [bsc#1245625], use of 32-bit `std::atomic_int` for reference counting can lead to an integer overflow and trigger a use-after-free
|
||||
Patch2: poppler-CVE-2025-52886.patch
|
||||
# CVE-2025-52885 [bsc#1251940], raw pointers can lead to dangling pointers when the vector is resized
|
||||
Patch3: poppler-CVE-2025-52885.patch
|
||||
Patch3: poppler-CVE-2025-50420.patch
|
||||
# CVE-2025-50420 [bsc#1247590], An issue in the pdfseparate utility of freedesktop poppler v25.04.0 allows attackers to cause an infinite recursion via supplying a crafted PDF file. This can lead to a Denial of Service (DoS).
|
||||
Patch4: poppler-CVE-2025-52885.patch
|
||||
# CVE-2025-11896 [bsc#1252337], infinite recursion leading to stack overflow due to object loop in PDF CMap
|
||||
Patch5: poppler-CVE-2025-11896.patch
|
||||
|
||||
BuildRequires: cmake >= 3.10
|
||||
BuildRequires: gtk-doc
|
||||
|
||||
Reference in New Issue
Block a user