Your message dated Fri, 18 Apr 2025 22:35:17 +0000
with message-id <e1u5uin-007ivf...@fasolo.debian.org>
and subject line Bug#1103545: fixed in poppler 25.03.0-4
has caused the Debian Bug report #1103545,
regarding poppler: CVE-2025-43903
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1103545: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103545
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: poppler
Version: 25.03.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 22.12.0-2
Hi,
The following vulnerability was published for poppler.
CVE-2025-43903[0]:
| NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify
| the adbe.pkcs7.sha1 signatures on documents, resulting in potential
| signature forgeries.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-43903
https://www.cve.org/CVERecord?id=CVE-2025-43903
[1] https://gitlab.freedesktop.org/poppler/poppler/-/commit/f1b9c830f145a0042e853d6462b2f9ca4016c669
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: poppler
Source-Version: 25.03.0-4
Done: Jeremy Bícha <jbi...@ubuntu.com>
We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1103...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jeremy Bícha <jbi...@ubuntu.com> (supplier of updated poppler package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 18 Apr 2025 18:16:32 -0400
Source: poppler
Built-For-Profiles: noudeb
Architecture: source
Version: 25.03.0-4
Distribution: unstable
Urgency: high
Maintainer: Debian freedesktop.org maintainers <pkg-freedesktop-maintain...@lists.alioth.debian.org>
Changed-By: Jeremy Bícha <jbi...@ubuntu.com>
Closes: 1103545
Changes:
poppler (25.03.0-4) unstable; urgency=high
.
* Team upload
* SECURITY UPDATE: Properly verify adbe.pkcs7.sha1 signatures
- Cherry-pick upstream fix for the
NSSSignatureVerification::validateSignature function
in NSSCryptoSignBackend.cc
- CVE-2025-43903 (Closes: #1103545)
--- End Message ---