Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: secur...@debian.org, Debian freedesktop.org maintainers 
<pkg-freedesktop-maintain...@lists.alioth.debian.org>

  * CVE-2023-34872: OutlineItem::open crash on malformed files
  * CVE-2024-56378: Out-of-bounds read in JBIG2Bitmap::combine
  * CVE-2025-32364: Floating point exception in PSStack::roll
  * CVE-2025-32365: Out-of-bounds read in JBIG2Bitmap::combine
diffstat for poppler-22.12.0 poppler-22.12.0

 changelog                                                           |   10 +
 patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch    |   41 
+++++
 patches/0002-JBIG2Bitmap-combine-Fix-crash-on-malformed-files.patch |   73 
++++++++++
 patches/0003-PSStack-roll-Protect-against-doing-int-INT_MIN.patch   |   25 +++
 patches/0004-Move-isOk-check-to-inside-JBIG2Bitmap-combine.patch    |   37 
+++++
 patches/series                                                      |    4 
 6 files changed, 190 insertions(+)

diff -Nru poppler-22.12.0/debian/changelog poppler-22.12.0/debian/changelog
--- poppler-22.12.0/debian/changelog    2023-01-10 23:36:05.000000000 +0200
+++ poppler-22.12.0/debian/changelog    2025-04-12 21:26:36.000000000 +0300
@@ -1,3 +1,13 @@
+poppler (22.12.0-2+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2023-34872: OutlineItem::open crash on malformed files
+  * CVE-2024-56378: Out-of-bounds read in JBIG2Bitmap::combine
+  * CVE-2025-32364: Floating point exception in PSStack::roll
+  * CVE-2025-32365: Out-of-bounds read in JBIG2:Bitmap::combine
+
+ -- Adrian Bunk <b...@debian.org>  Sat, 12 Apr 2025 21:26:36 +0300
+
 poppler (22.12.0-2) unstable; urgency=medium
 
   * Team upload
diff -Nru 
poppler-22.12.0/debian/patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch
 
poppler-22.12.0/debian/patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch
--- 
poppler-22.12.0/debian/patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch
     1970-01-01 02:00:00.000000000 +0200
+++ 
poppler-22.12.0/debian/patches/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch
     2025-04-12 21:24:57.000000000 +0300
@@ -0,0 +1,41 @@
+From db4e10de064c6b8bddbcbcb042116c6d70ed1e35 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aa...@kde.org>
+Date: Wed, 17 May 2023 22:42:05 +0200
+Subject: OutlineItem::open: Fix crash on malformed files
+
+Fixes #1399
+---
+ poppler/Outline.cc | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/poppler/Outline.cc b/poppler/Outline.cc
+index cbb6cb49..4c68be99 100644
+--- a/poppler/Outline.cc
++++ b/poppler/Outline.cc
+@@ -14,7 +14,7 @@
+ // under GPL version 2 or later
+ //
+ // Copyright (C) 2005 Marco Pesenti Gritti <m...@redhat.com>
+-// Copyright (C) 2008, 2016-2019, 2021 Albert Astals Cid <aa...@kde.org>
++// Copyright (C) 2008, 2016-2019, 2021, 2023 Albert Astals Cid <aa...@kde.org>
+ // Copyright (C) 2009 Nick Jones <nick.jo...@network-box.com>
+ // Copyright (C) 2016 Jason Crain <ja...@aquaticape.us>
+ // Copyright (C) 2017 Adrian Johnson <ajohn...@redneon.com>
+@@ -483,8 +483,12 @@ void OutlineItem::open()
+ {
+     if (!kids) {
+         Object itemDict = xref->fetch(ref);
+-        const Object &firstRef = itemDict.dictLookupNF("First");
+-        kids = readItemList(this, &firstRef, xref, doc);
++        if (itemDict.isDict()) {
++            const Object &firstRef = itemDict.dictLookupNF("First");
++            kids = readItemList(this, &firstRef, xref, doc);
++        } else {
++            kids = new std::vector<OutlineItem *>();
++        }
+     }
+ }
+ 
+-- 
+2.30.2
+
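Review bot: The new `else` branch in `OutlineItem::open()` accepts a malformed outline item silently, with no diagnostic and no comment saying why an empty list is stored rather than leaving `kids` null. I would add a comment above the assignment such as `// malformed file: item is not a dictionary; keep an empty list so the !kids guard does not refetch on every call`. If Outline.cc already includes `Error.h` (not visible in this hunk), an `error(errSyntaxWarning, -1, ...)` call here would also leave a trace that a damaged document was parsed. The raw `new std::vector<OutlineItem *>()` presumably matches what `readItemList` returns and what the destructor frees; both are outside the hunk, so confirm ownership is identical on both paths.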
diff -Nru 
poppler-22.12.0/debian/patches/0002-JBIG2Bitmap-combine-Fix-crash-on-malformed-files.patch
 
poppler-22.12.0/debian/patches/0002-JBIG2Bitmap-combine-Fix-crash-on-malformed-files.patch
--- 
poppler-22.12.0/debian/patches/0002-JBIG2Bitmap-combine-Fix-crash-on-malformed-files.patch
  1970-01-01 02:00:00.000000000 +0200
+++ 
poppler-22.12.0/debian/patches/0002-JBIG2Bitmap-combine-Fix-crash-on-malformed-files.patch
  2025-04-12 21:24:57.000000000 +0300
@@ -0,0 +1,73 @@
+From 70ceae2d090bbc9935d938e9e1475bcd57781f5e Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aa...@kde.org>
+Date: Tue, 17 Dec 2024 18:59:01 +0100
+Subject: JBIG2Bitmap::combine: Fix crash on malformed files
+
+Fixes #1553
+---
+ poppler/JBIG2Stream.cc | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
+index 77ffeb28..bdc51d0d 100644
+--- a/poppler/JBIG2Stream.cc
++++ b/poppler/JBIG2Stream.cc
+@@ -765,7 +765,7 @@ void JBIG2Bitmap::duplicateRow(int yDest, int ySrc)
+ 
+ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int 
combOp)
+ {
+-    int x0, x1, y0, y1, xx, yy;
++    int x0, x1, y0, y1, xx, yy, yyy;
+     unsigned char *srcPtr, *destPtr;
+     unsigned int src0, src1, src, dest, s1, s2, m1, m2, m3;
+     bool oneByte;
+@@ -812,14 +812,17 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, 
int y, unsigned int combOp
+     oneByte = x0 == ((x1 - 1) & ~7);
+ 
+     for (yy = y0; yy < y1; ++yy) {
+-        if (unlikely((y + yy >= h) || (y + yy < 0))) {
++        if (unlikely(checkedAdd(y, yy, &yyy))) {
++            continue;
++        }
++        if (unlikely((yyy >= h) || (yyy < 0))) {
+             continue;
+         }
+ 
+         // one byte per line -- need to mask both left and right side
+         if (oneByte) {
+             if (x >= 0) {
+-                destPtr = data + (y + yy) * line + (x >> 3);
++                destPtr = data + yyy * line + (x >> 3);
+                 srcPtr = bitmap->data + yy * bitmap->line;
+                 dest = *destPtr;
+                 src1 = *srcPtr;
+@@ -842,7 +845,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int 
y, unsigned int combOp
+                 }
+                 *destPtr = dest;
+             } else {
+-                destPtr = data + (y + yy) * line;
++                destPtr = data + yyy * line;
+                 srcPtr = bitmap->data + yy * bitmap->line + (-x >> 3);
+                 dest = *destPtr;
+                 src1 = *srcPtr;
+@@ -872,7 +875,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int 
y, unsigned int combOp
+ 
+             // left-most byte
+             if (x >= 0) {
+-                destPtr = data + (y + yy) * line + (x >> 3);
++                destPtr = data + yyy * line + (x >> 3);
+                 srcPtr = bitmap->data + yy * bitmap->line;
+                 src1 = *srcPtr++;
+                 dest = *destPtr;
+@@ -896,7 +899,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int 
y, unsigned int combOp
+                 *destPtr++ = dest;
+                 xx = x0 + 8;
+             } else {
+-                destPtr = data + (y + yy) * line;
++                destPtr = data + yyy * line;
+                 srcPtr = bitmap->data + yy * bitmap->line + (-x >> 3);
+                 src1 = *srcPtr++;
+                 xx = x0;
+-- 
+2.30.2
+
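Review bot: The destination offset `yyy * line` is still plain `int` multiplication in all four rewritten `destPtr` assignments of `JBIG2Bitmap::combine`; the added `checkedAdd` only covers the `y + yy` sum. With `0 <= yyy < h` the product stays in range only if `h * line` was validated when the bitmap was allocated, which is outside these hunks and worth confirming for the 22.12.0 code base. A comment at the new check, e.g. `// yyy = y + yy is the destination row; rows that overflow or fall outside [0, h) are skipped`, would make the invariant explicit. The name `yyy` is also easy to misread as `yy`; `destY` would be clearer. The source-side index `yy * bitmap->line` is untouched context here, and its bounds depend on the `y0`/`y1` clamping earlier in the function, which is not shown.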
diff -Nru 
poppler-22.12.0/debian/patches/0003-PSStack-roll-Protect-against-doing-int-INT_MIN.patch
 
poppler-22.12.0/debian/patches/0003-PSStack-roll-Protect-against-doing-int-INT_MIN.patch
--- 
poppler-22.12.0/debian/patches/0003-PSStack-roll-Protect-against-doing-int-INT_MIN.patch
    1970-01-01 02:00:00.000000000 +0200
+++ 
poppler-22.12.0/debian/patches/0003-PSStack-roll-Protect-against-doing-int-INT_MIN.patch
    2025-04-12 21:24:57.000000000 +0300
@@ -0,0 +1,25 @@
+From a165d7c184a75c8511354c8972aa8176928e239b Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aa...@kde.org>
+Date: Mon, 24 Mar 2025 00:44:54 +0100
+Subject: PSStack::roll: Protect against doing int = -INT_MIN
+
+---
+ poppler/Function.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/poppler/Function.cc b/poppler/Function.cc
+index 043ae8e9..65888a03 100644
+--- a/poppler/Function.cc
++++ b/poppler/Function.cc
+@@ -1066,7 +1066,7 @@ void PSStack::roll(int n, int j)
+     PSObject obj;
+     int i, k;
+ 
+-    if (unlikely(n == 0)) {
++    if (unlikely(n == 0 || j == INT_MIN)) {
+         return;
+     }
+     if (j >= 0) {
+-- 
+2.30.2
+
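Review bot: `INT_MIN` is used in the new guard in `PSStack::roll`, but the patch adds no `#include <climits>`; since this is a backport onto 22.12.0, confirm that Function.cc there includes it directly rather than picking it up transitively. The condition also carries no explanation, so a comment such as `// -j would overflow for j == INT_MIN` above it would tie the guard to the negation that presumably happens in the `j < 0` path, which lies outside the hunk. Returning early leaves the stack unrolled instead of rolling by the equivalent amount modulo `n`; that is reasonable for malformed input but should be stated in the comment.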
diff -Nru 
poppler-22.12.0/debian/patches/0004-Move-isOk-check-to-inside-JBIG2Bitmap-combine.patch
 
poppler-22.12.0/debian/patches/0004-Move-isOk-check-to-inside-JBIG2Bitmap-combine.patch
--- 
poppler-22.12.0/debian/patches/0004-Move-isOk-check-to-inside-JBIG2Bitmap-combine.patch
     1970-01-01 02:00:00.000000000 +0200
+++ 
poppler-22.12.0/debian/patches/0004-Move-isOk-check-to-inside-JBIG2Bitmap-combine.patch
     2025-04-12 21:24:57.000000000 +0300
@@ -0,0 +1,37 @@
+From d8aa58a1c931738bdba4ffaae1a80a4ecfbb36bf Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aa...@kde.org>
+Date: Mon, 31 Mar 2025 14:35:49 +0200
+Subject: Move isOk check to inside JBIG2Bitmap::combine
+
+---
+ poppler/JBIG2Stream.cc | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
+index bdc51d0d..3c92e707 100644
+--- a/poppler/JBIG2Stream.cc
++++ b/poppler/JBIG2Stream.cc
+@@ -770,6 +770,9 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int 
y, unsigned int combOp
+     unsigned int src0, src1, src, dest, s1, s2, m1, m2, m3;
+     bool oneByte;
+ 
++    if (unlikely(!isOk())) {
++        return;
++    }
+     // check for the pathological case where y = -2^31
+     if (y < -0x7fffffff) {
+         return;
+@@ -2200,9 +2203,7 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, 
bool imm, bool lossless
+             if (pageH == 0xffffffff && y + h > curPageH) {
+                 pageBitmap->expand(y + h, pageDefPixel);
+             }
+-            if (pageBitmap->isOk()) {
+-                pageBitmap->combine(bitmap.get(), x, y, extCombOp);
+-            }
++            pageBitmap->combine(bitmap.get(), x, y, extCombOp);
+ 
+             // store the region bitmap
+         } else {
+-- 
+2.30.2
+
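Review bot: The guard added at the top of `JBIG2Bitmap::combine` checks only the destination (`this`), while the function also reads through the `bitmap` argument (`bitmap->data`, `bitmap->line`). If any caller can pass a source bitmap whose allocation failed, the read side is still unprotected. Extending the check to `if (unlikely(!isOk() || !bitmap->isOk())) { return; }` would cover both sides, assuming callers never pass a null `bitmap` (not visible here). The second hunk drops the call-site check in `readTextRegionSeg` only; other callers of `combine` are outside this diff and may still carry their own, now redundant, `isOk()` tests.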
diff -Nru poppler-22.12.0/debian/patches/series 
poppler-22.12.0/debian/patches/series
--- poppler-22.12.0/debian/patches/series       2023-01-10 23:36:05.000000000 
+0200
+++ poppler-22.12.0/debian/patches/series       2025-04-12 21:26:13.000000000 
+0300
@@ -0,0 +1,4 @@
+0001-OutlineItem-open-Fix-crash-on-malformed-files.patch
+0002-JBIG2Bitmap-combine-Fix-crash-on-malformed-files.patch
+0003-PSStack-roll-Protect-against-doing-int-INT_MIN.patch
+0004-Move-isOk-check-to-inside-JBIG2Bitmap-combine.patch
