Hi Simon,

I'm impressed by your speed and diligence in treating bug reports, kudos and you have my full respect :)

On Sat, Aug 09, 2025 at 01:02:18PM +0100, Simon McVittie wrote:
> Control: tags -1 + moreinfo
>
> On Sat, 09 Aug 2025 at 11:47:40 +0200, Salvatore Bonaccorso wrote:
> > CVE-2025-50422[0]:
> > | An issue was discovered in freedesktop poppler v25.04.0. The heap
> > | memory containing PDF stream objects is not cleared upon program
> > | exit, allowing attackers to obtain sensitive PDF content via a
> > | memory dump.
>
> This seems like a bad description of the problem. The reporter seems to have
> originally claimed that the existence of possibly-sensitive data in a core
> dump is a security vulnerability, which ... no. Core dumps contain whatever
> was in RAM, that's just how they work, and if that's considered to be a
> security vulnerability in a particular scenario then that scenario should
> disable core dumps.

I do agree, the bug report just contains fetching the (current) MITRE CVE
description to include it in the bug report.

> It seems like the better description might be something like: a crafted
> input file fed to poppler's pdftoppm can cause an assertion failure, leading
> to denial of service (?) and possibly a worse impact (?).

Ok. FWIW, I asked MITRE whether they can re-evaluate the CVE entry and maybe
associate it rather with cairo, as the merge request is targeted there.

> The original reporter claims on their Github page [1] that "The vendor
> (freedesktop, maintainer of Poppler) has acknowledged the issue and fixed
> the bug. The fix has been committed in their official repository." but I see
> no evidence of that, only two unreviewed and unmerged merge-requests in one
> of poppler's dependencies [3] [4].
>
> I think we should be cautious about applying unreviewed changes for unclear
> reasons. If someone (perhaps the CNA that created this CVE ID) has a better
> description of what security problem is being addressed, then they should
> publish it.

Fully agreed. The Debian bug report is not meant to expedite applying fixes in
Debian but rather to have a mapping from downstream bug reports to upstream so
we can follow their status. I fully support *not* applying any fixes before
they are clearly vetted/acked and ideally merged upstream.

> I also can't help noticing that
> https://www.cve.org/CVERecord?id=CVE-2025-50422 links to "freedesktop.com"
> and "poppler.com" neither of which appears to be freedesktop.org or poppler,
> which seems like it indicates a lack of research and critical thinking.

Yes that's very odd.

Regards,
Salvatore
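Simon's point above is that a deployment which treats core-dump contents as sensitive should disable core dumps rather than call their existence a bug. The following is an added example (not code from this thread, poppler or cairo) of a process doing that for itself; it assumes Linux, where RLIMIT_CORE and prctl(PR_SET_DUMPABLE) are available.

```c
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>

/* Disable core dumps for the calling process (Linux-specific).
 * Returns 0 on success, -1 on failure (errno is set by the failing call). */
int disable_core_dumps(void)
{
    /* Hard limit 0 as well, so neither this process nor a child it spawns
     * can raise the limit again. Note: the kernel enforces RLIMIT_CORE only
     * when writing a core *file*; when core_pattern is a pipe helper the
     * limit is merely passed to the helper, so this alone is not enough. */
    struct rlimit rl = { .rlim_cur = 0, .rlim_max = 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    /* Marking the process non-dumpable makes the kernel skip the core dump
     * entirely, whatever core_pattern says, and additionally refuses
     * ptrace attach and /proc/PID/mem reads from other unprivileged
     * processes. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return 0;
}

/* Report whether both protections are in place: 1 if yes, 0 otherwise. */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    int dumpable = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    return (rl.rlim_cur == 0 && dumpable == 0) ? 1 : 0;
}

int main(void)
{
    printf("before: core dumps disabled = %d\n", core_dumps_disabled());
    if (disable_core_dumps() != 0) {
        perror("disable_core_dumps");
        return 1;
    }
    printf("after:  core dumps disabled = %d\n", core_dumps_disabled());
    /* Anything decoded from here on (e.g. PDF stream contents held on the
     * heap) can no longer end up in a core file. */
    return 0;
}
```

Call disable_core_dumps() before the process touches any sensitive input; an administrator can apply the same policy process-wide with `ulimit -c 0` or a systemd `LimitCORE=0` setting, but only the prctl also covers pipe-based core handlers.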

