Control: tags 1138708 + patch
Control: tags 1138708 + pending
Dear maintainer,

I've prepared an NMU for poppler (versioned as 26.01.0-4.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it.

Uploading with a delay of only 2 days is a bit borderline, I believe, so I'm really OK with you telling me to cancel it or to delay it further. We have put poppler into the DSA "needed" list for the security team, but before having fixes go out to stable it seems wise to make sure the fix is exposed in unstable first.

Regards,
Salvatore
diffstat for poppler-26.01.0 poppler-26.01.0 changelog | 8 + patches/SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch | 41 ++++++++++ patches/series | 1 3 files changed, 50 insertions(+) diff -Nru poppler-26.01.0/debian/changelog poppler-26.01.0/debian/changelog --- poppler-26.01.0/debian/changelog 2026-05-31 23:12:29.000000000 +0200 +++ poppler-26.01.0/debian/changelog 2026-06-02 19:08:52.000000000 +0200 @@ -1,3 +1,11 @@ +poppler (26.01.0-4.1) unstable; urgency=medium + + * Non-maintainer upload. + * SplashOutputDev: Fix integer overflow in tilingPatternFill (CVE-2026-10118) + (Closes: #1138708) + + -- Salvatore Bonaccorso <[email protected]> Tue, 02 Jun 2026 19:08:52 +0200 + poppler (26.01.0-4) unstable; urgency=medium * Team upload diff -Nru poppler-26.01.0/debian/patches/SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch poppler-26.01.0/debian/patches/SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch --- poppler-26.01.0/debian/patches/SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch 1970-01-01 01:00:00.000000000 +0100 +++ poppler-26.01.0/debian/patches/SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch 2026-06-02 19:08:27.000000000 +0200 
@@ -0,0 +1,41 @@ +From: Marek Kasik <[email protected]> +Date: Thu, 21 May 2026 17:51:51 +0200 +Subject: SplashOutputDev: Fix integer overflow in tilingPatternFill +Origin: https://gitlab.freedesktop.org/poppler/poppler/-/commit/8352264766652b98336e92359a70b3161a9ab97a +Bug-Debian: https://bugs.debian.org/1138708 +Bug: https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1715 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-10118 + +Use checkedMultiply() to check integer multiplication of surface size +and number of repetitions to avoid integer overflow and possible memory issues. + +Fixes: #1715 +--- + poppler/SplashOutputDev.cc | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/poppler/SplashOutputDev.cc b/poppler/SplashOutputDev.cc +index ff3ad0eff015..f055486c36f4 100644 +--- a/poppler/SplashOutputDev.cc ++++ b/poppler/SplashOutputDev.cc +@@ -4327,7 +4328,7 @@ bool SplashOutputDev::tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog * /* + matc[2] = ctm[2]; + matc[3] = ctm[3]; + +- if (surface_width == 0 || surface_height == 0 || repeatX * repeatY <= 4) { ++ if (surface_width == 0 || surface_height == 0 || repeatX * repeatY <= 4 || checkedMultiply(surface_width, repeatX, &result_width) || checkedMultiply(surface_height, repeatY, &result_height)) { + state->setCTM(savedCTM[0], savedCTM[1], savedCTM[2], savedCTM[3], savedCTM[4], savedCTM[5]); + return false; + } +@@ -4349,8 +4350,6 @@ bool SplashOutputDev::tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog * /* + kx = matc[0]; + ky = matc[3] - (matc[1] * matc[2]) / matc[0]; + } +- result_width = surface_width * repeatX; +- result_height = surface_height * repeatY; + kx = result_width / (fabs(kx) + 1); + ky = result_height / (fabs(ky) + 1); + state->concatCTM(kx, 0, 0, ky, 0, 0); +-- +2.53.0 + diff -Nru poppler-26.01.0/debian/patches/series poppler-26.01.0/debian/patches/series --- poppler-26.01.0/debian/patches/series 2026-05-31 23:12:29.000000000 
+0200 +++ poppler-26.01.0/debian/patches/series 2026-06-02 19:07:37.000000000 +0200 @@ -0,0 +1 @@ +SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch
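Review bot: In the SplashOutputDev.cc hunk at -4327, the guard still evaluates "repeatX * repeatY <= 4" as a plain multiplication ahead of the two checkedMultiply() calls, so that product is not covered by the new overflow check. The declarations of repeatX and repeatY are outside the visible context; if they are signed int, it is worth confirming they are bounded earlier in tilingPatternFill, or routing this product through checkedMultiply() as well. Separately, with "result_width = surface_width * repeatX;" and the matching result_height line removed in the hunk at -4349, both values are now assigned only as a side effect of the condition; a one-line comment at the condition saying so would help whoever next reorders or splits that if.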
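Review bot: The embedded patch header states "2 insertions(+), 3 deletions(-)" for poppler/SplashOutputDev.cc, but the two hunks shown contain one added line and three removed lines, and the first hunk header "@@ -4327,7 +4328,7 @@" is already shifted by one line, which points to an earlier hunk adding one line that is not part of this debdiff. If that hunk was dropped on purpose because 26.01.0 already has what it adds, please say so in the patch header and refresh the diffstat. Otherwise it should be restored, since the visible change depends on checkedMultiply() being declared in SplashOutputDev.cc.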

