Debian 10520

Debian GNU/Linux has been updated with security enhancements, including poppler updates for Debian 9 and 10 ELTS and a debian-security-support update for Debian 11 LTS:

ELA-1468-1 poppler security update
ELA-1467-1 poppler security update
[DLA 4223-1] debian-security-support update

ELA-1468-1 poppler security update


Package : poppler
Version : 0.48.0-2+deb9u7 (stretch)

Related CVEs :
CVE-2017-7515
CVE-2017-14617
CVE-2018-20551
CVE-2019-9903
CVE-2020-23804
CVE-2022-37050
CVE-2022-37051
CVE-2022-37052
CVE-2022-38349
CVE-2024-56378
CVE-2025-32364
CVE-2025-32365

Multiple vulnerabilities were discovered in poppler, a PDF rendering
library, which could result in denial of service. An attacker could
make poppler-based applications crash through various means.
Additionally, boomaga (BOOklet MAnager), a virtual preview printer,
was rebuilt to handle ABI-breaking changes in the poppler private API.

CVE-2017-7515
An uncontrolled recursion in pdfunite resulting in a potential
denial of service. Note: this fix is a prerequisite for the fix of
CVE-2019-9903.

CVE-2017-14617
Completes the fix; the initial fix was in 0.48.0-2+deb9u1. For reference:
A floating point exception occurs in the ImageStream class in
Stream.cc, which may lead to a potential attack when handling
malicious PDF files.

CVE-2018-20551
A reachable Object::getString assertion allows attackers to cause
a denial of service due to construction of invalid rich media
annotation assets in the AnnotRichMedia class in Annot.c.

CVE-2019-9903
PDFDoc::markObject in PDFDoc.cc mishandles dict marking, leading
to stack consumption in the function Dict::find() located at
Dict.cc, which can (for example) be triggered by passing a crafted
pdf file to the pdfunite binary.

CVE-2020-23804
Uncontrolled Recursion in pdfinfo, and pdftops allows remote
attackers to cause a denial of service via crafted input.

CVE-2022-37050
PDFDoc::savePageAs in PDFDoc.cc allows attackers to cause a
denial-of-service (application crashes with SIGABRT) by crafting a
PDF file in which the xref data structure is mishandled in
getCatalog processing. Note that this vulnerability is caused by
the incomplete patch of CVE-2018-20662.

CVE-2022-37051
A reachable abort leads to denial of service because the main
function in pdfunite.cc lacks a stream check before saving an
embedded file.

CVE-2022-37052
A reachable Object::getString assertion allows attackers to cause
a denial of service due to a failure in markObject.

CVE-2022-38349
A reachable assertion in Object.h leads to denial of service
because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check
before saving an embedded file.
CVE-2024-56378
Out-of-bounds read vulnerability within the JBIG2Bitmap::combine
function in JBIG2Stream.cc.
CVE-2025-32364
A floating-point exception in the PSStack::roll function can cause
an application to crash when handling malformed inputs associated
with INT_MIN.
CVE-2025-32365
Poppler allows crafted input files to trigger out-of-bounds reads
in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of
a misplaced isOk check.

ELA-1467-1 poppler security update


Package : poppler
Version : 0.71.0-5+deb10u4 (buster)

Related CVEs :
CVE-2022-37052
CVE-2022-38349
CVE-2024-56378
CVE-2025-32364
CVE-2025-32365

Multiple vulnerabilities were discovered in poppler, a PDF rendering
library, which could result in denial of service. An attacker could
make poppler-based applications crash through various means.

CVE-2022-37052
A reachable Object::getString assertion allows attackers to cause
a denial of service due to a failure in markObject.

CVE-2022-38349
A reachable assertion in Object.h leads to denial of service
because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check
before saving an embedded file.

CVE-2024-56378
Out-of-bounds read vulnerability within the JBIG2Bitmap::combine
function in JBIG2Stream.cc.

CVE-2025-32364
A floating-point exception in the PSStack::roll function can cause
an application to crash when handling malformed inputs associated
with INT_MIN.

CVE-2025-32365
Poppler allows crafted input files to trigger out-of-bounds reads
in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of
a misplaced isOk check.

[SECURITY] [DLA 4223-1] debian-security-support update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4223-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Santiago Ruano Rincón
June 21, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : debian-security-support
Version : 1:11+2025.06.21
Debian Bug : 1100929 1106203

debian-security-support, the Debian security support coverage checker, has been
updated in bullseye-security to mark the end of security support of the
following package:

* odoo

In addition, security support for the following packages has been
limited:

* gobgp
* musescore2
* musescore3

Moreover, due to a bug, packages whose binary version differed from their
source package version were not correctly identified by
check-security-support.

For Debian 11 bullseye, these problems have been fixed in version
1:11+2025.06.21.

We recommend that you upgrade your debian-security-support packages.

For the detailed security status of debian-security-support please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/debian-security-support

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS