[SECURITY] [DLA 4141-1] poppler security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4141-1] poppler security update
From: Adrian Bunk <bunk@debian.org>
Date: Mon, 28 Apr 2025 12:42:09 +0300
Message-id: <[🔎] aA9NcdsJH+SPmw6f@localhost>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4141-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
April 28, 2025                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : poppler
Version        : 20.09.0-3.1+deb11u2
CVE ID         : CVE-2020-36023 CVE-2020-36024 CVE-2022-37050 CVE-2022-37051 
                 CVE-2022-37052 CVE-2022-38349 CVE-2024-56378 CVE-2025-32364 
                 CVE-2025-32365
Debian Bug     : 1091322 1102190 1102191

Multiple vulnerabilities have been fixed in the PDF rendering
library poppler.

CVE-2020-36023

    Infinite loop in FoFiType1C::cvtGlyph

CVE-2020-36024

    NULL dereference in FoFiType1C::convertToType1

CVE-2022-37050

    Crash in PDFDoc::savePageAs

CVE-2022-37051

    Crash in the pdfunite tool

CVE-2022-37052

    Reachable assert on XRef::add failure

CVE-2022-38349

    pdfunite crash on broken files

CVE-2024-56378

    Out-of-bounds read in JBIG2Bitmap::combine

CVE-2025-32364

    Floating point exception in PSStack::roll

CVE-2025-32365

    Out-of-bounds read in JBIG2:Bitmap::combine

For Debian 11 bullseye, these problems have been fixed in version
20.09.0-3.1+deb11u2.

We recommend that you upgrade your poppler packages.

For the detailed security status of poppler please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/poppler

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmgPTXEACgkQiNJCh6LY
mLHL2BAAwzje2xhT1auBgH7sDX8I5zS+p3J4kSn2vfuyvNIXFBDWJjEoHeQNoeMg
AFLf2QPF2cWSleY6wO0M67FqpyacaObz9o+d5K8KKmahlTAfd9eHKxcko0o9txBi
T5LffJMACB8mCLd+mwpy+zuAr1hPAnrC0DJ3oNoL7ML9kgXlrSLZnyVAAbhwQzWH
LQZqfEKT8QwXuRnyoG/adM6CTfgGhXrpAP4M1erMz2tVwnkPm7W36rGx2iDaBlIX
5qNwJ5NLA5dgXL/XCZdoSrRq7rlQ+wXEEfP+2uNO/PnZALH53TDVOYPJ0tsmnbQ9
Tk1LFAX2VBFc2i1iqFHTyaiyUAnZbanR9VUj2e+deqzKigSbdcSLaKzYeBcoW6iu
gojE+6vzYMTNKGbjXtF7lbEaYTic1oyvTUYZgT2rdNN+oeGiXw3FTT5TN7wxbR0y
3tCV0pdZ//6AtQjqx2lYBz+BhIgm7Ktfm8m7JnCg5i7iqeSHBLpCGNV7sqXBoQor
+6V6I7d/5WMekFJEmFvksInX0CsWVnZmoCx6FtC+g95R7YFPvofIL38peuRGL1mL
z+6/VHWhWR9NCBoNSUpv0qWngAshm5kqTBNprQzMLxsmM2k9dUQFbHbu9gvUAqui
kKhObdhJP2iQpSPqZPXQEFNQEcmCtp4nj7DqDvtGH7yiEwGhICw=
=V3W4
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 4140-1] libsoup2.4 security update
Next by Date: [SECURITY] [DLA 4142-1] libraw security update
Previous by thread: [SECURITY] [DLA 4140-1] libsoup2.4 security update
Next by thread: [SECURITY] [DLA 4142-1] libraw security update
Index(es):
- Date
- Thread