Titouan Christophe cdd1c5ca55 package/poppler: security bump to v25.10.0
This contains many bug and security fixes since v22.12.0.
See the release notes: https://poppler.freedesktop.org/releases.html

In addition:
- Drop patch that has been applied upstream
- Update a few cmake configuration options that changed upstream

There is currently a build failure when enabling gpgme, so disable it
unconditionally for now.

Finally, this fixes the following vulnerabilities:
- CVE-2024-6239:
    A flaw was found in the Poppler's Pdfinfo utility. This issue occurs
    when using -dests parameter with pdfinfo utility. By using certain
    malformed input files, an attacker could cause the utility to crash,
    leading to a denial of service.
    https://www.cve.org/CVERecord?id=CVE-2024-6239

- CVE-2024-56378:
    libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read
    vulnerability within the JBIG2Bitmap::combine function in
    JBIG2Stream.cc.
    https://www.cve.org/CVERecord?id=CVE-2024-56378

- CVE-2025-32364:
    A floating-point exception in the PSStack::roll function of Poppler
    before 25.04.0 can cause an application to crash when handling
    malformed inputs associated with INT_MIN.
    https://www.cve.org/CVERecord?id=CVE-2025-32364

- CVE-2025-32365:
    Poppler before 25.04.0 allows crafted input files to trigger out-of-
    bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc
    because of a misplaced isOk check.
    https://www.cve.org/CVERecord?id=CVE-2025-32365

- CVE-2025-43903:
    NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the
    adbe.pkcs7.sha1 signatures on documents, resulting in potential
    signature forgeries.
    https://www.cve.org/CVERecord?id=CVE-2025-43903

- CVE-2025-50420:
    An issue in the pdfseparate utility of freedesktop poppler v25.04.0
    allows attackers to cause an infinite recursion via supplying a
    crafted PDF file. This can lead to a Denial of Service (DoS).
    https://www.cve.org/CVERecord?id=CVE-2025-50420

- CVE-2025-52886:
    Poppler is a PDF rendering library. Versions prior to 25.06.0 use
    `std::atomic_int` for reference counting. Because `std::atomic_int` is
    only 32 bits, it is possible to overflow the reference count and
    trigger a use-after-free. Version 25.06.0 patches the issue.
    https://www.cve.org/CVERecord?id=CVE-2025-52886

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: mark commit as "security" in commit log title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
2025-10-24 22:59:00 +02:00
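The reference-count wrap behind CVE-2025-52886, as an added example that is not poppler's code: a toy intrusive count in the shape the commit message describes (retain increments, release decrements and frees at zero), templated on the counter width. Running 2^32 retains to wrap a real std::atomic_int takes too long for a quick check, so the demonstration runs 2^16 retains against a 16-bit counter; the arithmetic is identical, only the number of references needed differs. Alongside it are the two ways a practitioner closes this class of bug, a wider counter and a retain that refuses to wrap; the commit message does not say which of these poppler 25.06.0 chose, so neither is presented as the upstream fix.

```cpp
#include <atomic>
#include <cstdint>
#include <cstdio>
#include <limits>

// Added example, not poppler's code. A minimal intrusive reference count in
// the shape the commit message describes: retain increments, release
// decrements and frees the object when the count reaches zero. The counter
// width is a template parameter so the same logic can be run at 16, 32 and
// 64 bits; std::atomic_int is the 32-bit instance.
template <typename Counter>
class Counted {
public:
    void retain() { refs_.fetch_add(1, std::memory_order_relaxed); }

    // Returns true when this call dropped the last reference (stands in for
    // `delete this`). Atomic integer arithmetic wraps modulo 2^N by
    // definition, so a count that has wrapped back to 1 frees the object here
    // although other holders still exist: that is the use-after-free.
    bool release() {
        if (refs_.fetch_sub(1, std::memory_order_acq_rel) == 1) {
            freed_ = true;
            return true;
        }
        return false;
    }

    Counter count() const { return refs_.load(std::memory_order_relaxed); }
    bool freed() const { return freed_; }

private:
    std::atomic<Counter> refs_{1};  // the creating owner holds the first reference
    bool freed_ = false;
};

// Take `holders` extra references, then let the original owner release once.
// Returns true if that single release freed the object while `holders`
// references are still outstanding, i.e. if the counter wrapped.
template <typename Counter>
bool freed_with_live_holders(uint64_t holders) {
    Counted<Counter> obj;
    for (uint64_t i = 0; i < holders; ++i) obj.retain();
    return obj.release();
}

// Hardened retain: a CAS loop that refuses the new reference instead of
// wrapping once the counter is saturated. Returns false when refused.
template <typename Counter>
bool checked_retain(std::atomic<Counter>& refs) {
    Counter cur = refs.load(std::memory_order_relaxed);
    while (cur != std::numeric_limits<Counter>::max()) {
        // compare_exchange_weak reloads `cur` on failure, so the bound is
        // re-checked on every iteration.
        if (refs.compare_exchange_weak(cur, static_cast<Counter>(cur + 1),
                                       std::memory_order_relaxed))
            return true;
    }
    return false;
}

// Returns true if checked_retain refused at least one of `holders` retains
// (count starting at 1, as in Counted).
template <typename Counter>
bool checked_retain_refuses(uint64_t holders) {
    std::atomic<Counter> refs{1};
    for (uint64_t i = 0; i < holders; ++i)
        if (!checked_retain(refs)) return true;
    return false;
}

int main() {
    const uint64_t n = uint64_t{1} << 16;  // 2^16 retains wrap a 16-bit count
    std::printf("16-bit count, %llu holders: freed=%d\n",
                (unsigned long long)n, freed_with_live_holders<int16_t>(n));
    std::printf("32-bit count, %llu holders: freed=%d\n",
                (unsigned long long)n, freed_with_live_holders<int32_t>(n));
    std::printf("64-bit count, %llu holders: freed=%d\n",
                (unsigned long long)n, freed_with_live_holders<int64_t>(n));
    std::printf("16-bit checked retain refused overflow: %d\n",
                checked_retain_refuses<int16_t>(n));
    return 0;
}
```

With the 16-bit counter the owner's single release frees the object while 65536 holders still point at it; the 32-bit and 64-bit counters survive the same run. The 32-bit counter fails in exactly the same way once 2^32 references exist, which is what the CVE text describes; widening to 64 bits pushes that bound out of reach in practice, while the checked retain removes it at any width at the cost of a compare per retain.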