From nobody Thu Jun 11 21:49:10 2026
Received: (at submit) by bugs.debian.org; 2 Oct 2025 19:31:05 +0000
Return-path: <carnil@debian.org>
Received: from c-82-192-244-13.customer.ggaweb.ch ([82.192.244.13]:51642
 helo=eldamar.lan) by buxtehude.debian.org with esmtp (Exim 4.96)
 (envelope-from <carnil@debian.org>) id 1v4P15-006V0g-2A
 for submit@bugs.debian.org; Thu, 02 Oct 2025 19:31:05 +0000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: poppler: CVE-2025-43718
Message-ID: <175943345915.3864823.1402262259989239163.reportbug@eldamar.lan>
X-Mailer: reportbug 13.2.0
Date: Thu, 02 Oct 2025 21:30:59 +0200
Delivered-To: submit@bugs.debian.org

Source: poppler
Version: 25.03.0-9
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 25.03.0-5

Hi,

The following vulnerability was published for poppler.

CVE-2025-43718[0]:
| Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption
| and a SIGSEGV via deeply nested structures within the metadata (such
| as GTS_PDFEVersion) of a PDF document, e.g., a regular expression
| for a long pdfsubver string. This occurs in Dict::lookup,
| Catalog::getMetadata, and associated functions in PDFDoc, with deep
| recursion in the regex executor (std::__detail::_Executor).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-43718
    https://www.cve.org/CVERecord?id=CVE-2025-43718
[1] https://gitlab.freedesktop.org/poppler/poppler/-/commit/f54b815672117c250420787c8c006de98e8c7408

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
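
One way to keep an untrusted metadata string like the one in the CVE text from reaching a recursive regex executor is to cap its length before matching. This is an added example, not code from this report or from poppler, and not the upstream fix in [1]. The 64-byte limit, the pattern and the names `parse_subtype` and `Subtype` are assumptions made for illustration.

```cpp
#include <cstddef>
#include <regex>
#include <string>

// Assumption: no legitimate subtype version string comes close to this length.
constexpr std::size_t kMaxVersionLen = 64;

// Constructed pattern for strings shaped like "PDF/E-1"; not poppler's own.
static const std::regex kSubtypeRe(R"(^PDF/(A|E|UA|VT|X)-([0-9]))");

struct Subtype {
    std::string family;  // e.g. "E"
    int part;            // e.g. 1
};

// The length check runs before the regex engine sees the data, so an
// oversized string is rejected in constant time with no executor recursion.
bool parse_subtype(const std::string &value, Subtype &out) {
    if (value.empty() || value.size() > kMaxVersionLen) {
        return false;  // treat as "no recognised subtype", never match
    }
    std::smatch m;
    if (!std::regex_search(value, m, kSubtypeRe)) {
        return false;
    }
    out.family = m[1].str();
    out.part = m[2].str()[0] - '0';
    return true;
}

int main() {
    // Constructed inputs: one well-formed value, one oversized value.
    const std::string ok = "PDF/E-1";
    const std::string huge(8 * 1024 * 1024, 'A');
    Subtype s{};
    const bool accepted = parse_subtype(ok, s);
    const bool rejected = !parse_subtype(huge, s);
    return (accepted && rejected) ? 0 : 1;
}
```
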