[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2025-43903/poppler: Add note that it might cause regression
Adrian Bunk (@bunk)
bunk at debian.org
Mon Apr 28 10:34:14 BST 2025
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ab4aedce by Adrian Bunk at 2025-04-28T12:30:51+03:00
CVE-2025-43903/poppler: Add note that it might cause regression
- - - - -
8130935a by Adrian Bunk at 2025-04-28T12:34:00+03:00
Reserve DLA-4141-1 for poppler
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1483,8 +1483,10 @@ CVE-2025-2866 (Improper Verification of Cryptographic Signature vulnerability in
CVE-2025-43903 (NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the ...)
- poppler 25.03.0-4 (bug #1103545)
[bookworm] - poppler <no-dsa> (Minor issue)
+ [bullseye] - poppler <postponed> (Minor issue)
NOTE: Introduced with: https://gitlab.freedesktop.org/poppler/poppler/-/commit/c7c0207b1cfe49a4353d6cda93dbebef4508138f (poppler-0.42.0)
NOTE: Fixed by: https://gitlab.freedesktop.org/poppler/poppler/-/commit/f1b9c830f145a0042e853d6462b2f9ca4016c669 (poppler-25.04.0)
+ NOTE: Might cause regression: https://bugzilla.suse.com/show_bug.cgi?id=1241620#c3
CVE-2025-3795 (A vulnerability was found in DaiCuo 1.3.13. It has been rated as probl ...)
NOT-FOR-US: DaiCuo
CVE-2025-3792 (A vulnerability, which was classified as critical, has been found in S ...)
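Review bot: the new [bullseye] line for CVE-2025-43903 gives only "(Minor issue)" as the reason for <postponed>, while the NOTE added three lines below records that the upstream fix might cause a regression; consider carrying that rationale into the tag text itself, e.g. `[bullseye] - poppler <postponed> (Minor issue; fix may regress, see SUSE bug 1241620#c3)`, so the reason for deferring is visible on the entry without reading the notes and stays consistent with the bookworm <no-dsa> line above it.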
@@ -41117,7 +41119,6 @@ CVE-2024-XXXX [RUSTSEC-2024-0429]
CVE-2024-56378 (libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read vul ...)
- poppler 24.08.0-4 (bug #1091322)
[bookworm] - poppler <no-dsa> (Minor issue)
- [bullseye] - poppler <postponed> (Minor issue)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1553
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/commit/ade9b5ebed44b0c15522c27669ef6cdf93eff84e
CVE-2024-56375 (An integer underflow was discovered in Fort 1.6.3 and 1.6.4 before 1.6 ...)
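Review bot: dropping the [bullseye] <postponed> line for CVE-2024-56378 matches DLA-4141-1 listing this CVE in data/DLA/list, but the entry gains no {DLA-4141-1} cross-reference in this hunk, unlike neighbouring poppler entries such as CVE-2022-37051 that carry {DLA-3620-1}; if that marker is only added when the announcement is published, this is fine, otherwise it should be added here so the entry shows which advisory closed it.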
@@ -235953,7 +235954,6 @@ CVE-2022-38350
RESERVED
CVE-2022-38349 (An issue was discovered in Poppler 22.08.0. There is a reachable asser ...)
- poppler 22.12.0-2
- [bullseye] - poppler <no-dsa> (Minor issue)
[buster] - poppler <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1282
NOTE: Fixed by: https://gitlab.freedesktop.org/poppler/poppler/-/commit/4564a002bcb6094cc460bc0d5ddff9423fe6dd28 (poppler-22.09.0)
@@ -239358,20 +239358,17 @@ CVE-2022-37053 (TRENDnet TEW733GR v1.03B01 is vulnerable to Command injection vi
NOT-FOR-US: Trendnet
CVE-2022-37052 (A reachable Object::getString assertion in Poppler 22.07.0 allows atta ...)
- poppler 22.08.0-2
- [bullseye] - poppler <no-dsa> (Minor issue)
[buster] - poppler <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1278
NOTE: Fixed by: https://gitlab.freedesktop.org/poppler/poppler/-/commit/8677500399fc2548fa816b619580c2c07915a98c (poppler-22.08.0)
CVE-2022-37051 (An issue was discovered in Poppler 22.07.0. There is a reachable abort ...)
{DLA-3620-1}
- poppler 22.08.0-2
- [bullseye] - poppler <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1276
NOTE: Fixed by: https://gitlab.freedesktop.org/poppler/poppler/-/commit/4631115647c1e4f0482ffe0491c2f38d2231337b (poppler-22.08.0)
CVE-2022-37050 (In Poppler 22.07.0, PDFDoc::savePageAs in PDFDoc.c callows attackers t ...)
{DLA-3620-1}
- poppler 22.08.0-2
- [bullseye] - poppler <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1274
NOTE: Fixed by: https://gitlab.freedesktop.org/poppler/poppler/-/commit/dcd5bd8238ea448addd102ff045badd0aca1b990 (poppler-22.08.0)
CVE-2022-37049 (The component tcpprep in Tcpreplay v4.4.1 was discovered to contain a ...)
@@ -352765,14 +352762,12 @@ CVE-2020-36025
CVE-2020-36024 (An issue was discovered in freedesktop poppler version 20.12.1, allows ...)
{DLA-3528-1}
- poppler 22.08.0-2
- [bullseye] - poppler <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1016
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/748
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/commit/3cc28b66132e66ed2dfe13a9a285ac41ac7267d5 (poppler-21.01.0)
CVE-2020-36023 (An issue was discovered in freedesktop poppler version 20.12.1, allows ...)
{DLA-3528-1}
- poppler 22.08.0-2
- [bullseye] - poppler <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1013
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/744
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/commit/238dc045beeeb1eb619f3fb6cb699ba36813222d (poppler-21.01.0)
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[28 Apr 2025] DLA-4141-1 poppler - security update
+ {CVE-2020-36023 CVE-2020-36024 CVE-2022-37050 CVE-2022-37051 CVE-2022-37052 CVE-2022-38349 CVE-2024-56378 CVE-2025-32364 CVE-2025-32365}
+ [bullseye] - poppler 20.09.0-3.1+deb11u2
[27 Apr 2025] DLA-4140-1 libsoup2.4 - security update
{CVE-2025-2784 CVE-2025-32050 CVE-2025-32052 CVE-2025-32053 CVE-2025-32906 CVE-2025-32909 CVE-2025-32910 CVE-2025-32911 CVE-2025-32912 CVE-2025-32913 CVE-2025-32914}
[bullseye] - libsoup2.4 2.72.0-2+deb11u2
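Review bot: the new DLA-4141-1 entry lists CVE-2025-32364 and CVE-2025-32365, yet no hunk in data/CVE/list touches either of those entries, whereas every other CVE in the list has its [bullseye] tag removed above; check that those two entries carry no [bullseye] <postponed> or <no-dsa> tag that would contradict the advisory, or remove it in the same push. The date, the DLA number following DLA-4140-1 and the 20.09.0-3.1+deb11u2 version string are otherwise consistent with the surrounding entries.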
=====================================
data/dla-needed.txt
=====================================
@@ -289,11 +289,6 @@ php-twig
NOTE: 20250209: Added by Front-Desk (apo)
NOTE: 20250209: Vulnerable code is in src/Node/Expression/NullCoalesceExpression.php (apo)
--
-poppler (Adrian Bunk)
- NOTE: 20250412: Added by Front-Desk (Beuc)
- NOTE: 20250412: Fix postponed CVEs (Beuc/front-desk)
- NOTE: 20250413: bookworm update submitted, bullseye will be published after that (bunk)
---
python-flask-cors
NOTE: 20250422: Added by Front-Desk (rouca)
--
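Review bot: the poppler entry is removed from dla-needed.txt at reservation time, while its last note (20250413) says the bullseye update is to be published after the bookworm one; if the DLA-4141-1 announcement does not follow immediately, the package drops out of the to-do list before the upload is actually out, so either keep the entry until publication or make sure the announcement lands in the same session.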
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/81ecee61bd078df2e4997865612c225459d922a2...8130935a11b96afc9e603bd01c9d84a4a4076f65