Bug#1110606: cairo: CVE-2025-50422

Simon McVittie smcv at debian.org
Sat Aug 9 13:02:18 BST 2025


Control: tags -1 + moreinfo

On Sat, 09 Aug 2025 at 11:47:40 +0200, Salvatore Bonaccorso wrote:
>CVE-2025-50422[0]:
>| An issue was discovered in freedesktop poppler v25.04.0. The heap
>| memory containing PDF stream objects is not cleared upon program
>| exit, allowing attackers to obtain sensitive PDF content via a
>| memory dump.

This seems like a bad description of the problem. The reporter seems to 
have originally claimed that the existence of possibly-sensitive data in 
a core dump is a security vulnerability, which ... no. Core dumps 
contain whatever was in RAM, that's just how they work, and if that's 
considered to be a security vulnerability in a particular scenario then 
that scenario should disable core dumps.

It seems like the better description might be something like: a crafted 
input file fed to poppler's pdftoppm can cause an assertion failure, 
leading to denial of service (?) and possibly a worse impact (?).

The original reporter claims on their GitHub page [1] that "The vendor 
(freedesktop, maintainer of Poppler) has acknowledged the issue and 
fixed the bug. The fix has been committed in their official repository." 
but I see no evidence of that, only two unreviewed and unmerged 
merge-requests in one of poppler's dependencies [3] [4].

I think we should be cautious about applying unreviewed changes for 
unclear reasons. If someone (perhaps the CNA that created this CVE ID) 
has a better description of what security problem is being addressed, 
then they should publish it.

I also can't help noticing that 
https://www.cve.org/CVERecord?id=CVE-2025-50422 links to 
"freedesktop.com" and "poppler.com", neither of which appears to be 
freedesktop.org or poppler, which seems like it indicates a lack of 
research and critical thinking.

>[0] https://security-tracker.debian.org/tracker/CVE-2025-50422
>    https://www.cve.org/CVERecord?id=CVE-2025-50422
>[1] https://github.com/Landw-hub/CVE-2025-50422
>[2] https://gitlab.freedesktop.org/poppler/poppler/-/issues/1591
>[3] https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/621

[4] https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/623
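
The message above says that a scenario where core-dump contents are sensitive should disable core dumps. As an added example (not part of the original message, and not code from poppler or cairo), here is one way a Linux process can do that for itself before it reads sensitive input; the helper names `disable_core_dumps` and `core_dumps_disabled` are hypothetical.

```c
#include <stdio.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Hypothetical helper: call early, before any sensitive data is loaded.
 * Returns 0 on success, -1 if either step fails. */
int disable_core_dumps(void)
{
    /* Lower both soft and hard limits so the limit cannot be raised
     * again later by this process or by children that inherit it. */
    struct rlimit no_core = { .rlim_cur = 0, .rlim_max = 0 };
    if (setrlimit(RLIMIT_CORE, &no_core) != 0)
        return -1;
#ifdef __linux__
    /* RLIMIT_CORE alone may not stop a core handler configured as a pipe
     * in core_pattern; a non-dumpable process produces no core dump. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
#endif
    return 0;
}

/* Returns 1 if core dumps are off for this process, 0 if not, -1 on error. */
int core_dumps_disabled(void)
{
    struct rlimit cur;
    if (getrlimit(RLIMIT_CORE, &cur) != 0)
        return -1;
    if (cur.rlim_cur != 0 || cur.rlim_max != 0)
        return 0;
#ifdef __linux__
    if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) != 0)
        return 0;
#endif
    return 1;
}

int main(void)
{
    if (disable_core_dumps() != 0) {
        perror("disable_core_dumps");
        return 1;
    }
    printf("core dumps disabled: %d\n", core_dumps_disabled());
    return 0;
}
```

The dumpable flag is reset to its default by `execve()`, so a wrapper that launches another program needs the resource limit (which is inherited) or a system-wide setting instead.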



More information about the pkg-gnome-maintainers mailing list