Bug#1110606: cairo: CVE-2025-50422

Salvatore Bonaccorso carnil at debian.org
Sat Aug 9 13:45:28 BST 2025


Hi Simon,

I'm impressed by your speed and diligence in treating bug reports,
kudos and you have my full respect :)

On Sat, Aug 09, 2025 at 01:02:18PM +0100, Simon McVittie wrote:
> Control: tags -1 + moreinfo
> 
> On Sat, 09 Aug 2025 at 11:47:40 +0200, Salvatore Bonaccorso wrote:
> > CVE-2025-50422[0]:
> > | An issue was discovered in freedesktop poppler v25.04.0. The heap
> > | memory containing PDF stream objects is not cleared upon program
> > | exit, allowing attackers to obtain sensitive PDF content via a
> > | memory dump.
> 
> This seems like a bad description of the problem. The reporter seems to have
> originally claimed that the existence of possibly-sensitive data in a core
> dump is a security vulnerability, which ... no. Core dumps contain whatever
> was in RAM, that's just how they work, and if that's considered to be a
> security vulnerability in a particular scenario then that scenario should
> disable core dumps.

I do agree, the bug report just contains the (current) MITRE
CVE description, fetched to include it in the bug report.

> 
> It seems like the better description might be something like: a crafted
> input file fed to poppler's pdftoppm can cause an assertion failure, leading
> to denial of service (?) and possibly a worse impact (?).

Ok. FWIW, I asked MITRE to re-evaluate the CVE entry and
maybe associate it with cairo instead, as the merge request is targeted
there.

> The original reporter claims on their Github page [1] that "The vendor
> (freedesktop, maintainer of Poppler) has acknowledged the issue and fixed
> the bug. The fix has been committed in their official repository." but I see
> no evidence of that, only two unreviewed and unmerged merge-requests in one
> of poppler's dependencies [3] [4].
> 
> I think we should be cautious about applying unreviewed changes for unclear
> reasons. If someone (perhaps the CNA that created this CVE ID) has a better
> description of what security problem is being addressed, then they should
> publish it.

Fully agreed. The Debian bug report is not meant to expedite applying
fixes in Debian but rather to have a mapping from downstream bug reports
to upstream so we can follow their status. I fully support *not*
applying any fixes before they are clearly vetted/acked and ideally
merged upstream.

> I also can't help noticing that
> https://www.cve.org/CVERecord?id=CVE-2025-50422 links to "freedesktop.com"
> and "poppler.com" neither of which appears to be freedesktop.org or poppler,
> which seems like it indicates a lack of research and critical thinking.

Yes, that's very odd.

Regards,
Salvatore