[automatic] Publish 11 advisories for Poppler_jll

advisories/published/2025/JLSEC-0000-mns3412jh-fj93s3.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns3412jh-fj93s3"
+modified = 2025-10-17T14:50:10.589Z
+upstream = ["CVE-2021-30860"]
+references = ["http://seclists.org/fulldisclosure/2021/Sep/25", "http://seclists.org/fulldisclosure/2021/Sep/26", "http://seclists.org/fulldisclosure/2021/Sep/27", "http://seclists.org/fulldisclosure/2021/Sep/28", "http://seclists.org/fulldisclosure/2021/Sep/38", "http://seclists.org/fulldisclosure/2021/Sep/39", "http://seclists.org/fulldisclosure/2021/Sep/40", "http://seclists.org/fulldisclosure/2021/Sep/50", "http://www.openwall.com/lists/oss-security/2022/09/02/11", "https://security.gentoo.org/glsa/202209-21", "https://support.apple.com/en-us/HT212804", "https://support.apple.com/en-us/HT212805", "https://support.apple.com/en-us/HT212806", "https://support.apple.com/en-us/HT212807", "https://support.apple.com/kb/HT212824", "http://seclists.org/fulldisclosure/2021/Sep/25", "http://seclists.org/fulldisclosure/2021/Sep/26", "http://seclists.org/fulldisclosure/2021/Sep/27", "http://seclists.org/fulldisclosure/2021/Sep/28", "http://seclists.org/fulldisclosure/2021/Sep/38", "http://seclists.org/fulldisclosure/2021/Sep/39", "http://seclists.org/fulldisclosure/2021/Sep/40", "http://seclists.org/fulldisclosure/2021/Sep/50", "http://www.openwall.com/lists/oss-security/2022/09/02/11", "https://security.gentoo.org/glsa/202209-21", "https://support.apple.com/en-us/HT212804", "https://support.apple.com/en-us/HT212805", "https://support.apple.com/en-us/HT212806", "https://support.apple.com/en-us/HT212807", "https://support.apple.com/kb/HT212824"]
+
+[[affected]]
+pkg = "Poppler_jll"
+ranges = ["< 23.12.0+0"]
+
+[[jlsec_sources]]
+id = "CVE-2021-30860"
+imported = 2025-10-17T14:50:10.589Z
+modified = 2025-02-28T14:43:40.400Z
+published = 2021-08-24T19:15:14.370Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-30860"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2021-30860"
+```
+
+# An integer overflow was addressed with improved input validation
+
+An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
+

advisories/published/2025/JLSEC-0000-mns3412jk-15jknih.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns3412jk-15jknih"
+modified = 2025-10-17T14:50:10.592Z
+upstream = ["CVE-2022-38171"]
+references = ["http://www.openwall.com/lists/oss-security/2022/09/02/11", "http://www.xpdfreader.com/security-fixes.html", "https://dl.xpdfreader.com/xpdf-4.04.tar.gz", "https://github.com/jeffssh/CVE-2021-30860", "https://github.com/zmanion/Vulnerabilities/blob/main/CVE-2022-38171.md", "https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html", "https://www.cve.org/CVERecord?id=CVE-2021-30860", "http://www.openwall.com/lists/oss-security/2022/09/02/11", "http://www.xpdfreader.com/security-fixes.html", "https://dl.xpdfreader.com/xpdf-4.04.tar.gz", "https://github.com/jeffssh/CVE-2021-30860", "https://github.com/zmanion/Vulnerabilities/blob/main/CVE-2022-38171.md", "https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html", "https://www.cve.org/CVERecord?id=CVE-2021-30860"]
+
+[[affected]]
+pkg = "Poppler_jll"
+ranges = ["< 23.12.0+0"]
+
+[[jlsec_sources]]
+id = "CVE-2022-38171"
+imported = 2025-10-17T14:50:10.592Z
+modified = 2024-11-21T07:15:56.110Z
+published = 2022-08-22T19:15:11.060Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2022-38171"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2022-38171"
+```
+
+# Xpdf prior to version 4.04 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextR...
+
+Xpdf prior to version 4.04 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIG2Stream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2021-30860 (Apple CoreGraphics).
+

advisories/published/2025/JLSEC-0000-mns3412jl-y0z0kr.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns3412jl-y0z0kr"
+modified = 2025-10-17T14:50:10.593Z
+upstream = ["CVE-2022-38784"]
+references = ["http://www.openwall.com/lists/oss-security/2022/09/02/11", "https://github.com/jeffssh/CVE-2021-30860", "https://github.com/zmanion/Vulnerabilities/blob/main/CVE-2022-38171.md", "https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1261/diffs?commit_id=27354e9d9696ee2bc063910a6c9a6b27c5184a52", "https://lists.debian.org/debian-lts-announce/2022/09/msg00030.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BGY72LBJMFAKQWC2XH4MRPIGPQLXTFL6/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E5Z2677EQUWVHJLGSH5DQX53EK6MY2M2/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J546EJUKUOPWA3JSLP7DYNBAU3YGNCCW/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLKN3HJKZSGEEKOF57DM7Q3IB74HP5VW/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TQAO6O2XHPQHNW2MWOCJJ4C3YWS2VV4K/", "https://poppler.freedesktop.org/releases.html", "https://security.gentoo.org/glsa/202209-21", "https://www.cve.org/CVERecord?id=CVE-2022-38171", "https://www.debian.org/security/2022/dsa-5224", "http://www.openwall.com/lists/oss-security/2022/09/02/11", "https://github.com/jeffssh/CVE-2021-30860", "https://github.com/zmanion/Vulnerabilities/blob/main/CVE-2022-38171.md", "https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1261/diffs?commit_id=27354e9d9696ee2bc063910a6c9a6b27c5184a52", "https://lists.debian.org/debian-lts-announce/2022/09/msg00030.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BGY72LBJMFAKQWC2XH4MRPIGPQLXTFL6/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E5Z2677EQUWVHJLGSH5DQX53EK6MY2M2/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J546EJUKUOPWA3JSLP7DYNBAU3YGNCCW/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLKN3HJKZSGEEKOF57DM7Q3IB74HP5VW/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TQAO6O2XHPQHNW2MWOCJJ4C3YWS2VV4K/", "https://poppler.freedesktop.org/releases.html", "https://security.gentoo.org/glsa/202209-21", "https://www.cve.org/CVERecord?id=CVE-2022-38171", "https://www.debian.org/security/2022/dsa-5224"]
+
+[[affected]]
+pkg = "Poppler_jll"
+ranges = ["< 23.12.0+0"]
+
+[[jlsec_sources]]
+id = "CVE-2022-38784"
+imported = 2025-10-17T14:50:10.593Z
+modified = 2024-11-21T07:17:04.843Z
+published = 2022-08-30T03:15:07.307Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2022-38784"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2022-38784"
+```
+
+# Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Strea...
+
+Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf.
+

advisories/published/2025/JLSEC-0000-mns3412jm-657qpt.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns3412jm-657qpt"
+modified = 2025-10-17T14:50:10.594Z
+upstream = ["CVE-2023-34872"]
+references = ["https://gitlab.freedesktop.org/poppler/poppler/-/commit/591235c8b6c65a2eee88991b9ae73490fd9afdfe", "https://gitlab.freedesktop.org/poppler/poppler/-/issues/1399", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XXL3L6RJOTLGCN7GLH2OLLNF4FJ4T7I/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JQ3NYJ43U2MA7COKGMJDARZUAAOP45D4/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SFBT75QHBWNMSDAHSXZQ2I3PBJWID36K/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W3H3GOWFE3C7543GMEN7LY4GWMWJ7D2G/", "https://gitlab.freedesktop.org/poppler/poppler/-/commit/591235c8b6c65a2eee88991b9ae73490fd9afdfe", "https://gitlab.freedesktop.org/poppler/poppler/-/issues/1399", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XXL3L6RJOTLGCN7GLH2OLLNF4FJ4T7I/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JQ3NYJ43U2MA7COKGMJDARZUAAOP45D4/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SFBT75QHBWNMSDAHSXZQ2I3PBJWID36K/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W3H3GOWFE3C7543GMEN7LY4GWMWJ7D2G/"]
+
+[[affected]]
+pkg = "Poppler_jll"
+ranges = ["< 23.12.0+0"]
+
+[[jlsec_sources]]
+id = "CVE-2023-34872"
+imported = 2025-10-17T14:50:10.594Z
+modified = 2025-07-09T14:15:24.977Z
+published = 2023-07-31T14:15:10.427Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-34872"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2023-34872"
+```
+
+# A vulnerability in Outline.cc for Poppler prior to 23.06.0 allows a remote attacker to cause a Denia...
+
+A vulnerability in Outline.cc for Poppler prior to 23.06.0 allows a remote attacker to cause a Denial of Service (DoS) (crash) via a crafted PDF file in OutlineItem::open.
+

advisories/published/2025/JLSEC-0000-mns3412jt-7xg94t.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns3412jt-7xg94t"
+modified = 2025-10-17T14:50:10.601Z
+upstream = ["CVE-2024-56378"]
+references = ["https://gitlab.freedesktop.org/poppler/poppler/-/blob/30eada0d2bceb42c2d2a87361339063e0b9bea50/CMakeLists.txt#L621", "https://gitlab.freedesktop.org/poppler/poppler/-/commit/ade9b5ebed44b0c15522c27669ef6cdf93eff84e", "https://gitlab.freedesktop.org/poppler/poppler/-/issues/1553"]
+
+[[affected]]
+pkg = "Poppler_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2024-56378"
+imported = 2025-10-17T14:50:10.601Z
+modified = 2025-10-10T18:31:11.853Z
+published = 2024-12-23T00:15:05.133Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-56378"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2024-56378"
+```
+
+# libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read vulnerability within the JBIG2Bit...
+
+libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc.
+

advisories/published/2025/JLSEC-0000-mns3412jt-vclwv9.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns3412jt-vclwv9"
+modified = 2025-10-17T14:50:10.601Z
+upstream = ["CVE-2024-6239"]
+references = ["https://access.redhat.com/errata/RHSA-2024:5305", "https://access.redhat.com/errata/RHSA-2024:9167", "https://access.redhat.com/security/cve/CVE-2024-6239", "https://bugzilla.redhat.com/show_bug.cgi?id=2293594", "https://access.redhat.com/security/cve/CVE-2024-6239", "https://bugzilla.redhat.com/show_bug.cgi?id=2293594"]
+
+[[affected]]
+pkg = "Poppler_jll"
+ranges = ["< 24.6.0+0"]
+
+[[jlsec_sources]]
+id = "CVE-2024-6239"
+imported = 2025-10-17T14:50:10.601Z
+modified = 2024-11-21T09:49:15.570Z
+published = 2024-06-21T14:15:14.007Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-6239"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2024-6239"
+```
+
+# A flaw was found in the Poppler's Pdfinfo utility
+
+A flaw was found in the Poppler's Pdfinfo utility. This issue occurs when using -dests parameter with pdfinfo utility. By using certain malformed input files, an attacker could cause the utility to crash, leading to a denial of service.
+

advisories/published/2025/JLSEC-0000-mns3413ny-8uecmm.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns3413ny-8uecmm"
+modified = 2025-10-17T14:50:12.046Z
+upstream = ["CVE-2025-32364"]
+references = ["https://gitlab.freedesktop.org/poppler/poppler/-/commit/d87bc726c7cc98f8c26b60ece5f20236e9de1bc3", "https://gitlab.freedesktop.org/poppler/poppler/-/issues/1574"]
+
+[[affected]]
+pkg = "Poppler_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2025-32364"
+imported = 2025-10-17T14:50:12.046Z
+modified = 2025-10-09T14:00:04.740Z
+published = 2025-04-05T22:15:18.337Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-32364"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-32364"
+```
+
+# A floating-point exception in the PSStack::roll function of Poppler before 25.04.0 can cause an appl...
+
+A floating-point exception in the PSStack::roll function of Poppler before 25.04.0 can cause an application to crash when handling malformed inputs associated with INT_MIN.
+

advisories/published/2025/JLSEC-0000-mns3413v6-u0yfix.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns3413v6-u0yfix"
+modified = 2025-10-17T14:50:12.306Z
+upstream = ["CVE-2025-32365"]
+references = ["https://gitlab.freedesktop.org/poppler/poppler/-/issues/1577", "https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1792"]
+
+[[affected]]
+pkg = "Poppler_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2025-32365"
+imported = 2025-10-17T14:50:12.306Z
+modified = 2025-10-09T13:51:48.690Z
+published = 2025-04-05T22:15:19.010Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-32365"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-32365"
+```
+
+# Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap:...
+
+Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check.
+

advisories/published/2025/JLSEC-0000-mns3413v8-6uzkb.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns3413v8-6uzkb"
+modified = 2025-10-17T14:50:12.308Z
+upstream = ["CVE-2025-43903"]
+references = ["https://gitlab.freedesktop.org/poppler/poppler/-/commit/f1b9c830f145a0042e853d6462b2f9ca4016c669"]
+
+[[affected]]
+pkg = "Poppler_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2025-43903"
+imported = 2025-10-17T14:50:12.308Z
+modified = 2025-10-06T16:37:14.947Z
+published = 2025-04-18T21:15:44.673Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-43903"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-43903"
+```
+
+# NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on ...
+
+NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries.
+

advisories/published/2025/JLSEC-0000-mns3413vs-194h24t.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns3413vs-194h24t"
+modified = 2025-10-17T14:50:12.328Z
+upstream = ["CVE-2025-52886"]
+references = ["https://gitlab.freedesktop.org/poppler/poppler/-/commit/04bd91684ed41d67ae0f10cde0660e4ed74ac203", "https://gitlab.freedesktop.org/poppler/poppler/-/commit/ac36affcc8486de38e8905a8d6547a3464ff46e5", "https://gitlab.freedesktop.org/poppler/poppler/-/issues/1581", "https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1828", "https://securitylab.github.com/advisories/GHSL-2025-054_poppler/"]
+
+[[affected]]
+pkg = "Poppler_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2025-52886"
+imported = 2025-10-17T14:50:12.328Z
+modified = 2025-10-10T19:52:47.103Z
+published = 2025-07-02T16:15:28.933Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-52886"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-52886"
+```
+
+# Poppler is a PDF rendering library
+
+Poppler is a PDF rendering library. Versions prior to 25.06.0 use `std::atomic_int` for reference counting. Because `std::atomic_int` is only 32 bits, it is possible to overflow the reference count and trigger a use-after-free. Version 25.06.0 patches the issue.
+

advisories/published/2025/JLSEC-0000-mns341405-1d4tk37.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns341405-1d4tk37"
+modified = 2025-10-17T14:50:12.485Z
+upstream = ["CVE-2025-50420"]
+references = ["http://freedesktop.com", "http://poppler.com", "https://github.com/Landw-hub/CVE-2025-50420"]
+
+[[affected]]
+pkg = "Poppler_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2025-50420"
+imported = 2025-10-17T14:50:12.485Z
+modified = 2025-10-09T17:43:54.350Z
+published = 2025-08-04T17:15:30.700Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-50420"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-50420"
+```
+
+# An issue in the pdfseparate utility of freedesktop poppler v25.04.0 allows attackers to cause an inf...
+
+An issue in the pdfseparate utility of freedesktop poppler v25.04.0 allows attackers to cause an infinite recursion via supplying a crafted PDF file. This can lead to a Denial of Service (DoS).
+