poppler: fix CVE-2025-52886

Poppler is a PDF rendering library. Versions prior to 25.06.0
use `std::atomic_int` for reference counting. Because
`std::atomic_int` is only 32 bits, it is possible to overflow
the reference count and trigger a use-after-free. Version 25.06.0
patches the issue.

References:
https://nvd.nist.gov/vuln/detail/CVE-2025-52886
https://security-tracker.debian.org/tracker/CVE-2025-52886

Upstream patches:
3449a16d3b
ac36affcc8

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Yogita Urade 2025-07-11 16:58:42 +05:30 committed by Armin Kuster
parent 21e370fd3c
commit c8a1b909ec
3 changed files with 4385 additions and 0 deletions



@ -0,0 +1,58 @@
From ac36affcc8486de38e8905a8d6547a3464ff46e5 Mon Sep 17 00:00:00 2001
From: Sune Vuorela <sune@vuorela.dk>
Date: Tue, 3 Jun 2025 00:35:19 +0200
Subject: [PATCH] Limit ammount of annots per document/page
CVE: CVE-2025-52886
Upstream-Status: Backport [https://gitlab.freedesktop.org/poppler/poppler/-/commit/ac36affcc8486de38e8905a8d6547a3464ff46e5
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
poppler/Annot.cc | 4 ++++
poppler/Page.cc | 16 ++++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/poppler/Annot.cc b/poppler/Annot.cc
index b98df5d..3e9dfac 100644
--- a/poppler/Annot.cc
+++ b/poppler/Annot.cc
@@ -7450,6 +7450,10 @@ Annots::Annots(PDFDoc *docA, int page, Object *annotsObj)
const Object &obj2 = annotsObj->arrayGetNF(i);
std::shared_ptr<Annot> annot = createAnnot(std::move(obj1), &obj2);
if (annot) {
+ if (annot.use_count() > 100000) {
+ error(errSyntaxError, -1, "Annotations likely malformed. Too many references. Stopping processing annots on page {0:d}", page);
+ break;
+ }
if (annot->isOk()) {
annot->setPage(page, false); // Don't change /P
appendAnnot(annot);
diff --git a/poppler/Page.cc b/poppler/Page.cc
index 234f124..858b128 100644
--- a/poppler/Page.cc
+++ b/poppler/Page.cc
@@ -288,6 +288,22 @@ Page::Page(PDFDoc *docA, int numA, Object &&pageDict, Ref pageRefA, PageAttrs *a
goto err2;
}
+ if (annotsObj.isArray() && annotsObj.arrayGetLength() > 10000) {
+ error(errSyntaxError, -1, "Page annotations object (page {0:d}) is likely malformed. Too big: ({1:d})", num, annotsObj.arrayGetLength());
+ goto err2;
+ }
+ if (annotsObj.isRef()) {
+ auto resolvedObj = getAnnotsObject();
+ if (resolvedObj.isArray() && resolvedObj.arrayGetLength() > 10000) {
+ error(errSyntaxError, -1, "Page annotations object (page {0:d}) is likely malformed. Too big: ({1:d})", num, resolvedObj.arrayGetLength());
+ goto err2;
+ }
+ if (!resolvedObj.isArray() && !resolvedObj.isNull()) {
+ error(errSyntaxError, -1, "Page annotations object (page {0:d}) is wrong type ({1:s})", num, resolvedObj.getTypeName());
+ goto err2;
+ }
+ }
+
// contents
contents = pageObj.dictLookupNF("Contents").copy();
if (!(contents.isRef() || contents.isArray() || contents.isNull())) {
--
2.40.0
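Review bot: The `Upstream-Status:` line in this backport header opens a bracket for the upstream URL but never closes it; the OE patch-metadata convention is `Upstream-Status: Backport [<url>]`, so the line should end with `]` after the commit URL. The code body of the patch mirrors upstream commit ac36affcc8 verbatim and should stay that way rather than being edited locally, so this is a recipe-metadata fix only. Worth noting for the commit as a whole: what this patch adds is a mitigation (a cap of 10000 entries on a page's /Annots array and a 100000 use_count ceiling per annot) rather than the reference-count type change described in the commit message, which is presumably carried by the suppressed 0001 patch (upstream 3449a16d3b) that cannot be reviewed on this page.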


@ -16,6 +16,8 @@ SRC_URI = "http://poppler.freedesktop.org/${BP}.tar.xz \
file://CVE-2025-32365.patch \
file://CVE-2025-43903-0001.patch \
file://CVE-2025-43903-0002.patch \
file://CVE-2025-52886-0001.patch \
file://CVE-2025-52886-0002.patch \
"
SRC_URI[sha256sum] = "b6d893dc7dcd4138b9e9df59a13c59695e50e80dc5c2cacee0674670693951a1"