Opened 8 months ago

Closed 8 months ago

Last modified 7 months ago

#21675 closed enhancement (fixed)

poppler-25.06.0

Reported by: Bruce Dubbs Owned by: Bruce Dubbs
Priority: elevated Milestone: 12.4
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New monthly version.

Change History (5)

comment:1 by Bruce Dubbs, 8 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:2 by Bruce Dubbs, 8 months ago

Release 25.06.0:

core:

  • Fix writing dates back to file
  • Internal code improvements
  • Fix crashes in malformed documents

glib:

  • Add the ink annotation type
  • Add missing autopointers definitions

utils:

  • pdfsig: Add assert-signer feature
  • pdfsig: Return error code on error

comment:3 by Bruce Dubbs, 8 months ago

Resolution: fixed
Status: assigned → closed

Fixed at commits

81d0efd838 Update to poppler-25.06.0.
4a9b840f1e Update to hwdata-0.396.
caf0f4982d Update to curl-8.14.1.

comment:4 by Douglas R. Reno, 7 months ago

Priority: normal → elevated

There was a security fix hidden in here. I originally thought it was fixed in 25.07.0, but the mail from oss-security mentions 25.06.0.

Summary

poppler uses std::atomic_int for reference counting. Because it is only 32 bits,
it is possible to overflow the reference count and trigger a use-after-free.

Project

poppler

Tested Version

25.02.0

Details

Use-after-free due to reference count integer overflow (GHSL-2025-054)

poppler uses the type std::atomic_int for reference counting in four locations:

    Annot.h
    Array.h
    Dict.h
    Stream.h

Because std::atomic_int is only 32 bits, it’s possible to overflow one of these
reference counts, which can lead to a use-after-free memory corruption
vulnerability.

We have included a proof of concept which triggers an integer overflow on the
reference count in Annot.h. The poc file is only 3.1KB in size, but contains a
stream which decompresses to an array of annotations of size 0x1000000. That
array is referenced by 0x100 pages, which causes the reference count on the
annotation to be incremented 0x100000000 times, so it wraps around to zero and
the annotation is deleted. Run the poc like this:

    pdftohtml GHSL-2025-054_poppler_refcount.pdf

Impact

It’s possible that this use-after-free bug could be exploited to achieve code
execution in poppler. However, in our testing it took 12 hours to trigger the
use-after-free, so in practice the risk of exploitation is low.

CWEs

    CWE-190: “Integer Overflow or Wraparound”
    CWE-416: “Use After Free”
    CWE-911: “Improper Update of Reference Count”

CVE

    CVE-2025-52886
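
The advisory quoted above turns on one detail: a 32-bit counter wraps after 2^32 increments, and a release that then sees the count reach zero deletes an object other holders still use. The following is an added illustration written for this ticket, not poppler's code: a minimal refcount model (the RefCounted class, the incRefChecked / incRefUnchecked / decRef names and the three demo functions are all invented here) with the wrapping increment beside a checked increment and a widened counter, seeded just below the 32-bit limit so the wrap shows in a few hundred increments instead of 0x100000000.

```cpp
#include <atomic>
#include <cstdint>
#include <limits>

// Model of the pattern in the advisory: lifetime governed by an atomic counter.
// Counter = uint32_t mirrors the 32-bit std::atomic_int; uint64_t is the widened form.
template <typename Counter>
class RefCounted {
public:
    explicit RefCounted(Counter initial = 1) : ref_(initial) {}
    // Unchecked increment: silently wraps at the type's maximum.
    void incRefUnchecked() { ref_.fetch_add(1, std::memory_order_relaxed); }
    // Checked increment: CAS loop that refuses to step past the maximum, so the
    // caller is told the reference was not granted instead of the count wrapping.
    bool incRefChecked() {
        Counter old = ref_.load(std::memory_order_relaxed);
        do {
            if (old == std::numeric_limits<Counter>::max()) return false;
        } while (!ref_.compare_exchange_weak(old, old + 1, std::memory_order_relaxed));
        return true;
    }
    // True when this release drops the count to zero: the real object would be deleted here.
    bool decRef() { return ref_.fetch_sub(1, std::memory_order_acq_rel) == 1; }
    Counter count() const { return ref_.load(std::memory_order_relaxed); }
private:
    std::atomic<Counter> ref_;
};

// Vulnerable shape, scaled down: seed the 32-bit counter so that `holders`
// unchecked increments wrap it to 1. The first holder's release then reports
// "deleted" while holders - 1 references are still live (the use-after-free).
bool narrowCounterFreesEarly(uint32_t holders) {
    RefCounted<uint32_t> obj(UINT32_MAX - holders + 2);
    for (uint32_t i = 0; i < holders; ++i) obj.incRefUnchecked();
    return obj.decRef();
}

// Same seeding with the checked increment: the two increments that would
// overflow are refused and the count stays pinned at the maximum.
bool checkedIncrementRefuses(uint32_t holders) {
    RefCounted<uint32_t> obj(UINT32_MAX - holders + 2);
    uint32_t granted = 0;
    for (uint32_t i = 0; i < holders; ++i) granted += obj.incRefChecked() ? 1 : 0;
    return granted == holders - 2 && obj.count() == UINT32_MAX;
}

// Widened counter: the same increments land nowhere near the 64-bit maximum.
uint64_t wideCounterAfter(uint32_t holders) {
    RefCounted<uint64_t> obj(uint64_t{UINT32_MAX} - holders + 2);
    for (uint32_t i = 0; i < holders; ++i) obj.incRefUnchecked();
    return obj.count();
}
```

With 256 holders (the 0x100 pages of the advisory's PoC) the unchecked 32-bit counter reports deletion on the very first release, the checked counter grants only 254 of the 256 references, and the 64-bit counter ends at 4294967297 with no wrap.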

comment:5 by Douglas R. Reno, 7 months ago

SA-12.3-071 issued