Package | poppler |
---|---|
Version | 0.71.0-5+deb10u4 (buster) |
Related CVEs | CVE-2022-37052 CVE-2022-38349 CVE-2024-56378 CVE-2025-32364 CVE-2025-32365 |
Multiple vulnerabilities were discovered in poppler, a PDF rendering library, which could result in denial of service. An attacker could make poppler-based applications crash through various means.
- CVE-2022-37052: A reachable Object::getString assertion allows attackers to cause a denial of service due to a failure in markObject.
- CVE-2022-38349: A reachable assertion in Object.h leads to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file.
- CVE-2024-56378: Out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc.
- CVE-2025-32364: A floating-point exception in the PSStack::roll function can cause an application to crash when handling malformed inputs associated with INT_MIN.
- CVE-2025-32365: Poppler allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check.
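The class of defect behind CVE-2025-32364, shown as an added example that is not poppler's code: a stack "roll" that validates its operands before any arithmetic, so that INT_MIN cannot reach a negation or a trapping `%`. The advisory does not say which operation in PSStack::roll faults; the `Stack` type, `STACK_SIZE`, `normalize_shift` and `safe_roll` are hypothetical names for this sketch.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define STACK_SIZE 100 /* assumed capacity for this sketch */

/* Hypothetical operand stack: v[depth - 1] is the top element. */
typedef struct { int v[STACK_SIZE]; int depth; } Stack;

/* Reduce j into [0, n) without negating j or using '%' with n <= 0.
 * In C, -INT_MIN overflows and INT_MIN % -1 is undefined; on x86 the
 * division instruction traps and the process dies with SIGFPE. */
static bool normalize_shift(int n, int j, int *out)
{
    if (n <= 0)
        return false;   /* rejects 0 and every negative n, including -1 */
    int r = j % n;      /* defined for all j because n >= 1 */
    if (r < 0)
        r += n;         /* r is in (-n, 0), so the sum cannot overflow */
    *out = r;
    return true;
}

/* Rotate the top n elements by j positions toward the top of the stack
 * (PostScript "roll" semantics). Returns false and leaves the stack
 * untouched when the operands are invalid. */
bool safe_roll(Stack *s, int n, int j)
{
    int k, tmp[STACK_SIZE];
    if (s->depth < 0 || s->depth > STACK_SIZE || n > s->depth)
        return false;
    if (!normalize_shift(n, j, &k))
        return false;
    int *base = &s->v[s->depth - n];
    for (int i = 0; i < n; i++)
        tmp[(i + k) % n] = base[i];   /* element i moves up by k slots */
    memcpy(base, tmp, (size_t)n * sizeof(int));
    return true;
}

int main(void)
{
    Stack s = { {1, 2, 3}, 3 };       /* constructed sample stack */
    printf("roll(3, 1):        %d\n", safe_roll(&s, 3, 1));
    printf("roll(-1, INT_MIN): %d\n", safe_roll(&s, -1, INT_MIN));
    printf("stack: %d %d %d\n", s.v[0], s.v[1], s.v[2]);
    return 0;
}
```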
For Debian 10 buster, these problems have been fixed in version 0.71.0-5+deb10u4.
We recommend that you upgrade your poppler packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.