ELA-1468-1 poppler security update

Package	poppler
Version	0.48.0-2+deb9u7 (stretch)
Related CVEs	CVE-2017-7515 CVE-2017-14617 CVE-2018-20551 CVE-2019-9903 CVE-2020-23804 CVE-2022-37050 CVE-2022-37051 CVE-2022-37052 CVE-2022-38349 CVE-2024-56378 CVE-2025-32364 CVE-2025-32365

Multiple vulnerabilities were discovered in poppler, a PDF rendering library, which could result in denial of service. An attacker could make poppler-based applications crash through various means.

Additionally, boomaga (BOOklet MAnager), a virtual preview printer, was rebuilt to handle ABI-breaking changes in the poppler private API.

• CVE-2017-7515

  An uncontrolled recursion in pdfunite resulting into potential denial-of-service. Note: the fix is a pre-requisite for CVE-2019-9903’s.

• CVE-2017-14617

  Complete fix, initially fix was in 0.48.0-2+deb9u1. For reference:

  A floating point exception occurs in the ImageStream class in Stream.cc, which may lead to a potential attack when handling malicious PDF files.

• CVE-2018-20551

  A reachable Object::getString assertion allows attackers to cause a denial of service due to construction of invalid rich media annotation assets in the AnnotRichMedia class in Annot.c.

• CVE-2019-9903

  PDFDoc::markObject in PDFDoc.cc mishandles dict marking, leading to stack consumption in the function Dict::find() located at Dict.cc, which can (for example) be triggered by passing a crafted pdf file to the pdfunite binary.

• CVE-2020-23804

  Uncontrolled Recursion in pdfinfo, and pdftops allows remote attackers to cause a denial of service via crafted input.

• CVE-2022-37050

  PDFDoc::savePageAs in PDFDoc.c callows attackers to cause a denial-of-service (application crashes with SIGABRT) by crafting a PDF file in which the xref data structure is mishandled in getCatalog processing. Note that this vulnerability is caused by the incomplete patch of CVE-2018-20662.

• CVE-2022-37051

  A reachable abort which leads to denial of service because the main function in pdfunite.cc lacks a stream check before saving an embedded file.

• CVE-2022-37052

  A reachable Object::getString assertion allows attackers to cause a denial of service due to a failure in markObject.

• CVE-2022-38349

  There is a reachable assertion in Object.h, will lead to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file.

• CVE-2024-56378

  Out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc.

• CVE-2025-32364

  A floating-point exception in the PSStack::roll function can cause an application to crash when handling malformed inputs associated with INT_MIN.

• CVE-2025-32365

  Poppler allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check.

For Debian 9 stretch, these problems have been fixed in version 0.48.0-2+deb9u7.

We recommend that you upgrade your poppler packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.