[Buildroot] [git commit] package/poppler: security bump to v25.10.0

Julien Olivain ju.o at free.fr
Fri Oct 24 20:59:00 UTC 2025 

commit: https://git.buildroot.net/buildroot/commit/?id=cdd1c5ca55620a4bdd1574d41fc5538d50f7359a
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master

This contains many bug and security fixes since v22.12.0.
See the release notes: https://poppler.freedesktop.org/releases.html

In addition:
- Drop patch that has been applied upstream
- Update a few cmake configuration options that changed upstream

There is currently a build failure when enabling gpgme, so disable it
unconditionally for now.

Finally, this fixes the following vulnerabilities:
- CVE-2024-6239:
    A flaw was found in the Poppler's Pdfinfo utility. This issue occurs
    when using -dests parameter with pdfinfo utility. By using certain
    malformed input files, an attacker could cause the utility to crash,
    leading to a denial of service.
    https://www.cve.org/CVERecord?id=CVE-2024-6239

- CVE-2024-56378:
    libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read
    vulnerability within the JBIG2Bitmap::combine function in
    JBIG2Stream.cc.
    https://www.cve.org/CVERecord?id=CVE-2024-56378

- CVE-2025-32364:
    A floating-point exception in the PSStack::roll function of Poppler
    before 25.04.0 can cause an application to crash when handling
    malformed inputs associated with INT_MIN.
    https://www.cve.org/CVERecord?id=CVE-2025-32364

- CVE-2025-32365:
    Poppler before 25.04.0 allows crafted input files to trigger out-of-
    bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc
    because of a misplaced isOk check.
    https://www.cve.org/CVERecord?id=CVE-2025-32365

- CVE-2025-43903:
    NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the
    adbe.pkcs7.sha1 signatures on documents, resulting in potential
    signature forgeries.
    https://www.cve.org/CVERecord?id=CVE-2025-43903

- CVE-2025-50420:
    An issue in the pdfseparate utility of freedesktop poppler v25.04.0
    allows attackers to cause an infinite recursion via supplying a
    crafted PDF file. This can lead to a Denial of Service (DoS).
    https://www.cve.org/CVERecord?id=CVE-2025-50420

- CVE-2025-52886:
    Poppler is a PDF rendering library. Versions prior to 25.06.0 use
    `std::atomic_int` for reference counting. Because `std::atomic_int` is
    only 32 bits, it is possible to overflow the reference count and
    trigger a use-after-free. Version 25.06.0 patches the issue.
    https://www.cve.org/CVERecord?id=CVE-2025-52886

Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
[Julien: mark commit as "security" in commit log title]
Signed-off-by: Julien Olivain <ju.o at free.fr>
---
 ...ineItem-open-Fix-crash-on-malformed-files.patch | 45 ----------------------
 package/poppler/poppler.hash                       |  4 +-
 package/poppler/poppler.mk                         | 24 +++++++-----
 3 files changed, 17 insertions(+), 56 deletions(-)

diff --git a/package/poppler/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch b/package/poppler/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch
deleted file mode 100644
index 478759e0cc..0000000000
--- a/package/poppler/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From e5cc11e0b5b867f4705fd28ff1b981c1224be1cd Mon Sep 17 00:00:00 2001
-From: Albert Astals Cid <aacid at kde.org>
-Date: Wed, 17 May 2023 22:42:05 +0200
-Subject: [PATCH] OutlineItem::open: Fix crash on malformed files
-
-Fixes #1399
-
-Upstream: https://gitlab.freedesktop.org/poppler/poppler/-/commit/591235c8b6c65a2eee88991b9ae73490fd9afdfe
-[Thomas: backported to fix CVE-2023-34872]
-Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
----
- poppler/Outline.cc | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/poppler/Outline.cc b/poppler/Outline.cc
-index cbb6cb49..4c68be99 100644
---- a/poppler/Outline.cc
-+++ b/poppler/Outline.cc
-@@ -14,7 +14,7 @@
- // under GPL version 2 or later
- //
- // Copyright (C) 2005 Marco Pesenti Gritti <mpg at redhat.com>
--// Copyright (C) 2008, 2016-2019, 2021 Albert Astals Cid <aacid at kde.org>
-+// Copyright (C) 2008, 2016-2019, 2021, 2023 Albert Astals Cid <aacid at kde.org>
- // Copyright (C) 2009 Nick Jones <nick.jones at network-box.com>
- // Copyright (C) 2016 Jason Crain <jason at aquaticape.us>
- // Copyright (C) 2017 Adrian Johnson <ajohnson at redneon.com>
-@@ -483,8 +483,12 @@ void OutlineItem::open()
- {
-     if (!kids) {
-         Object itemDict = xref->fetch(ref);
--        const Object &firstRef = itemDict.dictLookupNF("First");
--        kids = readItemList(this, &firstRef, xref, doc);
-+        if (itemDict.isDict()) {
-+            const Object &firstRef = itemDict.dictLookupNF("First");
-+            kids = readItemList(this, &firstRef, xref, doc);
-+        } else {
-+            kids = new std::vector<OutlineItem *>();
-+        }
-     }
- }
- 
--- 
-2.41.0
-
diff --git a/package/poppler/poppler.hash b/package/poppler/poppler.hash
index bb07b2ee6a..34f8bcd58f 100644
--- a/package/poppler/poppler.hash
+++ b/package/poppler/poppler.hash
@@ -1,3 +1,3 @@
-# Locally calculated
-sha256  d9aa9cacdfbd0f8e98fc2b3bb008e645597ed480685757c3e7bc74b4278d15c0  poppler-22.12.0.tar.xz
+# Locally calculated after verifying GPG signature
+sha256  6b5e9bb64dabb15787a14db1675291c7afaf9387438cc93a4fb7f6aec4ee6fe0  poppler-25.10.0.tar.xz
 sha256  ab15fd526bd8dd18a9e77ebc139656bf4d33e97fc7238cd11bf60e2b9b8666c6  COPYING
diff --git a/package/poppler/poppler.mk b/package/poppler/poppler.mk
index 776fb4d566..08214d38b4 100644
--- a/package/poppler/poppler.mk
+++ b/package/poppler/poppler.mk
@@ -4,15 +4,13 @@
 #
 ################################################################################
 
-POPPLER_VERSION = 22.12.0
+POPPLER_VERSION = 25.10.0
 POPPLER_SOURCE = poppler-$(POPPLER_VERSION).tar.xz
 POPPLER_SITE = https://poppler.freedesktop.org
 POPPLER_DEPENDENCIES = fontconfig host-pkgconf
 POPPLER_LICENSE = GPL-2.0+
 POPPLER_LICENSE_FILES = COPYING
 POPPLER_CPE_ID_VENDOR = freedesktop
-# 0001-OutlineItem-open-Fix-crash-on-malformed-files.patch
-POPPLER_IGNORE_CVES += CVE-2023-34872
 POPPLER_INSTALL_STAGING = YES
 
 POPPLER_CONF_OPTS = \
@@ -24,6 +22,7 @@ POPPLER_CONF_OPTS = \
 	-DBUILD_MANUAL_TESTS=OFF \
 	-DENABLE_GTK_DOC=OFF \
 	-DENABLE_QT6=OFF \
+	-DENABLE_GPGME=OFF \
 	-DRUN_GPERF_IF_PRESENT=OFF
 
 ifeq ($(BR2_TOOLCHAIN_HAS_LIBATOMIC),y)
@@ -98,9 +97,9 @@ endif
 
 ifeq ($(BR2_PACKAGE_ZLIB),y)
 POPPLER_DEPENDENCIES += zlib
-POPPLER_CONF_OPTS += -DENABLE_ZLIB=ON
+POPPLER_CONF_OPTS += -DENABLE_ZLIB_UNCOMPRESS=ON
 else
-POPPLER_CONF_OPTS += -DENABLE_ZLIB=OFF
+POPPLER_CONF_OPTS += -DENABLE_ZLIB_UNCOMPRESS=OFF
 endif
 
 ifeq ($(BR2_PACKAGE_CAIRO),y)
@@ -112,9 +111,9 @@ endif
 
 ifeq ($(BR2_PACKAGE_TIFF),y)
 POPPLER_DEPENDENCIES += tiff
-POPPLER_CONF_OPTS += -DWITH_TIFF=ON
+POPPLER_CONF_OPTS += -DENABLE_LIBTIFF=ON
 else
-POPPLER_CONF_OPTS += -DWITH_TIFF=OFF
+POPPLER_CONF_OPTS += -DENABLE_LIBTIFF=OFF
 endif
 
 ifeq ($(BR2_PACKAGE_LIBGLIB2),y)
@@ -126,9 +125,16 @@ endif
 
 ifeq ($(BR2_PACKAGE_LIBNSS),y)
 POPPLER_DEPENDENCIES += libnss
-POPPLER_CONF_OPTS += -DWITH_NSS3=ON
+POPPLER_CONF_OPTS += -DENABLE_NSS3=ON
 else
-POPPLER_CONF_OPTS += -DWITH_NSS3=OFF
+POPPLER_CONF_OPTS += -DENABLE_NSS3=OFF
+endif
+
+ifeq ($(BR2_PACKAGE_LCMS2),y)
+POPPLER_DEPENDENCIES += lcms2
+POPPLER_CONF_OPTS += -DENABLE_LCMS=ON
+else
+POPPLER_CONF_OPTS += -DENABLE_LCMS=OFF
 endif
 
 ifeq ($(BR2_SOFT_FLOAT),y)

More information about the buildroot mailing list