[Buildroot] [PATCH] package/poppler: bump to v25.10.0

Thomas Perale thomas.perale at mind.be
Thu Oct 30 08:23:42 UTC 2025 

In reply of:
> This contains many bug and security fixes since v22.12.0.
> See the release notes: https://poppler.freedesktop.org/releases.html
> 
> In addition:
> - Drop patch that has been applied upstream
> - Update a few cmake configuration options that changed upstream
> 
> There is currently a build failure when enabling gpgme, so disable it
> unconditionally for now.
> 
> Finally, this fixes the following vulnerabilities:
> - CVE-2024-6239:
>     A flaw was found in the Poppler's Pdfinfo utility. This issue occurs
>     when using -dests parameter with pdfinfo utility. By using certain
>     malformed input files, an attacker could cause the utility to crash,
>     leading to a denial of service.
>     https://www.cve.org/CVERecord?id=CVE-2024-6239
> 
> - CVE-2024-56378:
>     libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read
>     vulnerability within the JBIG2Bitmap::combine function in
>     JBIG2Stream.cc.
>     https://www.cve.org/CVERecord?id=CVE-2024-56378
> 
> - CVE-2025-32364:
>     A floating-point exception in the PSStack::roll function of Poppler
>     before 25.04.0 can cause an application to crash when handling
>     malformed inputs associated with INT_MIN.
>     https://www.cve.org/CVERecord?id=CVE-2025-32364
> 
> - CVE-2025-32365:
>     Poppler before 25.04.0 allows crafted input files to trigger out-of-
>     bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc
>     because of a misplaced isOk check.
>     https://www.cve.org/CVERecord?id=CVE-2025-32365
> 
> - CVE-2025-43903:
>     NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the
>     adbe.pkcs7.sha1 signatures on documents, resulting in potential
>     signature forgeries.
>     https://www.cve.org/CVERecord?id=CVE-2025-43903
> 
> - CVE-2025-50420:
>     An issue in the pdfseparate utility of freedesktop poppler v25.04.0
>     allows attackers to cause an infinite recursion via supplying a
>     crafted PDF file. This can lead to a Denial of Service (DoS).
>     https://www.cve.org/CVERecord?id=CVE-2025-50420
> 
> - CVE-2025-52886:
>     Poppler is a PDF rendering library. Versions prior to 25.06.0 use
>     `std::atomic_int` for reference counting. Because `std::atomic_int` is
>     only 32 bits, it is possible to overflow the reference count and
>     trigger a use-after-free. Version 25.06.0 patches the issue.
>     https://www.cve.org/CVERecord?id=CVE-2025-52886
> 
> Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>

Applied to 2025.02.x & 2025.08.x. Thanks

> ---
>  ...em-open-Fix-crash-on-malformed-files.patch | 45 -------------------
>  package/poppler/poppler.hash                  |  4 +-
>  package/poppler/poppler.mk                    | 24 ++++++----
>  3 files changed, 17 insertions(+), 56 deletions(-)
>  delete mode 100644 package/poppler/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch
> 
> diff --git a/package/poppler/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch b/package/poppler/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch
> deleted file mode 100644
> index 478759e0cc..0000000000
> --- a/package/poppler/0001-OutlineItem-open-Fix-crash-on-malformed-files.patch
> +++ /dev/null
> @@ -1,45 +0,0 @@
> -From e5cc11e0b5b867f4705fd28ff1b981c1224be1cd Mon Sep 17 00:00:00 2001
> -From: Albert Astals Cid <aacid at kde.org>
> -Date: Wed, 17 May 2023 22:42:05 +0200
> -Subject: [PATCH] OutlineItem::open: Fix crash on malformed files
> -
> -Fixes #1399
> -
> -Upstream: https://gitlab.freedesktop.org/poppler/poppler/-/commit/591235c8b6c65a2eee88991b9ae73490fd9afdfe
> -[Thomas: backported to fix CVE-2023-34872]
> -Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
> ----
> - poppler/Outline.cc | 10 +++++++---
> - 1 file changed, 7 insertions(+), 3 deletions(-)
> -
> -diff --git a/poppler/Outline.cc b/poppler/Outline.cc
> -index cbb6cb49..4c68be99 100644
> ---- a/poppler/Outline.cc
> -+++ b/poppler/Outline.cc
> -@@ -14,7 +14,7 @@
> - // under GPL version 2 or later
> - //
> - // Copyright (C) 2005 Marco Pesenti Gritti <mpg at redhat.com>
> --// Copyright (C) 2008, 2016-2019, 2021 Albert Astals Cid <aacid at kde.org>
> -+// Copyright (C) 2008, 2016-2019, 2021, 2023 Albert Astals Cid <aacid at kde.org>
> - // Copyright (C) 2009 Nick Jones <nick.jones at network-box.com>
> - // Copyright (C) 2016 Jason Crain <jason at aquaticape.us>
> - // Copyright (C) 2017 Adrian Johnson <ajohnson at redneon.com>
> -@@ -483,8 +483,12 @@ void OutlineItem::open()
> - {
> -     if (!kids) {
> -         Object itemDict = xref->fetch(ref);
> --        const Object &firstRef = itemDict.dictLookupNF("First");
> --        kids = readItemList(this, &firstRef, xref, doc);
> -+        if (itemDict.isDict()) {
> -+            const Object &firstRef = itemDict.dictLookupNF("First");
> -+            kids = readItemList(this, &firstRef, xref, doc);
> -+        } else {
> -+            kids = new std::vector<OutlineItem *>();
> -+        }
> -     }
> - }
> - 
> --- 
> -2.41.0
> -
> diff --git a/package/poppler/poppler.hash b/package/poppler/poppler.hash
> index bb07b2ee6a..34f8bcd58f 100644
> --- a/package/poppler/poppler.hash
> +++ b/package/poppler/poppler.hash
> @@ -1,3 +1,3 @@
> -# Locally calculated
> -sha256  d9aa9cacdfbd0f8e98fc2b3bb008e645597ed480685757c3e7bc74b4278d15c0  poppler-22.12.0.tar.xz
> +# Locally calculated after verifying GPG signature
> +sha256  6b5e9bb64dabb15787a14db1675291c7afaf9387438cc93a4fb7f6aec4ee6fe0  poppler-25.10.0.tar.xz
>  sha256  ab15fd526bd8dd18a9e77ebc139656bf4d33e97fc7238cd11bf60e2b9b8666c6  COPYING
> diff --git a/package/poppler/poppler.mk b/package/poppler/poppler.mk
> index 776fb4d566..08214d38b4 100644
> --- a/package/poppler/poppler.mk
> +++ b/package/poppler/poppler.mk
> @@ -4,15 +4,13 @@
>  #
>  ################################################################################
>  
> -POPPLER_VERSION = 22.12.0
> +POPPLER_VERSION = 25.10.0
>  POPPLER_SOURCE = poppler-$(POPPLER_VERSION).tar.xz
>  POPPLER_SITE = https://poppler.freedesktop.org
>  POPPLER_DEPENDENCIES = fontconfig host-pkgconf
>  POPPLER_LICENSE = GPL-2.0+
>  POPPLER_LICENSE_FILES = COPYING
>  POPPLER_CPE_ID_VENDOR = freedesktop
> -# 0001-OutlineItem-open-Fix-crash-on-malformed-files.patch
> -POPPLER_IGNORE_CVES += CVE-2023-34872
>  POPPLER_INSTALL_STAGING = YES
>  
>  POPPLER_CONF_OPTS = \
> @@ -24,6 +22,7 @@ POPPLER_CONF_OPTS = \
>  	-DBUILD_MANUAL_TESTS=OFF \
>  	-DENABLE_GTK_DOC=OFF \
>  	-DENABLE_QT6=OFF \
> +	-DENABLE_GPGME=OFF \
>  	-DRUN_GPERF_IF_PRESENT=OFF
>  
>  ifeq ($(BR2_TOOLCHAIN_HAS_LIBATOMIC),y)
> @@ -98,9 +97,9 @@ endif
>  
>  ifeq ($(BR2_PACKAGE_ZLIB),y)
>  POPPLER_DEPENDENCIES += zlib
> -POPPLER_CONF_OPTS += -DENABLE_ZLIB=ON
> +POPPLER_CONF_OPTS += -DENABLE_ZLIB_UNCOMPRESS=ON
>  else
> -POPPLER_CONF_OPTS += -DENABLE_ZLIB=OFF
> +POPPLER_CONF_OPTS += -DENABLE_ZLIB_UNCOMPRESS=OFF
>  endif
>  
>  ifeq ($(BR2_PACKAGE_CAIRO),y)
> @@ -112,9 +111,9 @@ endif
>  
>  ifeq ($(BR2_PACKAGE_TIFF),y)
>  POPPLER_DEPENDENCIES += tiff
> -POPPLER_CONF_OPTS += -DWITH_TIFF=ON
> +POPPLER_CONF_OPTS += -DENABLE_LIBTIFF=ON
>  else
> -POPPLER_CONF_OPTS += -DWITH_TIFF=OFF
> +POPPLER_CONF_OPTS += -DENABLE_LIBTIFF=OFF
>  endif
>  
>  ifeq ($(BR2_PACKAGE_LIBGLIB2),y)
> @@ -126,9 +125,16 @@ endif
>  
>  ifeq ($(BR2_PACKAGE_LIBNSS),y)
>  POPPLER_DEPENDENCIES += libnss
> -POPPLER_CONF_OPTS += -DWITH_NSS3=ON
> +POPPLER_CONF_OPTS += -DENABLE_NSS3=ON
>  else
> -POPPLER_CONF_OPTS += -DWITH_NSS3=OFF
> +POPPLER_CONF_OPTS += -DENABLE_NSS3=OFF
> +endif
> +
> +ifeq ($(BR2_PACKAGE_LCMS2),y)
> +POPPLER_DEPENDENCIES += lcms2
> +POPPLER_CONF_OPTS += -DENABLE_LCMS=ON
> +else
> +POPPLER_CONF_OPTS += -DENABLE_LCMS=OFF
>  endif
>  
>  ifeq ($(BR2_SOFT_FLOAT),y)
> -- 
> 2.51.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot at buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

More information about the buildroot mailing list