diff -Nru poppler-25.03.0/debian/changelog poppler-25.03.0/debian/changelog --- poppler-25.03.0/debian/changelog 2025-04-19 00:16:32.000000000 +0200 +++ poppler-25.03.0/debian/changelog 2025-07-28 10:55:12.000000000 +0200 @@ -1,3 +1,13 @@ +poppler (25.03.0-5) unstable; urgency=high + + [ Marc Deslauriers ] + * SECURITY UPDATE: DoS via reference count overflow + - debian/patches/CVE-2025-52886.patch: limit amount of annots per + document/page in poppler/Annot.cc, poppler/Page.cc. + - CVE-2025-52886 (Closes: #1108784) + + -- Jeremy BĂ­cha Mon, 28 Jul 2025 10:55:12 +0200 + poppler (25.03.0-4) unstable; urgency=high * Team upload diff -Nru poppler-25.03.0/debian/patches/CVE-2025-52886.patch poppler-25.03.0/debian/patches/CVE-2025-52886.patch --- poppler-25.03.0/debian/patches/CVE-2025-52886.patch 1970-01-01 01:00:00.000000000 +0100 +++ poppler-25.03.0/debian/patches/CVE-2025-52886.patch 2025-07-28 10:55:12.000000000 +0200 @@ -0,0 +1,50 @@ +Backport of: + +From ac36affcc8486de38e8905a8d6547a3464ff46e5 Mon Sep 17 00:00:00 2001 +From: Sune Vuorela +Date: Tue, 3 Jun 2025 00:35:19 +0200 +Subject: [PATCH] Limit ammount of annots per document/page + +--- + poppler/Annot.cc | 4 ++++ + poppler/Page.cc | 16 ++++++++++++++++ + 2 files changed, 20 insertions(+) + +--- a/poppler/Annot.cc ++++ b/poppler/Annot.cc +@@ -7479,6 +7479,10 @@ Annots::Annots(PDFDoc *docA, int page, O + const Object &obj2 = annotsObj->arrayGetNF(i); + annot = createAnnot(std::move(obj1), &obj2); + if (annot) { ++ if (annot->refCnt > 100000) { ++ error(errSyntaxError, -1, "Annotations likely malformed. Too many references. Stopping processing annots on page {0:d}", page); ++ break; ++ } + if (annot->isOk()) { + annot->setPage(page, false); // Don't change /P + appendAnnot(annot); +--- a/poppler/Page.cc ++++ b/poppler/Page.cc +@@ -297,6 +297,22 @@ Page::Page(PDFDoc *docA, int numA, Objec + goto err2; + } + ++ if (annotsObj.isArray() && annotsObj.arrayGetLength() > 10000) { ++ error(errSyntaxError, -1, "Page annotations object (page {0:d}) is likely malformed. Too big: ({1:d})", num, annotsObj.arrayGetLength()); ++ goto err2; ++ } ++ if (annotsObj.isRef()) { ++ auto resolvedObj = getAnnotsObject(); ++ if (resolvedObj.isArray() && resolvedObj.arrayGetLength() > 10000) { ++ error(errSyntaxError, -1, "Page annotations object (page {0:d}) is likely malformed. Too big: ({1:d})", num, resolvedObj.arrayGetLength()); ++ goto err2; ++ } ++ if (!resolvedObj.isArray() && !resolvedObj.isNull()) { ++ error(errSyntaxError, -1, "Page annotations object (page {0:d}) is wrong type ({1:s})", num, resolvedObj.getTypeName()); ++ goto err2; ++ } ++ } ++ + // contents + contents = pageObj.dictLookupNF("Contents").copy(); + if (!(contents.isRef() || contents.isArray() || contents.isNull())) { diff -Nru poppler-25.03.0/debian/patches/series poppler-25.03.0/debian/patches/series --- poppler-25.03.0/debian/patches/series 2025-04-19 00:16:32.000000000 +0200 +++ poppler-25.03.0/debian/patches/series 2025-07-28 10:55:12.000000000 +0200 @@ -1,3 +1,4 @@ CVE-2025-32364.patch CVE-2025-32365.patch CVE-2025-43903.patch +CVE-2025-52886.patch