Hi,

The following vulnerability was published for cairo.

CVE-2025-50422[0]:
| An issue was discovered in freedesktop poppler v25.04.0. The heap
| memory containing PDF stream objects is not cleared upon program
| exit, allowing attackers to obtain sensitive PDF content via a
| memory dump.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-50422
    https://www.cve.org/CVERecord?id=CVE-2025-50422
[1] https://github.com/Landw-hub/CVE-2025-50422
[2] https://gitlab.freedesktop.org/poppler/poppler/-/issues/1591
[3] https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/621

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Control: tags -1 + moreinfo

have originally claimed that the existence of possibly-sensitive data in a core dump is a security vulnerability, which ... no. Core dumps contain whatever was in RAM, that's just how they work, and if that's considered to be a security vulnerability in a particular scenario then that scenario should disable core dumps.

It seems like the better description might be something like: a crafted input file fed to poppler's pdftoppm can cause an assertion failure, leading to denial of service (?) and possibly a worse impact (?).

The original reporter claims on their GitHub page [1] that "The vendor (freedesktop, maintainer of Poppler) has acknowledged the issue and fixed the bug. The fix has been committed in their official repository." but I see no evidence of that, only two unreviewed and unmerged merge-requests in one of poppler's dependencies [3] [4]. I think we should be cautious about applying unreviewed changes for unclear reasons.

If someone (perhaps the CNA that created this CVE ID) has a better description of what security problem is being addressed, then they should publish it.

I also can't help noticing that https://www.cve.org/CVERecord?id=CVE-2025-50422 links to "freedesktop.com" and "poppler.com", neither of which appears to be freedesktop.org or poppler, which seems like it indicates a lack of research and critical thinking.

[4] https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/623
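The reply above makes the point that a core dump contains whatever was in RAM, and that a deployment in which that matters should disable core dumps rather than treat their contents as a bug in the library. The following C program is an added illustration, not code from this thread, from poppler or from cairo: it shows how a process that handles sensitive documents can opt out of core dumps itself on a POSIX system by lowering RLIMIT_CORE to zero and, on Linux, clearing the process's dumpable flag. The function names disable_core_dumps and core_limit are my own; the Linux prctl branch is an assumption about the target platform and is compiled only there.

```c
/* Added example (not from the bug thread): a process that handles
 * sensitive data opting out of core dumps, so that a crash such as
 * the assertion failure discussed above leaves no dump of decrypted
 * document content on disk. */
#include <stdio.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Lower both the soft and the hard RLIMIT_CORE to 0. Lowering a limit
 * never needs privileges, and the new limit is inherited by children.
 * Returns 0 on success, -1 on error (errno set by the failing call). */
int disable_core_dumps(void)
{
    struct rlimit rl = { .rlim_cur = 0, .rlim_max = 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
#ifdef __linux__
    /* Assumption: Linux. Clearing the dumpable flag also stops
     * unprivileged same-user processes from reading this process's
     * memory via ptrace or /proc/PID/mem, which covers the "memory
     * dump" of a still-running process as well as a core file. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
#endif
    return 0;
}

/* Report the current soft core-file size limit, or -1 on error,
 * so a caller (or a test) can confirm the setting took effect. */
long core_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return (long)rl.rlim_cur;
}

int main(void)
{
    if (disable_core_dumps() != 0) {
        perror("disable_core_dumps");
        return 1;
    }
    printf("RLIMIT_CORE soft limit is now %ld\n", core_limit());
    /* From here on, an abort() or assertion failure in this process
     * would terminate it without writing a core file. */
    return 0;
}
```

To see the difference, run the program from a shell where `ulimit -c unlimited` is in effect: the limit it reports is 0 regardless of the inherited value. Calling this early in the process, before any document is parsed, matters more than clearing buffers at exit, since a crash never reaches the exit path at all.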
Hi Simon,

I'm impressed by your speed and diligence in treating bug reports, kudos and you have my full respect :)

I do agree, the bug report just contains fetching the (current) MITRE CVE description to include it in the bug report.

Ok. FWIW, I asked MITRE that they can re-evaluate the CVE entry and maybe associate it rather with cairo, as the merge request is targeted there.

Fully agreed. The Debian bug report is not meant to expedite fixes applying in Debian but rather to have a mapping in bug reports downstream to upstream so we can follow their status. I fully support *not* applying any fixes before they are clearly vetted/acked and ideally merged upstream.

Yes, that's very odd.

Regards,
Salvatore