#1110606 cairo: CVE-2025-50422

Package:
src:cairo
Source:
src:cairo
Submitter:
Salvatore Bonaccorso
Date:
2026-04-09 06:43:06 UTC
Severity:
normal
Tags:
#1110606#5
Date:
2025-08-09 09:47:40 UTC
Hi,

The following vulnerability was published for cairo.

CVE-2025-50422[0]:
| An issue was discovered in freedesktop poppler v25.04.0. The heap
| memory containing PDF stream objects is not cleared upon program
| exit, allowing attackers to obtain sensitive PDF content via a
| memory dump.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-50422
https://www.cve.org/CVERecord?id=CVE-2025-50422
[1] https://github.com/Landw-hub/CVE-2025-50422
[2] https://gitlab.freedesktop.org/poppler/poppler/-/issues/1591
[3] https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/621

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1110606#10
Date:
2025-08-09 12:02:18 UTC
Control: tags -1 + moreinfo
have originally claimed that the existence of possibly-sensitive data in
a core dump is a security vulnerability, which ... no. Core dumps
contain whatever was in RAM, that's just how they work, and if that's
considered to be a security vulnerability in a particular scenario then
that scenario should disable core dumps.

It seems like the better description might be something like: a crafted
input file fed to poppler's pdftoppm can cause an assertion failure,
leading to denial of service (?) and possibly a worse impact (?).

The original reporter claims on their Github page [1] that "The vendor
(freedesktop, maintainer of Poppler) has acknowledged the issue and
fixed the bug. The fix has been committed in their official repository."
but I see no evidence of that, only two unreviewed and unmerged
merge-requests in one of poppler's dependencies [3] [4].

I think we should be cautious about applying unreviewed changes for
unclear reasons. If someone (perhaps the CNA that created this CVE ID)
has a better description of what security problem is being addressed,
then they should publish it.

I also can't help noticing that
https://www.cve.org/CVERecord?id=CVE-2025-50422 links to
"freedesktop.com" and "poppler.com" neither of which appears to be
freedesktop.org or poppler, which seems like it indicates a lack of
research and critical thinking.

[4] https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/623
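The mitigation Simon points to above (a deployment that treats RAM contents as sensitive should disable core dumps, rather than calling their existence a bug) as a worked example. This is added here and is not code from cairo, poppler or anyone in this thread; it assumes Linux with glibc, the function names are my own, and the PDF stream bytes are a constructed stand-in. It also scrubs a decoded buffer before freeing it, which is the closest thing to what the CVE text actually asks for.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/prctl.h>

/* Opt this process out of core dumps (Linux, glibc; names are illustrative).
 * RLIMIT_CORE = 0 stops the kernel from writing a core file. PR_SET_DUMPABLE = 0
 * additionally marks the process non-dumpable, so an unprivileged user, even
 * one with the same uid, cannot ptrace it or read /proc/<pid>/mem without
 * CAP_SYS_PTRACE. Both settings are inherited across fork(), so calling this
 * early in main() also covers forked worker processes.
 * Returns 0 on success, -1 if either call failed. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return 0;
}

/* Returns 1 if both protections are in effect, 0 otherwise. */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0 && prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0;
}

/* Overwrite a buffer of decoded document content before it is released.
 * A plain memset() immediately before free() is a dead store that optimising
 * compilers may drop; stores through a volatile pointer are not removed.
 * (glibc >= 2.25 provides explicit_bzero() for the same purpose.)
 * Returns the number of non-zero bytes remaining, which is 0 on success. */
size_t scrub_buffer(unsigned char *buf, size_t len)
{
    volatile unsigned char *p = buf;
    size_t nonzero = 0;
    for (size_t i = 0; i < len; i++)
        p[i] = 0;
    for (size_t i = 0; i < len; i++)
        nonzero += (buf[i] != 0);
    return nonzero;
}

/* Sketch of use: harden first, then scrub each stream buffer before freeing. */
int main(void)
{
    if (disable_core_dumps() != 0)
        return 1;
    /* constructed stand-in for a decoded PDF content stream */
    const char sample[] = "BT /F1 12 Tf (confidential) Tj ET";
    size_t len = sizeof sample;
    unsigned char *stream = malloc(len);
    if (!stream)
        return 1;
    memcpy(stream, sample, len);
    /* ... render from stream ... */
    size_t left = scrub_buffer(stream, len);
    free(stream);
    return (left == 0 && core_dumps_disabled()) ? 0 : 1;
}
```

For a service you do not control the source of, the same effect comes from the process environment: `ulimit -c 0` in the launching shell, `LimitCORE=0` in a systemd unit, or `Storage=none` in coredump.conf. Note that `PR_SET_DUMPABLE` is reset to 1 on execve() of a non-setuid binary, so it must be applied inside the process that holds the data, not by a wrapper.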

#1110606#17
Date:
2025-08-09 12:45:28 UTC
Hi Simon,

I'm impressed by your speed and diligence in treating bug reports;
kudos, and you have my full respect :)

I do agree, the bugreport just contains fetching the (current) MITRE
CVE description to include it in the bugreport.

Ok. FWIW, I asked mitre that they can re-evaluate the CVE entry and
maybe associate it rather with cairo, as the merge request is targeted
there.

Fully agreed. The Debian bug report is not meant to expedite fixes
being applied in Debian but rather to have a mapping from downstream
bug reports to upstream so we can follow their status. I fully support
*not* applying any fixes before they are clearly vetted/acked and
ideally merged upstream.

Yes, that's very odd.

Regards,
Salvatore