Version in base suite: 25.03.0-5+deb13u2 Base version: poppler_25.03.0-5+deb13u2 Target version: poppler_25.03.0-5+deb13u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/poppler/poppler_25.03.0-5+deb13u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/poppler/poppler_25.03.0-5+deb13u3.dsc changelog | 11 ++ patches/Check-for-duplicate-entries.patch | 29 +++++++ patches/Make-sure-regex-doesn-t-stack-overflow-by-limiting-i.patch | 29 +++++++ patches/SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch | 41 ++++++++++ patches/series | 3 5 files changed, 113 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp89yiza8u/poppler_25.03.0-5+deb13u2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp89yiza8u/poppler_25.03.0-5+deb13u3.dsc: no acceptable signature found
diff -Nru poppler-25.03.0/debian/changelog poppler-25.03.0/debian/changelog
--- poppler-25.03.0/debian/changelog 2025-08-31 18:01:36.000000000 +0000
+++ poppler-25.03.0/debian/changelog 2026-06-06 09:07:43.000000000 +0000
@@ -1,3 +1,14 @@
+poppler (25.03.0-5+deb13u3) trixie-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * SplashOutputDev: Fix integer overflow in tilingPatternFill (CVE-2026-10118)
+ (Closes: #1138708)
+ * Make sure regex doesn't stack overflow by limiting it (CVE-2025-43718)
+ (Closes: #1117046)
+ * Check for duplicate entries (CVE-2025-52885) (Closes: #1117853)
+
+ -- Salvatore Bonaccorso Sat, 06 Jun 2026 11:07:43 +0200
+
 poppler (25.03.0-5+deb13u2) trixie; urgency=high
 
 [ Leonidas Da Silva Barbosa ]
diff -Nru poppler-25.03.0/debian/patches/Check-for-duplicate-entries.patch poppler-25.03.0/debian/patches/Check-for-duplicate-entries.patch
--- poppler-25.03.0/debian/patches/Check-for-duplicate-entries.patch 1970-01-01 00:00:00.000000000 +0000
+++ poppler-25.03.0/debian/patches/Check-for-duplicate-entries.patch 2026-06-06 09:06:09.000000000 +0000
@@ -0,0 +1,29 @@
+From: Kevin Backhouse
+Date: Wed, 3 Sep 2025 14:36:54 +0100
+Subject: Check for duplicate entries
+Origin: https://gitlab.freedesktop.org/poppler/poppler/-/commit/4ce27cc826bf90cc8dbbd8a8c87bd913cccd7ec0
+Bug-Debian: https://bugs.debian.org/1117853
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-52885
+
+---
+ poppler/StructTreeRoot.cc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/poppler/StructTreeRoot.cc b/poppler/StructTreeRoot.cc
+index eb46147bd1cd..fc7bf4ceb05a 100644
+--- a/poppler/StructTreeRoot.cc
++++ b/poppler/StructTreeRoot.cc
+@@ -136,6 +136,10 @@ void StructTreeRoot::parseNumberTreeNode(const Dict &node)
+ }
+ int keyVal = key.getInt();
+ std::vector &vec = parentTree[keyVal];
++ if (!vec.empty()) {
++ error(errSyntaxError, -1, "Nums item at position {0:d} is a duplicate entry for key {1:d}", i, keyVal);
++ continue;
++ }
+
+ Object valueArray = nums.arrayGet(i + 1);
+ if (valueArray.isArray()) {
+-- 
+2.53.0
+
diff -Nru poppler-25.03.0/debian/patches/Make-sure-regex-doesn-t-stack-overflow-by-limiting-i.patch poppler-25.03.0/debian/patches/Make-sure-regex-doesn-t-stack-overflow-by-limiting-i.patch
--- poppler-25.03.0/debian/patches/Make-sure-regex-doesn-t-stack-overflow-by-limiting-i.patch 1970-01-01 00:00:00.000000000 +0000
+++ poppler-25.03.0/debian/patches/Make-sure-regex-doesn-t-stack-overflow-by-limiting-i.patch 2026-06-06 09:04:22.000000000 +0000
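Review bot: In `StructTreeRoot::parseNumberTreeNode` the new guard counts a key as already seen only when `parentTree[keyVal]` is non-empty, so an earlier entry for the same key that left the vector empty is not reported as a duplicate and the later entry is parsed normally. Assuming `parentTree` is a standard map, the `operator[]` lookup also creates an empty vector for the key before the check runs. If that behaviour is intended, the guard would read better with a comment such as `// A key that already holds elements is a duplicate; skip it rather than refill the vector.` The code that fills `vec` from `valueArray` continues outside the hunk, so whether an empty first entry can matter cannot be judged from here.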
@@ -0,0 +1,29 @@
+From: Albert Astals Cid
+Date: Wed, 26 Mar 2025 11:26:32 +0100
+Subject: Make sure regex doesn't stack overflow by limiting it
+Origin: https://gitlab.freedesktop.org/poppler/poppler/-/commit/f54b815672117c250420787c8c006de98e8c7408
+Bug-Debian: https://bugs.debian.org/1117046
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-43718
+
+Happens with very long pdfsubver strings when compiled with
+-fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -flto=auto
+---
+ poppler/PDFDoc.cc | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/poppler/PDFDoc.cc b/poppler/PDFDoc.cc
+index f0dae9be7f56..118c4692d49b 100644
+--- a/poppler/PDFDoc.cc
++++ b/poppler/PDFDoc.cc
+@@ -479,7 +479,7 @@ static PDFSubtypePart pdfPartFromString(PDFSubtype subtype, const std::string &p
+
+ static PDFSubtypeConformance pdfConformanceFromString(const std::string &pdfsubver)
+ {
+- const std::regex regex("PDF/(?:A|X|VT|E|UA)-[[:digit:]]([[:alpha:]]+)");
++ const std::regex regex("PDF/(?:A|X|VT|E|UA)-[[:digit:]]([[:alpha:]]{1,3})");
+ std::smatch match;
+
+ // match contains the PDF conformance (A, B, G, N, P, PG or U)
+-- 
+2.53.0
+
diff -Nru poppler-25.03.0/debian/patches/SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch poppler-25.03.0/debian/patches/SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch
--- poppler-25.03.0/debian/patches/SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch 1970-01-01 00:00:00.000000000 +0000
+++ poppler-25.03.0/debian/patches/SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch 2026-06-04 21:23:14.000000000 +0000
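Review bot: The bound `{1,3}` in `pdfConformanceFromString` is a bare number with no explanation, while the context comment lists conformance values of at most two letters (`PG`). A comment on the pattern would keep a later edit from restoring `+`, for example `// Bounded on purpose: an unbounded [[:alpha:]]+ overflowed the stack on very long pdfsubver strings.` The pattern is also still compiled on every call because `regex` is a non-static local; `static const std::regex regex(...)` would build it once. The function body continues outside the hunk.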
@@ -0,0 +1,41 @@
+From: Marek Kasik
+Date: Thu, 21 May 2026 17:51:51 +0200
+Subject: SplashOutputDev: Fix integer overflow in tilingPatternFill
+Origin: https://gitlab.freedesktop.org/poppler/poppler/-/commit/8352264766652b98336e92359a70b3161a9ab97a
+Bug-Debian: https://bugs.debian.org/1138708
+Bug: https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1715
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-10118
+
+Use checkedMultiply() to check integer multiplication of surface size
+and number of repetitions to avoid integer overflow and possible memory issues.
+
+Fixes: #1715
+---
+ poppler/SplashOutputDev.cc | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/poppler/SplashOutputDev.cc b/poppler/SplashOutputDev.cc
+index ff3ad0eff015..f055486c36f4 100644
+--- a/poppler/SplashOutputDev.cc
++++ b/poppler/SplashOutputDev.cc
+@@ -4327,7 +4328,7 @@ bool SplashOutputDev::tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog * /*
+ matc[2] = ctm[2];
+ matc[3] = ctm[3];
+
+- if (surface_width == 0 || surface_height == 0 || repeatX * repeatY <= 4) {
++ if (surface_width == 0 || surface_height == 0 || repeatX * repeatY <= 4 || checkedMultiply(surface_width, repeatX, &result_width) || checkedMultiply(surface_height, repeatY, &result_height)) {
+ state->setCTM(savedCTM[0], savedCTM[1], savedCTM[2], savedCTM[3], savedCTM[4], savedCTM[5]);
+ return false;
+ }
+@@ -4349,8 +4350,6 @@ bool SplashOutputDev::tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog * /*
+ kx = matc[0];
+ ky = matc[3] - (matc[1] * matc[2]) / matc[0];
+ }
+- result_width = surface_width * repeatX;
+- result_height = surface_height * repeatY;
+ kx = result_width / (fabs(kx) + 1);
+ ky = result_height / (fabs(ky) + 1);
+ state->concatCTM(kx, 0, 0, ky, 0, 0);
+-- 
+2.53.0
+
diff -Nru poppler-25.03.0/debian/patches/series poppler-25.03.0/debian/patches/series
--- poppler-25.03.0/debian/patches/series 2025-08-31 18:01:36.000000000 +0000
+++ 
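Review bot: In the rewritten condition of `SplashOutputDev::tilingPatternFill`, `repeatX * repeatY <= 4` is still a plain multiplication and is evaluated before the two `checkedMultiply` calls, so the repetition count itself is not covered by the overflow check. The declarations are outside the hunk; if `repeatX` and `repeatY` are signed integers derived from the pattern geometry, that product can overflow in the same way the removed `surface_width * repeatX` could. Checking it the same way would close the gap, for example `checkedMultiply(repeatX, repeatY, &repeats) || repeats <= 4` with `repeats` a new local of the same type. The condition now also assigns `result_width` and `result_height` as a side effect; a one-line comment saying so would help, since the second hunk removes the explicit assignments further down.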
poppler-25.03.0/debian/patches/series 2026-06-06 09:06:52.000000000 +0000
@@ -3,3 +3,6 @@
 CVE-2025-43903.patch
 CVE-2025-52886.patch
 CVE-2025-50420.patch
+SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch
+Make-sure-regex-doesn-t-stack-overflow-by-limiting-i.patch
+Check-for-duplicate-entries.patch