openEuler Security Advisory: openEuler-SA-2023-1561
Title: poppler security update
Document type: Security Advisory
Publisher: openEuler security committee (openeuler-security@openeuler.org)
Status: Final
Version: 1.0
Revision history: 1.0, 2023-09-02, Initial
Initial release date: 2023-09-02
Current release date: 2023-09-02
Generator: openEuler SA Tool V1.0, 2023-09-02
Severity: High
Affected products: openEuler-20.03-LTS-SP1, openEuler-22.03-LTS-SP1

Summary

An update for poppler is now available for openEuler-20.03-LTS-SP1 and openEuler-22.03-LTS-SP1.

Description

poppler is a PDF rendering library.

Security Fix(es):

- Uncontrolled recursion in pdfinfo and pdftops in poppler 0.89.0 allows remote attackers to cause a denial of service via crafted input. (CVE-2020-23804)
- In Poppler 22.07.0, PDFDoc::savePageAs in PDFDoc.cc allows attackers to cause a denial of service (application crashes with SIGABRT) by crafting a PDF file in which the xref data structure is mishandled in getCatalog processing. Note that this vulnerability is caused by the incomplete patch of CVE-2018-20662. (CVE-2022-37050)
- An issue was discovered in Poppler 22.07.0. There is a reachable abort which leads to denial of service because the main function in pdfunite.cc lacks a stream check before saving an embedded file. (CVE-2022-37051)
- A reachable Object::getString assertion in Poppler 22.07.0 allows attackers to cause a denial of service due to a failure in markObject. (CVE-2022-37052)
- An issue was discovered in Poppler 22.08.0. There is a reachable assertion in Object.h which leads to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file. (CVE-2022-38349)

openEuler Security has rated this update as having a security impact of High. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Vulnerability details

CVE-2020-23804
  Public date: 2023-09-02
  Affected products: openEuler-20.03-LTS-SP1, openEuler-22.03-LTS-SP1
  Severity: High
  CVSS v3 base score: 7.5
  CVSS v3 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-37050
  Public date: 2023-09-02
  Affected products: openEuler-20.03-LTS-SP1, openEuler-22.03-LTS-SP1
  Severity: Medium
  CVSS v3 base score: 6.5
  CVSS v3 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2022-37051
  Public date: 2023-09-02
  Affected products: openEuler-20.03-LTS-SP1, openEuler-22.03-LTS-SP1
  Severity: Medium
  CVSS v3 base score: 6.5
  CVSS v3 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2022-37052
  Public date: 2023-09-02
  Affected products: openEuler-20.03-LTS-SP1, openEuler-22.03-LTS-SP1
  Severity: Medium
  CVSS v3 base score: 6.5
  CVSS v3 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2022-38349
  Public date: 2023-09-02
  Affected products: openEuler-20.03-LTS-SP1, openEuler-22.03-LTS-SP1
  Severity: Medium
  CVSS v3 base score: 6.5
  CVSS v3 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Remediation (all five CVEs): poppler security update, 2023-09-02, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1561

Updated packages

openEuler-20.03-LTS-SP1 (poppler 0.90.0-4.oe1)

  aarch64:
    poppler-0.90.0-4.oe1.aarch64.rpm
    poppler-cpp-0.90.0-4.oe1.aarch64.rpm
    poppler-cpp-devel-0.90.0-4.oe1.aarch64.rpm
    poppler-debuginfo-0.90.0-4.oe1.aarch64.rpm
    poppler-debugsource-0.90.0-4.oe1.aarch64.rpm
    poppler-devel-0.90.0-4.oe1.aarch64.rpm
    poppler-glib-0.90.0-4.oe1.aarch64.rpm
    poppler-glib-devel-0.90.0-4.oe1.aarch64.rpm
    poppler-qt5-0.90.0-4.oe1.aarch64.rpm
    poppler-qt5-devel-0.90.0-4.oe1.aarch64.rpm
    poppler-utils-0.90.0-4.oe1.aarch64.rpm

  x86_64:
    poppler-0.90.0-4.oe1.x86_64.rpm
    poppler-cpp-0.90.0-4.oe1.x86_64.rpm
    poppler-cpp-devel-0.90.0-4.oe1.x86_64.rpm
    poppler-debuginfo-0.90.0-4.oe1.x86_64.rpm
    poppler-debugsource-0.90.0-4.oe1.x86_64.rpm
    poppler-devel-0.90.0-4.oe1.x86_64.rpm
    poppler-glib-0.90.0-4.oe1.x86_64.rpm
    poppler-glib-devel-0.90.0-4.oe1.x86_64.rpm
    poppler-qt5-0.90.0-4.oe1.x86_64.rpm
    poppler-qt5-devel-0.90.0-4.oe1.x86_64.rpm
    poppler-utils-0.90.0-4.oe1.x86_64.rpm

  noarch:
    poppler-glib-doc-0.90.0-4.oe1.noarch.rpm
    poppler-help-0.90.0-4.oe1.noarch.rpm

  src:
    poppler-0.90.0-4.oe1.src.rpm

openEuler-22.03-LTS-SP1 (poppler 0.90.0-6.oe2203sp1)

  aarch64:
    poppler-0.90.0-6.oe2203sp1.aarch64.rpm
    poppler-cpp-0.90.0-6.oe2203sp1.aarch64.rpm
    poppler-cpp-devel-0.90.0-6.oe2203sp1.aarch64.rpm
    poppler-debuginfo-0.90.0-6.oe2203sp1.aarch64.rpm
    poppler-debugsource-0.90.0-6.oe2203sp1.aarch64.rpm
    poppler-devel-0.90.0-6.oe2203sp1.aarch64.rpm
    poppler-glib-0.90.0-6.oe2203sp1.aarch64.rpm
    poppler-glib-devel-0.90.0-6.oe2203sp1.aarch64.rpm
    poppler-qt5-0.90.0-6.oe2203sp1.aarch64.rpm
    poppler-qt5-devel-0.90.0-6.oe2203sp1.aarch64.rpm
    poppler-utils-0.90.0-6.oe2203sp1.aarch64.rpm

  x86_64:
    poppler-0.90.0-6.oe2203sp1.x86_64.rpm
    poppler-cpp-0.90.0-6.oe2203sp1.x86_64.rpm
    poppler-cpp-devel-0.90.0-6.oe2203sp1.x86_64.rpm
    poppler-debuginfo-0.90.0-6.oe2203sp1.x86_64.rpm
    poppler-debugsource-0.90.0-6.oe2203sp1.x86_64.rpm
    poppler-devel-0.90.0-6.oe2203sp1.x86_64.rpm
    poppler-glib-0.90.0-6.oe2203sp1.x86_64.rpm
    poppler-glib-devel-0.90.0-6.oe2203sp1.x86_64.rpm
    poppler-qt5-0.90.0-6.oe2203sp1.x86_64.rpm
    poppler-qt5-devel-0.90.0-6.oe2203sp1.x86_64.rpm
    poppler-utils-0.90.0-6.oe2203sp1.x86_64.rpm

  noarch:
    poppler-glib-doc-0.90.0-6.oe2203sp1.noarch.rpm
    poppler-help-0.90.0-6.oe2203sp1.noarch.rpm

  src:
    poppler-0.90.0-6.oe2203sp1.src.rpm

References

openEuler bulletin: https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1561

openEuler CVE pages:
  https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2020-23804
  https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-37050
  https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-37051
  https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-37052
  https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-38349

NVD:
  https://nvd.nist.gov/vuln/detail/CVE-2020-23804
  https://nvd.nist.gov/vuln/detail/CVE-2022-37050
  https://nvd.nist.gov/vuln/detail/CVE-2022-37051
  https://nvd.nist.gov/vuln/detail/CVE-2022-37052
  https://nvd.nist.gov/vuln/detail/CVE-2022-38349