Fedora has issued an advisory today (December 6): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQ3NYJ43U2MA7COKGMJDARZUAAOP45D4/
Status comment: (none) => Patch available from Fedora
Source RPM: (none) => poppler-23.02.0-1.mga9.src.rpm
I think this is the patch URL (from the header URL):
https://gitlab.freedesktop.org/poppler/poppler/-/commit/591235c8b6c65a2eee88991b9ae73490fd9afdfe

Assigning globally because poppler has no listed maintainer; but CC'ing wally who has done most of its updates.
Assignee: bugsquad => pkg-bugs
CC: (none) => jani.valimaa
URL: (none) => https://bugzilla.redhat.com/show_bug.cgi?id=2227884
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A vulnerability in Outline.cc for Poppler prior to 23.06.0 allows a remote attacker to cause a Denial of Service (DoS) (crash) via a crafted PDF file in OutlineItem::open. (CVE-2023-34872)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34872
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQ3NYJ43U2MA7COKGMJDARZUAAOP45D4/
========================

Updated packages in core/updates_testing:
========================
lib(64)poppler-cpp-devel-23.02.0-1.1.mga9
lib(64)poppler-cpp0-23.02.0-1.1.mga9
lib(64)poppler-devel-23.02.0-1.1.mga9
lib(64)poppler-gir0.18-23.02.0-1.1.mga9
lib(64)poppler-glib-devel-23.02.0-1.1.mga9
lib(64)poppler-glib8-23.02.0-1.1.mga9
lib(64)poppler-qt5-devel-23.02.0-1.1.mga9
lib(64)poppler-qt5_1-23.02.0-1.1.mga9
lib(64)poppler-qt6-devel-23.02.0-1.1.mga9
lib(64)poppler-qt6_3-23.02.0-1.1.mga9
lib(64)poppler126-23.02.0-1.1.mga9
poppler-23.02.0-1.1.mga9

from SRPM:
poppler-23.02.0-1.1.mga9.src.rpm
Status comment: Patch available from Fedora => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CC: (none) => marja11
CVE: (none) => CVE-2023-34872
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"
Keywords: (none) => advisory
Mageia9, x86_64

Made sure that all the 23.02.0-1 packages were installed (dragging in a lot of dependencies).
Ran a cursory test to see that some of the packages work:
$ pdftohtml PythonCookbook_2.pdf python.html
$ less python.html:
<!DOCTYPE html>
<html>
<head>
<title>Python Cookbook</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<meta name="generator" content="pdftohtml 0.36"/>
<meta name="author" content="Alex Martelli"/>
<meta name="keywords" content="www.it-ebooks.info"/>
<meta name="date" content="2013-05-17T13:02:03+00:00"/>
<meta name="subject" content="IT eBooks"/>
</head>
<frameset cols="100,*">
....
$ firefox python.html
<That showed the contents in the browser>

Pasted this into the qarepo panel:
lib64poppler-cpp-devel-23.02.0-1.1.mga9
lib64poppler-cpp0-23.02.0-1.1.mga9
lib64poppler-devel-23.02.0-1.1.mga9
lib64poppler-gir0.18-23.02.0-1.1.mga9
lib64poppler-glib-devel-23.02.0-1.1.mga9
lib64poppler-glib8-23.02.0-1.1.mga9
lib64poppler-qt5-devel-23.02.0-1.1.mga9
lib64poppler-qt5_1-23.02.0-1.1.mga9
lib64poppler-qt6-devel-23.02.0-1.1.mga9
lib64poppler-qt6_3-23.02.0-1.1.mga9
lib64poppler126-23.02.0-1.1.mga9
poppler-23.02.0-1.1.mga9
and hit update, then:
$ MageiaUpdate
All done.

Successfully repeated the pdftohtml test on another e-book.
$ pdftohtml RustProgrammingLanguage.pdf rust.html
and displayed the pages in Firefox.

$ pdfimages AN_2023_September.pdf AN
$ ls AN-*
[...]
AN-2076.ppm AN-4058.ppm AN-603.ppm AN-8021.ppm
$ ls AN-*.ppm | wc -l
10893
Used eom to display images at random. All looked fine but most of them were trivial.

Separated out several pages from another book:
$ pdfseparate -f 3 -l 10 TheGoProgrammingLanguage.pdf page_%d
$ ls page_*
page_10 page_3 page_4 page_5 page_6 page_7 page_8 page_9
$ file page_4
page_4: PDF document, version 1.6, 1 pages
$ okular page_*
showed the pages correctly.
$ pdftops page_4 page4.ps
$ gs page4.ps
showed the title page.
$ pdftoppm page_5 page
generates page-1.ppm, which displays OK in eom.
$ pdftocairo -jpeg page_7 page7
generates page7-1.jpg.
$ pdftocairo -tiff page_8 page8
$ display page8-1.tif
Fine.

Installed djvulibre and exercised pdf2djvu.
$ strace -o djvu.trace pdf2djvu -o test.djv module_cheat_sheet.pdf
module_cheat_sheet.pdf:
- page #1 -> #1
0.021 bits/pixel; 6.081:1, 83.55% saved, 136259 bytes in, 22408 bytes out
$ grep poppler djvu.trace
openat(AT_FDCWD, "/lib64/libpoppler.so.126", O_RDONLY|O_CLOEXEC) = 3

OK for Mageia9, 64-bit.
CC: (none) => tarazed25
Whiteboard: (none) => MGA9-64-OK
Rider to comment #4:
Apologies for not researching the PoC. Before update test can no longer be done but afterwards the application behaves itself with the malformed file.

CVE-2023-34872
https://gitlab.freedesktop.org/poppler/poppler/-/issues/1399
This is said to affect pdftohtml.

After the update:
$ pdftohtml crash crash.html
Page-1
Page-2
Page-3
Syntax Error (6095): Illegal character ')'
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
....
The output document looks like valid HTML and does display correctly in a browser.
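Added example, not part of the original comments: a small shell helper for the before/after check described above, which records whether a tool died on a signal, hung, or returned normally when given a malformed file. The function name classify_run is hypothetical, and GNU coreutils timeout is assumed to be installed.

```shell
# classify_run (hypothetical helper): run a command under a time limit and
# report how it ended, so a QA log records "crash" versus "handled the input".
# Usage: classify_run <seconds> <command> [args...]
# e.g.   classify_run 30 pdftohtml crash crash.html
classify_run() {
    limit=$1
    shift
    rc=0
    # Output is discarded; only the exit status matters for this check.
    # "|| rc=$?" keeps the function usable in scripts that run under "set -e".
    timeout "$limit" "$@" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 124 ]; then
        # GNU timeout exits with 124 when the time limit was reached.
        echo "HANG"
    elif [ "$rc" -ge 128 ]; then
        # A status of 128+N means the process was killed by signal N
        # (11 is SIGSEGV, 6 is SIGABRT on Linux).
        echo "CRASH(signal $((rc - 128)))"
    elif [ "$rc" -eq 0 ]; then
        echo "OK"
    else
        # Non-zero exit without a signal: the tool rejected the input itself.
        echo "ERROR(exit $rc)"
    fi
}
```

A CRASH result on the old package and OK or ERROR on the updated one is the outcome a fix for this kind of DoS should produce; syntax errors printed by the tool do not by themselves indicate a crash.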
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
mga9-64 Clean update and works. I could not figure out where to get that "crash" test file from.
CC: (none) => fri
Sorry. I quoted the CVE number and posted one of the links you find when you follow the CVE link. Very often there is useful information to be found when the link contains the string 'issue'. Following that link showed a further link to the crash file. Just right-click on it and download. There were no instructions about how to handle the file so 'pdftohtml' was a bit of a guess.
Not so much of a guess when the page is entitled "Crash in pdftohtml".
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0348.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Shall have a look at this after supper and a check for PoC.