Bug 34238 - poppler new security issue CVE-2025-43903
Summary: poppler new security issue CVE-2025-43903
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2025-05-02 09:04 CEST by Nicolas Salguero
Modified: 2025-05-05 06:58 CEST
CC List: 3 users

See Also:
Source RPM: poppler-23.02.0-1.5.mga9.src.rpm
CVE: CVE-2025-43903
Status comment:



Description Nicolas Salguero 2025-05-02 09:04:08 CEST
Ubuntu has issued an advisory on April 29:
https://ubuntu.com/security/notices/USN-7471-1

Fixed by: https://gitlab.freedesktop.org/poppler/poppler/-/commit/f1b9c830f145a0042e853d6462b2f9ca4016c669 (poppler-25.04.0)
Might cause regression: https://bugzilla.suse.com/show_bug.cgi?id=1241620#c3
Nicolas Salguero 2025-05-02 09:04:48 CEST

CVE: (none) => CVE-2025-43903
Status comment: (none) => Patch available from upstream and Ubuntu
Source RPM: (none) => poppler-23.02.0-1.5.mga9.src.rpm
Version: Cauldron => 9

Comment 1 Nicolas Salguero 2025-05-02 10:05:11 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries. (CVE-2025-43903)

References:
https://ubuntu.com/security/notices/USN-7471-1
========================

Updated packages in core/updates_testing:
========================
lib(64)poppler-cpp-devel-23.02.0-1.6.mga9
lib(64)poppler-cpp0-23.02.0-1.6.mga9
lib(64)poppler-devel-23.02.0-1.6.mga9
lib(64)poppler-gir0.18-23.02.0-1.6.mga9
lib(64)poppler-glib-devel-23.02.0-1.6.mga9
lib(64)poppler-glib8-23.02.0-1.6.mga9
lib(64)poppler-qt5-devel-23.02.0-1.6.mga9
lib(64)poppler-qt5_1-23.02.0-1.6.mga9
lib(64)poppler-qt6-devel-23.02.0-1.6.mga9
lib(64)poppler-qt6_3-23.02.0-1.6.mga9
lib(64)poppler126-23.02.0-1.6.mga9
poppler-23.02.0-1.6.mga9

from SRPM:
poppler-23.02.0-1.6.mga9.src.rpm

Assignee: bugsquad => qa-bugs
Status comment: Patch available from upstream and Ubuntu => (none)
Status: NEW => ASSIGNED
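The advisory text above describes a verifier that accepts adbe.pkcs7.sha1 signatures without actually verifying them. In that PDF signature scheme the SHA-1 digest of the signed ByteRange is the encapsulated content of the PKCS#7/CMS object, so a correct verifier has two obligations: the CMS signature over the encapsulated digest must be valid, and that digest must equal the digest recomputed over the document bytes. The added example below is not poppler's code and does not reproduce the specific defect in NSSCryptoSignBackend.cc; it is a constructed illustration of the failure class, showing a verifier that performs only the first check next to one that performs both. The CMS signature is stood in for by an HMAC over a constructed key so the script runs offline; the document bytes and the field names (`SubFilter`, `Contents`) mirror PDF terminology but the data structure is a simplified assumption.

```python
import hashlib
import hmac

# adbe.pkcs7.sha1: the SHA-1 digest of the signed byte range is the encapsulated
# content of the CMS object, and the CMS signature covers that digest. The document
# is only protected if the verifier also compares the encapsulated digest with a
# digest it recomputes itself over the document bytes.

# Constructed stand-in for the signer's private key (not a real key).
SIGNING_KEY = b"constructed-demo-signing-key"


def cms_sign(encapsulated: bytes) -> bytes:
    """Stand-in for producing a CMS SignedData over `encapsulated` (HMAC, not real CMS)."""
    return hmac.new(SIGNING_KEY, encapsulated, hashlib.sha256).digest()


def cms_signature_valid(encapsulated: bytes, signature: bytes) -> bool:
    """Stand-in for CMS signature validation; constant-time comparison."""
    return hmac.compare_digest(cms_sign(encapsulated), signature)


def sign_adbe_pkcs7_sha1(document: bytes) -> dict:
    """Produce a simplified adbe.pkcs7.sha1 signature dictionary for `document`.

    `document` stands for the bytes covered by the ByteRange; the real Contents
    hex string is excluded from that range in a PDF, which is simplified away here.
    """
    digest = hashlib.sha1(document).digest()
    return {
        "SubFilter": "adbe.pkcs7.sha1",
        "Contents": {"encapsulated": digest, "signature": cms_sign(digest)},
    }


def verify_missing_digest_check(document: bytes, sig: dict) -> bool:
    """Weak verifier: validates the CMS signature but never binds it to `document`.

    Any validly signed digest, including one lifted from a different document,
    is reported as a good signature for `document`.
    """
    contents = sig["Contents"]
    return cms_signature_valid(contents["encapsulated"], contents["signature"])


def verify_adbe_pkcs7_sha1(document: bytes, sig: dict) -> bool:
    """Fail-closed verifier: CMS signature must be valid AND the signed digest
    must match the digest recomputed over the document."""
    if sig.get("SubFilter") != "adbe.pkcs7.sha1":
        return False  # unknown or unsupported scheme is never "verified"
    contents = sig["Contents"]
    if not cms_signature_valid(contents["encapsulated"], contents["signature"]):
        return False
    recomputed = hashlib.sha1(document).digest()
    return hmac.compare_digest(recomputed, contents["encapsulated"])


def demo() -> dict:
    """Sign a constructed document, then check both verifiers against the genuine
    document and against a different document carrying the same signature."""
    original = b"%PDF-1.7 constructed test document: amount due 100 EUR"
    sig = sign_adbe_pkcs7_sha1(original)
    # The same signature object attached to different content: the forgery case
    # a verifier that skips the digest comparison cannot detect.
    altered = b"%PDF-1.7 constructed test document: amount due 9000 EUR"
    return {
        "genuine_weak": verify_missing_digest_check(original, sig),
        "altered_weak": verify_missing_digest_check(altered, sig),
        "genuine_fixed": verify_adbe_pkcs7_sha1(original, sig),
        "altered_fixed": verify_adbe_pkcs7_sha1(altered, sig),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'VALID' if result else 'INVALID'}")
```

The weak verifier reports the altered document as validly signed because every step it performs succeeds; only the recomputed-digest comparison ties the signature to the bytes actually being displayed. When reviewing a signature backend, the check to look for is that each supported SubFilter path ends in a comparison against a digest the verifier computed itself, and that every unsupported path returns "not verified" rather than falling through.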

Comment 2 Herman Viaene 2025-05-02 16:39:00 CEST
MGA9-64 Plasma Wayland on Compaq H000SB.
No installation issues.
Ref bug 34182, repeated those tests.
$ pdftohtml handleidingVM.pdf testpoppler.html
Page-1
Page-2
Page-3
Page-4
Page-5
Page-6
Page-7
Page-8
Page-9
 link to page 6 Page-10
Page-11
Page-12

$ firefox testpoppler.html
Opens correctly with a page index as a left-hand column of links and the text and graphics to the right.

$ pdftotext handleidingVM.pdf VM.txt
Opened with mousepad and text is complete with indicators where graphical items occurred in the original document. These indicators are not shown in kate or kwrite.

$ pdfimages handleidingVM.pdf handvm
$ ls handv*
handvm-000.ppm  handvm-001.ppm  handvm-002.ppm  handvm-003.ppm  handvm-004.ppm  handvm-005.ppm  handvm-006.ppm  handvm-007.ppm
Images show OK in gwenview.
$ ls ha*.ppm | wc -l
8

$ pdfseparate -f 3 -l 10 handleidingVM.pdf page_%d
$ ls page*
page_10  page_3  page_4  page_5  page_6  page_7  page_8  page_9


[tester9@mach3 testpoppler]$ okular page_*
Pages show up OK.
OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

katnatek 2025-05-02 19:55:17 CEST

Keywords: (none) => advisory

Comment 3 Thomas Andrews 2025-05-04 01:33:09 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 4 Mageia Robot 2025-05-05 06:58:21 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0143.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

