Bug 34668 - poppler new security issue CVE-2025-52885
Summary: poppler new security issue CVE-2025-52885
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-10-15 10:44 CEST by Nicolas Salguero
Modified: 2025-10-29 05:29 CET

See Also:
Source RPM: poppler-23.02.0-1.7.mga9.src.rpm
CVE: CVE-2025-52885
Status comment:



Description Nicolas Salguero 2025-10-15 10:44:58 CEST
CVE-2025-52885 was announced here:
https://www.openwall.com/lists/oss-security/2025/10/13/2
Nicolas Salguero 2025-10-15 10:46:11 CEST

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => poppler-25.07.0-1.mga10.src.rpm, poppler-23.02.0-1.7.mga9.src.rpm
Status comment: (none) => Patch available from upstream and fixed upstream in 25.10.0
CVE: (none) => CVE-2025-52885

Comment 1 Marja Van Waes 2025-10-16 22:17:06 CEST
No registered maintainer, assigning to all.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Nicolas Salguero 2025-10-28 11:12:40 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Use After Free (UAF) in Poppler. (CVE-2025-52885)

References:
https://www.openwall.com/lists/oss-security/2025/10/13/2
========================

Updated packages in core/updates_testing:
========================
lib(64)poppler-cpp-devel-23.02.0-1.8.mga9
lib(64)poppler-cpp0-23.02.0-1.8.mga9
lib(64)poppler-devel-23.02.0-1.8.mga9
lib(64)poppler-gir0.18-23.02.0-1.8.mga9
lib(64)poppler-glib-devel-23.02.0-1.8.mga9
lib(64)poppler-glib8-23.02.0-1.8.mga9
lib(64)poppler-qt5-devel-23.02.0-1.8.mga9
lib(64)poppler-qt5_1-23.02.0-1.8.mga9
lib(64)poppler-qt6-devel-23.02.0-1.8.mga9
lib(64)poppler-qt6_3-23.02.0-1.8.mga9
lib(64)poppler126-23.02.0-1.8.mga9
poppler-23.02.0-1.8.mga9

from SRPM:
poppler-23.02.0-1.8.mga9.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 9
Status comment: Patch available from upstream and fixed upstream in 25.10.0 => (none)
Assignee: pkg-bugs => qa-bugs
Source RPM: poppler-25.07.0-1.mga10.src.rpm, poppler-23.02.0-1.7.mga9.src.rpm => poppler-23.02.0-1.7.mga9.src.rpm
Whiteboard: MGA9TOO => (none)

Comment 3 Herman Viaene 2025-10-28 15:04:09 CET
MGA9-64 server Plasma wayland on Compaq H000SB
No installation issues.
Tests from bug 32242:
$ pdftohtml handleidingVM.pdf testpoppler.html
Page-1
Page-2
Page-3
Page-4
Page-5
Page-6
Page-7
Page-8
Page-9
 link to page 6 Page-10
Page-11
Page-12
$ pdftotext handleidingVM.pdf VM.txt
Opens correctly with a page index as a left-hand column of links and the text and graphics to the right.
$ pdfimages handleidingVM.pdf handvm
$ ls handvm*
handvm-000.ppm  handvm-001.ppm  handvm-002.ppm  handvm-003.ppm  handvm-004.ppm  handvm-005.ppm  handvm-006.ppm  handvm-007.ppm
[tester9@mach3 volkstuintjes]$ ls ha*.ppm | wc -l
8
$ pdfseparate -f 3 -l 10 handleidingVM.pdf page_%d
[tester9@mach3 volkstuintjes]$ okular page_*
Pages show up OK.

And following katnatek:
$ strace -o popl.txt okular handleidingVM.pdf 
shows
statx(AT_FDCWD, "/usr/lib64/qt5/plugins/okular/generators/okularGenerator_poppler.so",
So I take the freedom to give the OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

katnatek 2025-10-28 19:36:36 CET

Keywords: (none) => advisory

Comment 4 Thomas Andrews 2025-10-29 02:48:52 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2025-10-29 05:29:11 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0251.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

