Fluid Attacks Database

Description

An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readGenericBitmap() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfseparate binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JArithmeticDecoder::decodeBit.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 14	poppler	=25.03.0-10 \|\| =25.03.0-11 \|\| =25.03.0-11.1 \|\| =25.03.0-5 \|\| =25.03.0-6 \|\| =25.03.0-7 \|\| =25.03.0-9 \|\| =26.01.0-1 \|\| =26.01.0-2
debian 11	poppler	=20.09.0-3.1 \|\| =20.09.0-3.1+deb11u1 \|\| =20.09.0-3.1+deb11u2 \|\| =21.02.0-1 \|\| =21.06.0-1 \|\| =21.06.1-1 \|\| =21.11.0-1 \|\| =22.02.0-1 \|\| =22.02.0-2 \|\| =22.02.0-3 \|\| =22.06.0-1 \|\| =22.08.0-1 \|\| =22.08.0-2 \|\| =22.08.0-2.1 \|\| =22.11.0-1 \|\| =22.12.0-1 \|\| =22.12.0-2 \|\| =22.12.0-2.1 \|\| =22.12.0-2.2 \|\| =23.08.0-1 \|\| =23.08.0-2 \|\| =23.12.0-1 \|\| =24.02.0-1 \|\| =24.02.0-2 \|\| =24.02.0-3 \|\| =24.02.0-4 \|\| =24.02.0-5 \|\| =24.02.0-5+loong64 \|\| =24.06.0-1 \|\| =24.06.0-2 \|\| =24.08.0-1 \|\| =24.08.0-2 \|\| =24.08.0-3 \|\| =24.08.0-4 \|\| =25.01.0-1 \|\| =25.01.0-2 \|\| =25.01.0-3 \|\| =25.01.0-4 \|\| =25.01.0-5 \|\| =25.03.0-1 \|\| =25.03.0-10 \|\| =25.03.0-11 \|\| =25.03.0-11.1 \|\| =25.03.0-2 \|\| =25.03.0-3 \|\| =25.03.0-4 \|\| =25.03.0-5 \|\| =25.03.0-6 \|\| =25.03.0-7 \|\| =25.03.0-9 \|\| =26.01.0-1 \|\| =26.01.0-2
debian 12	poppler	=22.12.0-2 \|\| =22.12.0-2+deb12u1 \|\| =22.12.0-2.1 \|\| =22.12.0-2.2 \|\| =23.08.0-1 \|\| =23.08.0-2 \|\| =23.12.0-1 \|\| =24.02.0-1 \|\| =24.02.0-2 \|\| =24.02.0-3 \|\| =24.02.0-4 \|\| =24.02.0-5 \|\| =24.02.0-5+loong64 \|\| =24.06.0-1 \|\| =24.06.0-2 \|\| =24.08.0-1 \|\| =24.08.0-2 \|\| =24.08.0-3 \|\| =24.08.0-4 \|\| =25.01.0-1 \|\| =25.01.0-2 \|\| =25.01.0-3 \|\| =25.01.0-4 \|\| =25.01.0-5 \|\| =25.03.0-1 \|\| =25.03.0-10 \|\| =25.03.0-11 \|\| =25.03.0-11.1 \|\| =25.03.0-2 \|\| =25.03.0-3 \|\| =25.03.0-4 \|\| =25.03.0-5 \|\| =25.03.0-6 \|\| =25.03.0-7 \|\| =25.03.0-9 \|\| =26.01.0-1 \|\| =26.01.0-2
debian 13	poppler	=25.03.0-10 \|\| =25.03.0-11 \|\| =25.03.0-11.1 \|\| =25.03.0-5 \|\| =25.03.0-5+deb13u2 \|\| =25.03.0-6 \|\| =25.03.0-7 \|\| =25.03.0-9 \|\| =26.01.0-1 \|\| =26.01.0-2
rpm rhel5	poppler	-
rpm rhel6	poppler	-
rpm rhel8	poppler	-
rpm rhel7	poppler	-

Aliases

1. CVE-2019-95432. NVD-2019-95433. OSV-DEBIAN-2019-95434. OSV-2019-95435. SECURITY-TRACKER-CVE-2019-9543

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.