CVE-2022-37050: 
NixOS vulnerability analysis and mitigation

CVE-2022-37050 affects Poppler 22.07.0, specifically in the PDFDoc::savePageAs function within PDFDoc.c. The vulnerability was discovered in 2022 and allows attackers to cause a denial-of-service condition through application crashes (SIGABRT) by crafting malicious PDF files that mishandle the xref data structure during getCatalog processing. This vulnerability is notably a result of an incomplete patch for a previous vulnerability (CVE-2018-20662) (NVD).

The vulnerability has a CVSS v3.1 Base Score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The issue specifically occurs in the PDFDoc::savePageAs function when processing the xref data structure during catalog operations. The vulnerability manifests as a crash with SIGABRT at poppler/Object.h:435 when attempting to process specially crafted PDF files (NVD, Gitlab Issue).

When exploited, this vulnerability results in a denial-of-service condition through application crashes. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system. The CVSS scoring indicates high availability impact but no impact on confidentiality or integrity (NVD).

The vulnerability has been patched in various distributions and versions. Ubuntu has released fixes for multiple versions including 22.04 LTS (22.02.0-2ubuntu0.3), 20.04 LTS (0.86.1-0ubuntu1.4), and 18.04 LTS. Debian has addressed this in version 0.71.0-5+deb10u3 for Debian 10 buster. The fix involves checking XRef's Catalog for being a Dict (Ubuntu Notice, Debian LTS).