CVE-2024-56378: 
NixOS vulnerability analysis and mitigation

CVE-2024-56378 is a vulnerability discovered in Poppler through version 24.12.0, specifically affecting the JBIG2Bitmap::combine function in JBIG2Stream.cc. The vulnerability was disclosed on December 22, 2024, and affects the libpoppler.so library, which is a core component of the Poppler PDF rendering library (NVD, Debian Tracker).

The vulnerability is classified as an out-of-bounds read vulnerability within the JBIG2Bitmap::combine function. The issue has been assigned a CVSS 3.1 Base Score of 4.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability is tracked under CWE-125 (Out-of-bounds Read) (NVD).

The vulnerability allows an attacker to crash the application or potentially obtain sensitive information through a specially crafted PDF file. The issue can be specifically triggered through the pdfimages utility, which is part of the Poppler suite (Red Hat Portal, Ubuntu Notice).

The vulnerability has been fixed in newer versions of Poppler. Various Linux distributions have released security updates to address this issue. Ubuntu has released updates across multiple versions: Ubuntu 24.10 (libpoppler140 - 24.08.0-1ubuntu0.1), Ubuntu 24.04 (libpoppler134 - 24.02.0-1ubuntu9.2), Ubuntu 22.04 (libpoppler118 - 22.02.0-2ubuntu0.6), and Ubuntu 20.04 (libpoppler97 - 0.86.1-0ubuntu1.5) (Ubuntu Notice).