Properly verify adbe.pkcs7.sha1 signatures.

For signatures with non-empty encapsulated content
(typically adbe.pkcs7.sha1), we only compared hash values and
never actually checked SignatureValue within SignerInfo.
The bug introduced by c7c0207b1cfe49a4353d6cda93dbebef4508138f
made trivial signature forgeries possible. Fix this by calling
NSS_CMSSignerInfo_Verify() after the hash values compare equal.

Origin: upstream 25.04.0

Gbp-Pq: Name CVE-2025-43903.patch

[PATCH] Move isOk check to inside JBIG2Bitmap::combine

Origin: upstream 25.04

Gbp-Pq: Name CVE-2025-32365.patch

[PATCH] PSStack::roll: Protect against doing int = -INT_MIN

Origin: upstream 25.04

Gbp-Pq: Name CVE-2025-32364.patch

poppler (25.03.0-4) unstable; urgency=high

  * Team upload
  * SECURITY UPDATE: Properly verify abde.pkcs7.sha1 signatures
    - Cherry-pick upstream fix for the
      NSSSignatureVerification::validateSignature function
      in NSSCryptoSignBackend.cc
    - CVE-2025-43903 (Closes: #1103545)

[dgit import unpatched poppler 25.03.0-4]

Import poppler_25.03.0-4.debian.tar.xz

[dgit import tarball poppler 25.03.0-4 poppler_25.03.0-4.debian.tar.xz]

Import poppler_25.03.0.orig.tar.xz

[dgit import orig poppler_25.03.0.orig.tar.xz]