Your message dated Sat, 30 Apr 2022 07:33:54 +0000
with message-id <[email protected]>
and subject line Bug#1009879: fixed in pypdf2 1.27.9-1
has caused the Debian Bug report #1009879,
regarding pypdf2: CVE-2022-24859: Manipulated inline images can cause Infinite Loop
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1009879: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009879
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pypdf2
Version: 1.26.0-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/py-pdf/PyPDF2/issues/329
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for pypdf2.

CVE-2022-24859[0]:
| PyPDF2 is an open source python PDF library capable of splitting,
| merging, cropping, and transforming the pages of PDF files. In
| versions prior to 1.27.5 an attacker who uses this vulnerability can
| craft a PDF which leads to an infinite loop if the PyPDF2 code
| attempts to get the content stream. The reason is that the last
| while-loop in `ContentStream._readInlineImage` only terminates when it
| finds the `EI` token, but never actually checks if the stream has
| already ended. This issue has been resolved in version `1.27.5`. Users
| unable to upgrade should validate PDFs prior to iterating over their
| content stream.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24859
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24859
[1] https://github.com/py-pdf/PyPDF2/issues/329
[2] https://github.com/py-pdf/PyPDF2/security/advisories/GHSA-xcjx-m2pj-8g79

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
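To make the failure mode in the CVE text concrete, here is a simplified reimplementation of the inline-image data loop, added as an illustration and not PyPDF2's own code: it scans for the `EI` operator the same way (accepting it only when followed by whitespace or end of stream, since image data may contain the bytes `EI`) and adds the end-of-stream check whose absence let a truncated stream spin forever. `read_inline_image_data`, `scan`, `is_well_terminated` and the sample byte strings are constructed for this example.

```python
import io

# PDF white-space characters (PDF 32000-1, 7.2.2).
WHITESPACE = b" \t\r\n\x0c\x00"


class PdfStreamError(Exception):
    """Raised when the content stream ends before the inline image is closed."""


def read_inline_image_data(stream: io.BytesIO) -> bytes:
    """Read inline-image bytes; stream is positioned just after 'ID' and its
    single delimiting white-space byte. Returns the raw image data.

    io.BytesIO.read(1) returns b"" at end of stream. A loop that only tests
    for b"E" (the start of 'EI') treats b"" like ordinary data and never
    exits; the `if not tok` check below is what makes it terminate.
    """
    data = bytearray()
    while True:
        tok = stream.read(1)
        if not tok:  # end of stream without an EI operator: fail, don't spin
            raise PdfStreamError("content stream ended before EI")
        if tok != b"E":
            data += tok
            continue
        tok2 = stream.read(1)
        if tok2 != b"I":
            if tok2:
                stream.seek(-1, 1)  # put tok2 back, 'E' was plain data
            data += tok
            continue
        tok3 = stream.read(1)
        if tok3 and tok3 not in WHITESPACE:
            stream.seek(-1, 1)  # 'EI' inside binary data, keep scanning
            data += tok + tok2
            continue
        # Real operator: drop the single white-space delimiter before 'EI'.
        if data and data[-1:] in WHITESPACE:
            del data[-1]
        return bytes(data)


def scan(content_after_id: bytes) -> bytes:
    """Convenience wrapper over a constructed in-memory stream."""
    return read_inline_image_data(io.BytesIO(content_after_id))


def is_well_terminated(content_after_id: bytes) -> bool:
    """Pre-check callers can run before iterating a content stream."""
    try:
        scan(content_after_id)
        return True
    except PdfStreamError:
        return False
```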
--- Begin Message ---
Source: pypdf2
Source-Version: 1.27.9-1
Done: Laszlo Boszormenyi (GCS) <[email protected]>

We believe that the bug you reported is fixed in the latest version of
pypdf2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated pypdf2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 30 Apr 2022 08:06:55 +0200
Source: pypdf2
Architecture: source
Version: 1.27.9-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1009879
Changes:
 pypdf2 (1.27.9-1) unstable; urgency=high
 .
   * New upstream release:
     - fixes CVE-2022-24859: manipulated inline images can cause infinite loop
       (closes: #1009879).
   * Update homepage location.
   * Update watch file.
   * Update debhelper level to 13.
   * Update Standards-Version to 4.6.0.1.
Checksums-Sha1:
 f3c3670eae26fe0d56315ab470a61638bb95f0dc 1902 pypdf2_1.27.9-1.dsc
 20c046c69e5d6e7f305045fb7a8e794938524539 2124754 pypdf2_1.27.9.orig.tar.gz
 e26939508544cd6e54d7ac9e627ca618f88957b6 3324 pypdf2_1.27.9-1.debian.tar.xz
Checksums-Sha256:
 53dc0d2b73478339d501a9c52fde864eb5465243c01570384184e70a26b485de 1902 pypdf2_1.27.9-1.dsc
 a3d8c9ee327c79697074c7a7c2b02dc3a54bc31054512f1c7fc26e2926a35cd1 2124754 pypdf2_1.27.9.orig.tar.gz
 5c7babca4ca0933acaa157fceca4905fa1d2983da010d125c05e49f27f79a563 3324 pypdf2_1.27.9-1.debian.tar.xz
Files:
 852a51f6134c29f9e5f06b5e09402471 1902 python optional pypdf2_1.27.9-1.dsc
 a781cf50574b9af736a0bf99ad627614 2124754 python optional pypdf2_1.27.9.orig.tar.gz
 5c89d715829dbbf2f4d3f5bcdc17737b 3324 python optional pypdf2_1.27.9-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---