Source: pypdf2
Version: 1.26.0-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/py-pdf/PyPDF2/issues/329
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for pypdf2.

CVE-2022-24859[0]:
| PyPDF2 is an open source python PDF library capable of splitting,
| merging, cropping, and transforming the pages of PDF files. In
| versions prior to 1.27.5 an attacker who uses this vulnerability can
| craft a PDF which leads to an infinite loop if the code attempts to
| get the content stream. The reason is that the last while-loop in
| `ContentStream._readInlineImage` only terminates when it finds the
| `EI` token, but never actually checks if the stream has already
| ended. This issue has been resolved in version `1.27.5`. Users unable
| to upgrade should validate PDFs prior to iterating over their
| content stream.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24859
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24859
[1] https://github.com/py-pdf/PyPDF2/issues/329
[2] https://github.com/py-pdf/PyPDF2/security/advisories/GHSA-xcjx-m2pj-8g79

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
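As an added illustration (not PyPDF2's code, and not part of the bug report), the following minimal inline-image reader shows the missing check the advisory describes: its loop over the `ID` ... `EI` data raises as soon as the stream is exhausted instead of spinning forever, and `is_well_formed` is the kind of pre-validation the advisory suggests for users who cannot upgrade. The sample content streams are constructed here; the `BI`/`ID`/`EI` operators are the PDF inline-image syntax.

```python
import re

# `ID` starts an inline image's binary data; it is whitespace-delimited.
_ID_TOKEN = re.compile(rb"(?:^|\s)ID(?=\s|$)")

class TruncatedInlineImage(ValueError):
    """Inline-image data ended without a terminating `EI` token."""

def read_inline_image(stream: bytes, pos: int) -> tuple[bytes, int]:
    """Read image data starting right after `ID`; return (data, next_pos)."""
    if stream[pos:pos + 1].isspace():  # one delimiter byte after `ID`
        pos += 1
    n, i = len(stream), pos
    while True:
        if i >= n:
            # The bounds check described in CVE-2022-24859: without it a
            # stream that never contains `EI` keeps this loop spinning.
            raise TruncatedInlineImage("stream ended before EI token")
        # `EI` counts as the end token only when whitespace-delimited.
        if (stream[i:i + 2] == b"EI"
                and stream[i - 1:i].isspace()
                and (i + 2 == n or stream[i + 2:i + 3].isspace())):
            data = stream[pos:i]
            if data[-1:].isspace():  # drop the delimiter before `EI`
                data = data[:-1]
            return data, i + 2
        i += 1

def extract_inline_images(stream: bytes) -> list[bytes]:
    """Return the data of every inline image, in order; raise
    TruncatedInlineImage if one is not closed by `EI`. Image data that
    itself contains ` EI ` is a known PDF ambiguity, not handled here."""
    images, pos = [], 0
    while (m := _ID_TOKEN.search(stream, pos)) is not None:
        data, pos = read_inline_image(stream, m.end())
        images.append(data)
    return images

def is_well_formed(stream: bytes) -> bool:
    """Pre-check a content stream before handing it to a PDF parser."""
    try:
        extract_inline_images(stream)
    except TruncatedInlineImage:
        return False
    return True

# Constructed sample streams: a 2x2 gray inline image, and the same
# stream cut off before `EI` (the shape a crafted PDF would take).
GOOD = b"q BI /W 2 /H 2 /CS /G /BPC 8 ID \x00\xff\xff\x00 EI Q"
TRUNCATED = GOOD[:GOOD.rindex(b" EI")]
```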

