Your message dated Sat, 10 Feb 2024 13:11:21 +0000
with message-id <e1ryn8b-002ybl...@coccia.debian.org>
and subject line Released with 12.5
has caused the Debian Bug report #1060851,
regarding bookworm-pu: package pypdf/3.4.1-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1060851: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060851
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)
[ Reason ]
This upload adds a patch to address CVE-2023-36464. It was assessed by
the security team as no-dsa, so I think we ought to fix it in a stable
update.
[ Impact ]
Users remain vulnerable to the DoS attack described in the CVE.
[ Tests ]
There is a pypdf test suite that runs during package build and
autopkgtest. Upstream did add a test for this issue, but since it
requires test assets not available in Debian, I did not include it in
the patch.
[ Risks ]
Code is trivial and the risk of regression is negligible. This is the
exact fix upstream used. The fix has been in the wild for 8 months, so
I think if it was going to cause a problem, we'd know by now.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Added the upstream change to fix the CVE (only the change to
pypdf/generic/_data_structures.py is relevant):
https://github.com/py-pdf/pypdf/commit/b0e5c689df689ab173df84dacd77b6fc3c161932
Updated gbp.conf to point at the bookworm branch
[ Other info ]
This will look like an NMU in tools that look at stable. I just adopted
the package due to the original maintainer's RFA and have uploaded to
unstable (including this fix). I elected not to change the maintainer
in this upload since that didn't fit with a minimal change in stable.
Scott K
diff -Nru pypdf-3.4.1/debian/changelog pypdf-3.4.1/debian/changelog
--- pypdf-3.4.1/debian/changelog 2023-02-14 16:58:00.000000000 -0500
+++ pypdf-3.4.1/debian/changelog 2024-01-15 11:28:43.000000000 -0500
@@ -1,3 +1,13 @@
+pypdf (3.4.1-1+deb12u1) bookworm; urgency=medium
+
+ * Update debian/gbp.conf to point at bookworm branch
+ * Prevent infinite loop when no character follows after a comment (Closes:
+ #1040338)
+ - Addresses CVE-2023-36464
+ - Add d/p/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
+
+ -- Scott Kitterman <sc...@kitterman.com> Mon, 15 Jan 2024 11:28:43 -0500
+
pypdf (3.4.1-1) unstable; urgency=medium
* New upstream version 3.4.1
diff -Nru pypdf-3.4.1/debian/gbp.conf pypdf-3.4.1/debian/gbp.conf
--- pypdf-3.4.1/debian/gbp.conf 2023-02-14 16:58:00.000000000 -0500
+++ pypdf-3.4.1/debian/gbp.conf 2024-01-15 11:28:20.000000000 -0500
@@ -1,3 +1,3 @@
[DEFAULT]
-debian-branch = debian/unstable
+debian-branch = debian/bookworm
pristine-tar = True
diff -Nru
pypdf-3.4.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
pypdf-3.4.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
---
pypdf-3.4.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
1969-12-31 19:00:00.000000000 -0500
+++
pypdf-3.4.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
2024-01-15 11:28:43.000000000 -0500
@@ -0,0 +1,21 @@
+From: Scott Kitterman <sc...@kitterman.com>
+Date: Mon, 15 Jan 2024 11:34:11 -0500
+Subject: Prevent infinite loop when no character follows after a comment
+https://security-tracker.debian.org/tracker/CVE-2023-36464
+---
+ pypdf/generic/_data_structures.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pypdf/generic/_data_structures.py
b/pypdf/generic/_data_structures.py
+index bb2e028..524d4e0 100644
+--- a/pypdf/generic/_data_structures.py
++++ b/pypdf/generic/_data_structures.py
+@@ -979,7 +979,7 @@ class ContentStream(DecodedStreamObject):
+ # encountering a comment -- but read_object assumes that
+ # following the comment must be the object we're trying to
+ # read. In this case, it could be an operator instead.
+- while peek not in (b"\r", b"\n"):
++ while peek not in (b"\r", b"\n", b""):
+ peek = stream.read(1)
+ else:
+ operands.append(read_object(stream, None,
self.forced_encoding))
diff -Nru pypdf-3.4.1/debian/patches/series pypdf-3.4.1/debian/patches/series
--- pypdf-3.4.1/debian/patches/series 2023-02-14 16:58:00.000000000 -0500
+++ pypdf-3.4.1/debian/patches/series 2024-01-15 11:28:43.000000000 -0500
@@ -1,2 +1,3 @@
0001-Use-formal-Cryptodome-namespace.patch
0002-mark-new-external-tests-appropriately.patch
+0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
--- End Message ---
--- Begin Message ---
Version: 12.5
The upload requested in this bug has been released as part of 12.5.
--- End Message ---
