Bug#1009879: pypdf2: CVE-2022-24859: Manipulated inline images can cause Infinite Loop

2023-06-08 Thread Markus Koschany
Hi Andreas,

On Thursday, 08.06.2023 at 18:05 +0200, Andreas Beckmann wrote:
> Hi Markus,
> 
> you took care of fixing this bug in stretch-lts. Can you look into 
> fixing this in buster-lts, too? Right now buster(-lts) has a lower 
> version than stretch-lts.

Thanks! I'll take care of that soon.

Markus





Bug#1009879: pypdf2: CVE-2022-24859: Manipulated inline images can cause Infinite Loop

2023-06-08 Thread Andreas Beckmann

Hi Markus,

you took care of fixing this bug in stretch-lts. Can you look into 
fixing this in buster-lts, too? Right now buster(-lts) has a lower 
version than stretch-lts.


 pypdf2 | 1.26.0-2        | stretch          | source
 pypdf2 | 1.26.0-2        | buster           | source
 pypdf2 | 1.26.0-2+deb9u1 | stretch-security | source
 pypdf2 | 1.26.0-4        | bullseye         | source

(for bullseye there is pu request #1029008)


Andreas



Bug#1009879: pypdf2: CVE-2022-24859: Manipulated inline images can cause Infinite Loop

2022-04-19 Thread Salvatore Bonaccorso
Source: pypdf2
Version: 1.26.0-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/py-pdf/PyPDF2/issues/329
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for pypdf2.

CVE-2022-24859[0]:
| PyPDF2 is an open source python PDF library capable of splitting,
| merging, cropping, and transforming the pages of PDF files. In
| versions prior to 1.27.5 an attacker who uses this vulnerability can
| craft a PDF which leads to an infinite loop if the PyPDF2 code
| attempts to get the content stream. The reason is that the last while-
| loop in `ContentStream._readInlineImage` only terminates when it finds
| the `EI` token, but never actually checks if the stream has already
| ended. This issue has been resolved in version `1.27.5`. Users unable
| to upgrade should validate and PDFs prior to iterating over their
| content stream.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24859
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24859
[1] https://github.com/py-pdf/PyPDF2/issues/329
[2] https://github.com/py-pdf/PyPDF2/security/advisories/GHSA-xcjx-m2pj-8g79

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
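
The loop condition described in the CVE text above, as an added example that is not part of this thread and is not PyPDF2's code: a simplified model of a scan that exits only on the `EI` token, next to the same scan with an end-of-stream check. The names `scan_flawed`, `scan_checked` and `StreamEnded` and the sample bytes are hypothetical, and the model ignores the whitespace rules around `EI`.

```python
import io

# Constructed inline-image bodies (not taken from a real PDF).
GOOD = b"\x00\x01binary EI Q"             # terminated by the EI token
TRUNCATED = b"\x00\x01binary, cut short"  # EI never appears

class StreamEnded(Exception):
    """The stream ran out before the EI token was found."""

def scan_flawed(stream, max_reads=10_000):
    """Flawed pattern: finding EI is the only exit condition.

    max_reads is a guard added for this demo so the call returns; the
    pattern being modelled has no such limit. Returns (data, gave_up).
    """
    data = b""
    for _ in range(max_reads):
        tok = stream.read(1)              # b"" on every call once at EOF
        if tok == b"E":
            nxt = stream.read(1)
            if nxt == b"I":
                return data, False
            if nxt:
                stream.seek(-1, io.SEEK_CUR)  # re-examine the byte after E
        data += tok
    return data, True

def scan_checked(stream):
    """Same scan, but an empty read is treated as end of stream."""
    data = b""
    while True:
        tok = stream.read(1)
        if not tok:
            raise StreamEnded("inline image not terminated by EI")
        if tok == b"E":
            nxt = stream.read(1)
            if nxt == b"I":
                return data
            if nxt:
                stream.seek(-1, io.SEEK_CUR)
        data += tok

if __name__ == "__main__":
    print("flawed scan gave up:", scan_flawed(io.BytesIO(TRUNCATED))[1])
    try:
        scan_checked(io.BytesIO(TRUNCATED))
    except StreamEnded as exc:
        print("checked scan rejected input:", exc)
```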