Bug#1029008: Bug#1009879: security update needed for pypdf2 in bullseye (CVE-2022-24859)?
Control: close -1

Hi,

On Tue, Jul 25, 2023 at 10:26:06PM +0100, Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
>
> Hi,
>
> On Mon, Jan 16, 2023 at 07:41:21AM +0100, László Böszörményi wrote:
> > On Mon, Jan 16, 2023 at 6:38 AM Salvatore Bonaccorso wrote:
> > > On Sun, Jan 15, 2023 at 04:57:24PM -0500, Daniel Kahn Gillmor wrote:
> > > > I was looking into CVE-2022-24859 and pypdf2, and trying to figure out
> > > > whether the version in bullseye is still vulnerable, as it appears to be
> > > > according to the security tracker:
> > [...]
> > > It is still unfixed in bullseye TTBOMK, but would not warrant a DSA.
> > Indeed, it's not yet fixed for Bullseye and doesn't warrant a DSA as
> > the max impact is an infinite loop in the user's own process.
> >
> > > Can you propose a fix for it with cherry-picking the pull request
> > > changes for the next bullseye point release?
> > Correct, it needs to go via Bullseye point update. I attached the
> > short change which has the original commit as Salvatore noted.
>
> Either of the proposed diffs is fine; please go ahead.

This package has not been uploaded in time for two consecutive point
releases now, so I am closing the request.

Thanks,

--
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1029008: Bug#1009879: security update needed for pypdf2 in bullseye (CVE-2022-24859)?
On Tue, Jul 25, 2023 at 10:26:06PM +0100, Jonathan Wiltshire wrote:
> On Mon, Jan 16, 2023 at 07:41:21AM +0100, László Böszörményi wrote:
> > On Mon, Jan 16, 2023 at 6:38 AM Salvatore Bonaccorso wrote:
> > > On Sun, Jan 15, 2023 at 04:57:24PM -0500, Daniel Kahn Gillmor wrote:
> > > > I was looking into CVE-2022-24859 and pypdf2, and trying to figure out
> > > > whether the version in bullseye is still vulnerable, as it appears to be
> > > > according to the security tracker:
> > [...]
> > > It is still unfixed in bullseye TTBOMK, but would not warrant a DSA.
> > Indeed, it's not yet fixed for Bullseye and doesn't warrant a DSA as
> > the max impact is an infinite loop in the user's own process.
> >
> > > Can you propose a fix for it with cherry-picking the pull request
> > > changes for the next bullseye point release?
> > Correct, it needs to go via Bullseye point update. I attached the
> > short change which has the original commit as Salvatore noted.
>
> Either of the proposed diffs is fine; please go ahead.

This request was approved but not uploaded in time for the previous point
release (11.8). Should it be included in 11.9, or should this request be
abandoned and closed?

--
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1029008: Bug#1009879: security update needed for pypdf2 in bullseye (CVE-2022-24859)?
Control: tag -1 confirmed

Hi,

On Mon, Jan 16, 2023 at 07:41:21AM +0100, László Böszörményi wrote:
> On Mon, Jan 16, 2023 at 6:38 AM Salvatore Bonaccorso wrote:
> > On Sun, Jan 15, 2023 at 04:57:24PM -0500, Daniel Kahn Gillmor wrote:
> > > I was looking into CVE-2022-24859 and pypdf2, and trying to figure out
> > > whether the version in bullseye is still vulnerable, as it appears to be
> > > according to the security tracker:
> [...]
> > It is still unfixed in bullseye TTBOMK, but would not warrant a DSA.
> Indeed, it's not yet fixed for Bullseye and doesn't warrant a DSA as
> the max impact is an infinite loop in the user's own process.
>
> > Can you propose a fix for it with cherry-picking the pull request
> > changes for the next bullseye point release?
> Correct, it needs to go via Bullseye point update. I attached the
> short change which has the original commit as Salvatore noted.

Either of the proposed diffs is fine; please go ahead.

Thanks,

--
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1009879: security update needed for pypdf2 in bullseye (CVE-2022-24859)?
Control: clone 1009879 -1
Control: reassign -1 release.debian.org
Control: tag -1 + bullseye
Control: user release.debian@packages.debian.org
Control: usertag -1 pu
Control: affects -1 src:pypdf2
Control: retitle -1 bullseye-pu: package pypdf2/1.26.0-4+deb11u1

On Mon 2023-01-16 07:41:21 +0100, László Böszörményi (GCS) wrote:
> Correct, it needs to go via Bullseye point update. I attached the
> short change which has the original commit as Salvatore noted.

Thanks for the confirmation, László. Sounds good to me.

It looks like i failed to attach the debdiff to my initial e-mail, but I
had intended to offer the same substantive changeset that you identified.

I'm cloning this bug report to ask for confirmation from the stable
release managers, with a refreshed debdiff. I've also pushed the changes
into salsa on the debian/pypdf2/bullseye branch.

Release maintainers: if you can confirm this, i'll go ahead with the
upload so that this is fixed in the next point release of bullseye.

Regards,

        --dkg

diff -Nru pypdf2-1.26.0/debian/changelog pypdf2-1.26.0/debian/changelog --- pypdf2-1.26.0/debian/changelog 2020-01-19 03:08:58.0 -0500 +++ pypdf2-1.26.0/debian/changelog 2023-01-15 16:22:04.0 -0500 @@ -1,3 +1,15 @@ +pypdf2 (1.26.0-4+deb11u1) bullseye; urgency=high + + * Add myself to uploaders + * Point to Salsa for packaging revision control. + * Fix CVE-2022-24859: +Sebastian Krause discovered that manipulated inline images can force +PyPDF2, a pure Python PDF library, into an infinite loop, if a maliciously +crafted PDF file is processed. (Thanks, Markus Koschany ) +Closes: #1009879 + + -- Daniel Kahn Gillmor Sun, 15 Jan 2023 16:22:04 -0500 + pypdf2 (1.26.0-4) unstable; urgency=medium * Remove Python 2 from build dependencies (closes: #937505). diff -Nru pypdf2-1.26.0/debian/control pypdf2-1.26.0/debian/control --- pypdf2-1.26.0/debian/control 2020-01-19 03:08:58.0 -0500 +++ pypdf2-1.26.0/debian/control 2023-01-15 16:22:04.0 -0500 
@@ -1,8 +1,11 @@ Source: pypdf2 Maintainer: Laszlo Boszormenyi (GCS) +Uploaders: Daniel Kahn Gillmor Section: python Priority: optional Build-Depends: debhelper-compat (= 12), dh-python, python3-all +Vcs-Git: https://salsa.debian.org/debian/pypdf.git -b debian/pypdf2/bullseye +Vcs-Browser: https://salsa.debian.org/debian/pypdf Standards-Version: 4.4.1 Homepage: https://pythonhosted.org/PyPDF2/ diff -Nru pypdf2-1.26.0/debian/gbp.conf pypdf2-1.26.0/debian/gbp.conf --- pypdf2-1.26.0/debian/gbp.conf 1969-12-31 19:00:00.0 -0500 +++ pypdf2-1.26.0/debian/gbp.conf 2023-01-15 16:22:04.0 -0500 @@ -0,0 +1,3 @@ +[DEFAULT] +debian-branch = debian/pypdf2/bullseye +pristine-tar = True diff -Nru pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch --- pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch 1969-12-31 19:00:00.0 -0500 +++ pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch 2023-01-15 16:22:04.0 -0500 
@@ -0,0 +1,65 @@ +From: Sebastian Krause +Date: Fri, 15 Apr 2022 13:55:29 +0200 +Subject: [PATCH] SEC/PERF: ContentStream_readInlineImage (#740) + +Bug-Debian: https://bugs.debian.org/1009879 +Origin: https://github.com/py-pdf/PyPDF2/pull/740 +Closes #329 - potential infinite loop (SEC) +Closes #330 - performance issue of ContentStream._readInlineImage (PERF) +--- + PyPDF2/pdf.py | 32 ++-- + 1 file changed, 22 insertions(+), 10 deletions(-) + +diff --git a/PyPDF2/pdf.py b/PyPDF2/pdf.py +index 9979414..b55dfba 100644 +--- a/PyPDF2/pdf.py b/PyPDF2/pdf.py +@@ -2723,11 +2723,25 @@ class ContentStream(DecodedStreamObject): + # left at beginning of ID + tmp = stream.read(3) + assert tmp[:2] == b_("ID") +-data = b_("") ++data = BytesIO() ++# Read the inline image, while checking for EI (End Image) operator. + while True: +-# Read the inline image, while checking for EI (End Image) operator. +-tok = stream.read(1) +-if tok == b_("E"): ++# Read 8 kB at a time and check if the chunk contains the E operator. ++buf = stream.read(8192) ++# We have reached the end of the stream, but haven't found the EI operator. ++if not buf: ++raise utils.PdfReadError("Unexpected end of stream") ++loc = buf.find(b_("E")) ++ ++if loc == -1: ++data.write(buf) ++else: ++# Write out everything before the E. ++data.write(buf[0:loc]) ++ ++# Seek back in the stream to read the E next. ++stream.seek(loc - len(buf), 1) ++tok = stream.read(1) + # Check for End Image + tok2 = stream.read(1) + if tok2 == b_("I"): +@@ -2744,14 +2758,12 @@ class ContentStream(DecodedStreamObject): +
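Review bot: the debian/changelog entry for 1.26.0-4+deb11u1 bundles two packaging-metadata changes ("Add myself to uploaders" and "Point to Salsa for packaging revision control", which correspond to the Uploaders, Vcs-Git and Vcs-Browser additions in debian/control and the new debian/gbp.conf) with the CVE-2022-24859 fix; for a bullseye point update the release team generally wants the diff limited to the targeted change, so consider leaving those metadata changes to the unstable upload and keeping only the CVE bullet here. If they stay, naming the patch file (debian/patches/CVE-2022-24859.patch) in the changelog bullet would let the stable reviewer map the entry to the hunk directly.

Review bot: the DEP-3 header of CVE-2022-24859.patch records Bug-Debian and an Origin that points at the pull request (https://github.com/py-pdf/PyPDF2/pull/740) but not the upstream commit actually being backported, and the patch body carries no git `From <sha>` line. The other debdiff in this thread keeps the upstream header `From d71fb3e6249a07682e8ebc456e26499923ff9031`, so consider recording that hash in the Origin field (for example `Origin: backport, https://github.com/py-pdf/PyPDF2/commit/d71fb3e6249a07682e8ebc456e26499923ff9031`) and adding an `Applied-Upstream:` line, so the security tracker and future rebases can identify the exact revision.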
Bug#1009879: security update needed for pypdf2 in bullseye (CVE-2022-24859)?
Hi Daniel,

On Mon, Jan 16, 2023 at 6:38 AM Salvatore Bonaccorso wrote:
> On Sun, Jan 15, 2023 at 04:57:24PM -0500, Daniel Kahn Gillmor wrote:
> > I was looking into CVE-2022-24859 and pypdf2, and trying to figure out
> > whether the version in bullseye is still vulnerable, as it appears to be
> > according to the security tracker:
[...]
> It is still unfixed in bullseye TTBOMK, but would not warrant a DSA.
Indeed, it's not yet fixed for Bullseye and doesn't warrant a DSA as
the max impact is an infinite loop in the user's own process.

> Can you propose a fix for it with cherry-picking the pull request
> changes for the next bullseye point release?
Correct, it needs to go via Bullseye point update. I attached the
short change which has the original commit as Salvatore noted.

Sorry for the noise,
Laszlo/GCS

diff -Nru pypdf2-1.26.0/debian/changelog pypdf2-1.26.0/debian/changelog --- pypdf2-1.26.0/debian/changelog 2020-01-19 09:08:58.0 +0100 +++ pypdf2-1.26.0/debian/changelog 2023-01-16 07:22:11.0 +0100 @@ -1,3 +1,10 @@ +pypdf2 (1.26.0-4+deb11u1) bullseye; urgency=high + + * Backport fix for CVE-2022-24859: manipulated inline images can cause +infinite loop (closes: #1009879). + + -- Laszlo Boszormenyi (GCS) Mon, 16 Jan 2023 07:22:11 +0100 + pypdf2 (1.26.0-4) unstable; urgency=medium * Remove Python 2 from build dependencies (closes: #937505). diff -Nru pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch --- pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch 1970-01-01 01:00:00.0 +0100 +++ pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch 2023-01-16 00:10:42.0 +0100 
@@ -0,0 +1,64 @@ +From d71fb3e6249a07682e8ebc456e26499923ff9031 Mon Sep 17 00:00:00 2001 +From: Sebastian Krause +Date: Fri, 15 Apr 2022 13:55:29 +0200 +Subject: [PATCH] SEC/PERF: ContentStream_readInlineImage (#740) + +Closes #329 - potential infinite loop (SEC) +Closes #330 - performance issue of ContentStream._readInlineImage (PERF) +--- + PyPDF2/pdf.py | 32 ++-- + 1 file changed, 22 insertions(+), 10 deletions(-) + +diff --git a/PyPDF2/pdf.py b/PyPDF2/pdf.py +index 5bd4b7968..6d1824384 100644 +--- a/PyPDF2/pdf.py b/PyPDF2/pdf.py +@@ -2723,11 +2723,25 @@ def _readInlineImage(self, stream): + # left at beginning of ID + tmp = stream.read(3) + assert tmp[:2] == b_("ID") +-data = b_("") ++data = BytesIO() ++# Read the inline image, while checking for EI (End Image) operator. + while True: +-# Read the inline image, while checking for EI (End Image) operator. +-tok = stream.read(1) +-if tok == b_("E"): ++# Read 8 kB at a time and check if the chunk contains the E operator. ++buf = stream.read(8192) ++# We have reached the end of the stream, but haven't found the EI operator. ++if not buf: ++raise utils.PdfReadError("Unexpected end of stream") ++loc = buf.find(b_("E")) ++ ++if loc == -1: ++data.write(buf) ++else: ++# Write out everything before the E. ++data.write(buf[0:loc]) ++ ++# Seek back in the stream to read the E next. 
++stream.seek(loc - len(buf), 1) ++tok = stream.read(1) + # Check for End Image + tok2 = stream.read(1) + if tok2 == b_("I"): +@@ -2744,14 +2758,12 @@ def _readInlineImage(self, stream): + stream.seek(-1, 1) + break + else: +-stream.seek(-1,1) +-data += info ++stream.seek(-1, 1) ++data.write(info) + else: + stream.seek(-1, 1) +-data += tok +-else: +-data += tok +-return {"settings": settings, "data": data} ++data.write(tok) ++return {"settings": settings, "data": data.getvalue()} + + def _getData(self): + newdata = BytesIO() diff -Nru pypdf2-1.26.0/debian/patches/series pypdf2-1.26.0/debian/patches/series --- pypdf2-1.26.0/debian/patches/series 2016-09-05 19:14:14.0 +0200 +++ pypdf2-1.26.0/debian/patches/series 2023-01-16 00:13:06.0 +0100 @@ -1 +1,2 @@ Prevent_infinite_loop_in_readObject.patch +CVE-2022-24859.patch
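Review bot: this copy of CVE-2022-24859.patch keeps the upstream git header (`From d71fb3e6249a07682e8ebc456e26499923ff9031`, author, date and subject) but has no DEP-3 `Origin:` or `Bug-Debian:` lines; add `Origin: upstream, https://github.com/py-pdf/PyPDF2/pull/740` and `Bug-Debian: https://bugs.debian.org/1009879` as the other debdiff in this thread does, so the patch is self-describing once it lands in the source package.

Review bot: in the first hunk of PyPDF2/pdf.py, the new `if not buf: raise utils.PdfReadError("Unexpected end of stream")` guard only fires when a chunk read returns empty, and the byte-wise EI check that follows can keep the loop alive without ever reaching that condition. If the stream ends immediately after an 'E', `tok2 = stream.read(1)` returns b'' rather than b'I', the outer `else` branch runs `stream.seek(-1, 1)`, which rewinds onto the 'E' itself, `data.write(tok)` appends it, and the next `stream.read(8192)` returns that same single 'E' again, so the loop never terminates and `data` grows by one byte per iteration. Suggest treating an empty `tok2` like an empty `buf` (raise PdfReadError before seeking back) and adding a regression input whose inline image data ends in a bare 'E'.

Review bot: in the second hunk, the inner `else` branch (an 'EI' that turns out not to terminate the image) writes only `info` to `data`, whereas the 'E' held in `tok` is written only in the outer `else` branch (`data.write(tok)`), so that 'E' byte is silently dropped from the recovered image data whenever the raw bytes happen to contain 'EI'. This is carried over unchanged from the removed `data += info` / `data += tok` lines and is out of scope for the CVE backport, but it is worth a follow-up upstream.

Review bot: debian/patches/series now applies CVE-2022-24859.patch after Prevent_infinite_loop_in_readObject.patch, and both touch PyPDF2/pdf.py; the new patch's hunk headers (`@@ -2723,11 +2723,25 @@`, `@@ -2744,14 +2758,12 @@`) and index line (`5bd4b7968..6d1824384`) come from the upstream tree, not from the already-patched Debian source, so confirm with `quilt push -a` (or a full build) that it applies on top of the existing patch without offset or fuzz warnings, and refresh it if it does not.

The "infinite loop in the user's own process" that Laszlo and Salvatore agree on, and the shape of the fix in the patch above, are easiest to see on a few bytes. The following is an added example (my code, not PyPDF2's and not part of either debdiff): a minimal model of the inline-image scanner in its pre-fix and post-fix shapes, run against a constructed content-stream fragment. Everything specific here is an assumption made for the demo: the `BI ... ID` prefix and the sample image bytes, the simplified terminator test (EI followed by whitespace, rewinding by absolute position, where upstream additionally looks for the Q operator and rewinds with a relative seek), and the `max_reads` guard that lets the old loop return instead of hanging.

```python
"""Added example, not PyPDF2's own code: a minimal model of the inline-image
scanner that CVE-2022-24859 concerns, in its pre-fix and post-fix shapes.

Assumptions made for this demo: the BI/ID prefix, the sample image bytes,
the simplified EI test (EI followed by whitespace; upstream also looks for
the Q operator) and the max_reads guard on the old loop."""
import io

# PDF whitespace bytes (assumption: the usual set, including NUL).
WHITESPACE = b"\x00\t\n\x0c\r "


class PdfReadError(Exception):
    """Stands in for PyPDF2's utils.PdfReadError."""


def _end_image_here(stream):
    """Called with the stream positioned just after an 'E'.

    Returns True if that 'E' begins the EI operator (an 'I' followed by
    whitespace). Otherwise rewinds to just after the 'E' and returns False,
    so the caller treats the 'E' as image data and keeps scanning."""
    start = stream.tell()
    tok2 = stream.read(1)
    if tok2 == b"I":
        tok3 = stream.read(1)
        if tok3 != b"" and tok3 in WHITESPACE:
            return True
    stream.seek(start)
    return False


def read_inline_image_old(stream, max_reads=100_000):
    """Pre-fix shape: one byte per read(). At end of stream read(1) returns
    b'' forever, so a stream with no terminating EI never leaves the loop.
    max_reads is an artificial guard added for this demo so the vulnerable
    path terminates and its behaviour can be observed."""
    data = b""
    for _ in range(max_reads):
        tok = stream.read(1)
        if tok == b"E" and _end_image_here(stream):
            return data
        data += tok  # b'' at EOF: no progress, but no exit either
    raise RuntimeError("guard tripped: the scanner would spin forever")


def read_inline_image_new(stream, chunk=8192):
    """Post-fix shape: read in 8 kB chunks, search each for 'E', and raise on
    an empty read instead of spinning."""
    data = io.BytesIO()
    while True:
        buf = stream.read(chunk)
        if not buf:
            raise PdfReadError("Unexpected end of stream")
        loc = buf.find(b"E")
        if loc == -1:
            data.write(buf)
            continue
        data.write(buf[:loc])            # everything before the 'E'
        stream.seek(loc - len(buf), 1)   # rewind to the 'E' itself
        tok = stream.read(1)
        if _end_image_here(stream):
            return data.getvalue()
        data.write(tok)                  # not EI: the 'E' is image data


def inline_image_stream(image_bytes, terminated=True):
    """Constructed sample content stream: an inline image with a 4x4 gray
    dictionary. Returns a BytesIO positioned just after 'ID ', where the
    scanners start. terminated=False omits the EI operator (the CVE trigger).
    The whitespace separating the data from EI stays in the returned data,
    as in the loop this models."""
    payload = b"BI /W 4 /H 4 /BPC 8 /CS /G ID " + image_bytes
    if terminated:
        payload += b" EI Q"
    stream = io.BytesIO(payload)
    stream.seek(payload.index(b"ID ") + 3)
    return stream


def probe(scanner, image_bytes, terminated=True):
    """Run one scanner on a constructed stream and classify the outcome:
    ('ok', data), ('error', message) or ('hang', None)."""
    try:
        return ("ok", scanner(inline_image_stream(image_bytes, terminated)))
    except PdfReadError as exc:
        return ("error", str(exc))
    except RuntimeError:
        return ("hang", None)


if __name__ == "__main__":
    # Image bytes that themselves contain "EI", to exercise the false-match path.
    sample = b"\x00\x01EI\x02\x03"
    for name, scanner in (("old", read_inline_image_old),
                          ("new", read_inline_image_new)):
        print(name, "terminated:", probe(scanner, sample, True))
        print(name, "truncated: ", probe(scanner, sample, False))
```

Run as a script, both scanners agree on a well-formed stream (including when the image bytes themselves contain "EI") and diverge on a truncated one: the old loop reads b'' forever and only the artificial guard stops it, while the new loop raises on the first empty read. The same truncated fragment, wrapped in a page content stream and fed to the installed PyPDF2 under a timeout, is the practical check for whether a given package version carries the fix.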
Bug#1009879: security update needed for pypdf2 in bullseye (CVE-2022-24859)?
Hi Daniel,

On Sun, Jan 15, 2023 at 04:57:24PM -0500, Daniel Kahn Gillmor wrote:
> Hi László and debian security team--
>
> I was looking into CVE-2022-24859 and pypdf2, and trying to figure out
> whether the version in bullseye is still vulnerable, as it appears to be
> according to the security tracker:
>
>    https://security-tracker.debian.org/tracker/CVE-2022-24859
>
> It's not clear to me whether
> debian/patches/Prevent_infinite_loop_in_readObject.patch is intended to
> fix the same bug or not (it's certainly similar-sounding, but it is in
> an entirely different part of the codebase than i think is relevant).
> If it's not the same, maybe we need the patch that is currently applied
> to debian LTS.
>
> If the latter is needed, the attached debdiff should solve the problem
> in bullseye. I've also pushed a branch "debian/pypdf2/bullseye" in
> https://salsa.debian.org/debian/pypdf with the same information, in line
> with the collaborative workspace that László and i set up for handling
> PyPDF2 and its transition to pypdf.
>
> Please let me know whether this is something that should be uploaded.
>
> If it's not needed, then presumably we should update the security
> tracker to acknowledge that the version in bullseye is already fixed.

The fix for CVE-2022-24859 can be found via

https://github.com/py-pdf/PyPDF2/issues/329
https://github.com/py-pdf/PyPDF2/pull/740
https://github.com/py-pdf/pypdf/security/advisories/GHSA-xcjx-m2pj-8g79

It is still unfixed in bullseye TTBOMK, but would not warrant a DSA. Can
you propose a fix for it with cherry-picking the pull request changes
for the next bullseye point release?

Regards,
Salvatore
Bug#1009879: security update needed for pypdf2 in bullseye (CVE-2022-24859)?
Hi László and debian security team--

I was looking into CVE-2022-24859 and pypdf2, and trying to figure out
whether the version in bullseye is still vulnerable, as it appears to be
according to the security tracker:

   https://security-tracker.debian.org/tracker/CVE-2022-24859

It's not clear to me whether
debian/patches/Prevent_infinite_loop_in_readObject.patch is intended to
fix the same bug or not (it's certainly similar-sounding, but it is in
an entirely different part of the codebase than i think is relevant).
If it's not the same, maybe we need the patch that is currently applied
to debian LTS.

If the latter is needed, the attached debdiff should solve the problem
in bullseye. I've also pushed a branch "debian/pypdf2/bullseye" in
https://salsa.debian.org/debian/pypdf with the same information, in line
with the collaborative workspace that László and i set up for handling
PyPDF2 and its transition to pypdf.

Please let me know whether this is something that should be uploaded.

If it's not needed, then presumably we should update the security
tracker to acknowledge that the version in bullseye is already fixed.

        --dkg