Source: pypdf Version: 3.4.1-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Control: clone -1 -2 Control: reassign -2 src:pypdf2 2.12.1-3 Control: retitle -2 pypdf2: CVE-2023-36464
Hi, The following vulnerability was published for pypdf. CVE-2023-36464[0]: | pypdf is an open source, pure-python PDF library. In affected | versions an attacker may craft a PDF which leads to an infinite loop | if `__parse_content_stream` is executed. That is, for example, the | case if the user extracted text from such a PDF. This issue was | introduced in pull request #969 and resolved in pull request #1828. | Users are advised to upgrade. Users unable to upgrade may modify the | line `while peek not in (b"\r", b"\n")` in | `pypdf/generic/_data_structures.py` to `while peek not in (b"\r", | b"\n", b"")`. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-36464 https://www.cve.org/CVERecord?id=CVE-2023-36464 [1] https://github.com/py-pdf/pypdf/security/advisories/GHSA-4vvm-4w3v-6mr8 [2] https://github.com/py-pdf/pypdf/pull/1828 [3] https://github.com/py-pdf/pypdf/commit/b0e5c689df689ab173df84dacd77b6fc3c161932 Regards, Salvatore