Bug#1029008: Bug#1009879: security update needed for pypdf2 in bullseye (CVE-2022-24859)?
Control: close -1 Hi, On Tue, Jul 25, 2023 at 10:26:06PM +0100, Jonathan Wiltshire wrote: > Control: tag -1 confirmed > > Hi, > > On Mon, Jan 16, 2023 at 07:41:21AM +0100, László Böszörményi wrote: > > On Mon, Jan 16, 2023 at 6:38 AM Salvatore Bonaccorso > > wrote: > > > On Sun, Jan 15, 2023 at 04:57:24PM -0500, Daniel Kahn Gillmor wrote: > > > > I was looking into CVE-2022-24859 and pypdf2, and trying to figure out > > > > whether the version in bullseye is still vulnerable, as it appears to be > > > > according to the security tracker: > > [...] > > > It is still unfixed in bullseye TTBOMK, but would not warrant a DSA. > > Indeed, it's not yet fixed for Bullseye and doesn't warrant a DSA as > > the max impact is an infinite loop in the user's own process. > > > > > Can you propose a fix for it with cherry-picking the pull request > > > changes for the next bullseye point release? > > Correct, it needs to go via Bullseye point update. I attached the > > short change which has the original commit as Salvatore noted. > > Either of the proposed diffs is fine; please go ahead. This package has not been uploaded in time for two consecutive point releases now, so I am closing the request. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1029008: Bug#1009879: security update needed for pypdf2 in bullseye (CVE-2022-24859)?
On Tue, Jul 25, 2023 at 10:26:06PM +0100, Jonathan Wiltshire wrote: > On Mon, Jan 16, 2023 at 07:41:21AM +0100, László Böszörményi wrote: > > On Mon, Jan 16, 2023 at 6:38 AM Salvatore Bonaccorso > > wrote: > > > On Sun, Jan 15, 2023 at 04:57:24PM -0500, Daniel Kahn Gillmor wrote: > > > > I was looking into CVE-2022-24859 and pypdf2, and trying to figure out > > > > whether the version in bullseye is still vulnerable, as it appears to be > > > > according to the security tracker: > > [...] > > > It is still unfixed in bullseye TTBOMK, but would not warrant a DSA. > > Indeed, it's not yet fixed for Bullseye and doesn't warrant a DSA as > > the max impact is an infinite loop in the user's own process. > > > > > Can you propose a fix for it with cherry-picking the pull request > > > changes for the next bullseye point release? > > Correct, it needs to go via Bullseye point update. I attached the > > short change which has the original commit as Salvatore noted. > > Either of the proposed diffs is fine; please go ahead. This request was approved but not uploaded in time for the previous point release (11.8). Should it be included in 11.9, or should this request be abandoned and closed? -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1029008: Bug#1009879: security update needed for pypdf2 in bullseye (CVE-2022-24859)?
Control: tag -1 confirmed Hi, On Mon, Jan 16, 2023 at 07:41:21AM +0100, László Böszörményi wrote: > On Mon, Jan 16, 2023 at 6:38 AM Salvatore Bonaccorso > wrote: > > On Sun, Jan 15, 2023 at 04:57:24PM -0500, Daniel Kahn Gillmor wrote: > > > I was looking into CVE-2022-24859 and pypdf2, and trying to figure out > > > whether the version in bullseye is still vulnerable, as it appears to be > > > according to the security tracker: > [...] > > It is still unfixed in bullseye TTBOMK, but would not warrant a DSA. > Indeed, it's not yet fixed for Bullseye and doesn't warrant a DSA as > the max impact is an infinite loop in the user's own process. > > > Can you propose a fix for it with cherry-picking the pull request > > changes for the next bullseye point release? > Correct, it needs to go via Bullseye point update. I attached the > short change which has the original commit as Salvatore noted. Either of the proposed diffs is fine; please go ahead. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
