Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
CVE fix.
[ Impact ]
Users still vulernable to security issue.
[ Tests ]
Upstream has an extensive test suite, although we don't include a test
specifically for this issue. All tests pass on bookworm locally.
[ Risks ]
Risk is negligible. Code is trivial. Fix has been available for 8
months upstream. The same code is in pypdf and there have been no
issues reported with it (stable update for it is pending as well).
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Add a patch to apply the upstream fix for the issue.
[ Other info ]
This looks like an NMU in bookworm, but I just adopted the package. I
did not include the maintainer changes in the stble-update since that
seemed to get beyone a minimal fix.
Scott K
diff -Nru pypdf2-2.12.1/debian/changelog pypdf2-2.12.1/debian/changelog
--- pypdf2-2.12.1/debian/changelog 2023-01-13 16:38:55.000000000 -0500
+++ pypdf2-2.12.1/debian/changelog 2024-01-19 17:32:34.000000000 -0500
@@ -1,3 +1,12 @@
+pypdf2 (2.12.1-3+deb12u1) bookworm; urgency=medium
+
+ * Prevent infinite loop when no character follows after a comment (Closes:
+ #1040339)
+ - Addresses CVE-2023-36464
+ - Add d/p/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
+
+ -- Scott Kitterman <sc...@kitterman.com> Fri, 19 Jan 2024 17:32:34 -0500
+
pypdf2 (2.12.1-3) unstable; urgency=medium
* disable two more network tests
diff -Nru
pypdf2-2.12.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
pypdf2-2.12.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
---
pypdf2-2.12.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
1969-12-31 19:00:00.000000000 -0500
+++
pypdf2-2.12.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
2024-01-19 17:30:16.000000000 -0500
@@ -0,0 +1,21 @@
+From: Scott Kitterman <sc...@kitterman.com>
+Date: Mon, 15 Jan 2024 11:34:11 -0500
+Subject: Prevent infinite loop when no character follows after a comment
+https://security-tracker.debian.org/tracker/CVE-2023-36464
+---
+ PyPDF2/generic/_data_structures.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: pypdf/PyPDF2/generic/_data_structures.py
+===================================================================
+--- pypdf.orig/PyPDF2/generic/_data_structures.py
++++ pypdf/PyPDF2/generic/_data_structures.py
+@@ -733,7 +733,7 @@ class ContentStream(DecodedStreamObject)
+ # encountering a comment -- but read_object assumes that
+ # following the comment must be the object we're trying to
+ # read. In this case, it could be an operator instead.
+- while peek not in (b"\r", b"\n"):
++ while peek not in (b"\r", b"\n", b""):
+ peek = stream.read(1)
+ else:
+ operands.append(read_object(stream, None,
self.forced_encoding))
diff -Nru pypdf2-2.12.1/debian/patches/series
pypdf2-2.12.1/debian/patches/series
--- pypdf2-2.12.1/debian/patches/series 2023-01-13 16:38:30.000000000 -0500
+++ pypdf2-2.12.1/debian/patches/series 2024-01-19 17:30:16.000000000 -0500
@@ -1 +1,2 @@
disable-network-tests.patch
+0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
