
Bug#1009879: pypdf2: CVE-2022-24859: Manipulated inline images can cause Infinite Loop


Salvatore Bonaccorso

Apr 19, 2022, 3:20:04 PM

Source: pypdf2
Version: 1.26.0-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/py-pdf/PyPDF2/issues/329
X-Debbugs-Cc: car...@debian.org, Debian Security Team <te...@security.debian.org>

Hi,

The following vulnerability was published for pypdf2.

CVE-2022-24859[0]:
| PyPDF2 is an open source python PDF library capable of splitting,
| merging, cropping, and transforming the pages of PDF files. In
| versions prior to 1.27.5 an attacker who uses this vulnerability can
| craft a PDF which leads to an infinite loop if the PyPDF2 code
| attempts to get the content stream. The reason is that the last while-
| loop in `ContentStream._readInlineImage` only terminates when it finds
| the `EI` token, but never actually checks if the stream has already
| ended. This issue has been resolved in version `1.27.5`. Users unable
| to upgrade should validate PDFs prior to iterating over their
| content stream.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24859
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24859
[1] https://github.com/py-pdf/PyPDF2/issues/329
[2] https://github.com/py-pdf/PyPDF2/security/advisories/GHSA-xcjx-m2pj-8g79

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
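
The loop the CVE text describes, modelled in added example code (this is not PyPDF2's own source and not the Debian patch): a simplified reader for the bytes that follow the `ID` operator, which raises on end of stream instead of spinning, plus a pre-check of the kind the advisory recommends for users who cannot upgrade. The function names and the whitespace-only `EI` lookahead are simplifications of mine.

```python
import io
import re
class PdfReadError(Exception):
    """Raised when the content stream ends inside an inline image."""
WHITESPACE = b" \t\r\n\x0c\x00"
IMAGE_DATA_START = re.compile(rb"\sID\s")  # the ID operator that opens image data

def read_inline_image_data(stream):
    """Bytes between ID and the closing EI token: a simplified model of the last
    loop in ContentStream._readInlineImage, not the project's code. read(1) gives
    b"" at end of stream, never b"E", so without an EOF check the loop never ends."""
    data = b""
    while True:
        tok = stream.read(1)
        if not tok:  # the check that was missing before 1.27.5 (CVE-2022-24859)
            raise PdfReadError("Unexpected end of stream inside inline image")
        if tok != b"E":
            data += tok
            continue
        tok2 = stream.read(1)
        if tok2 != b"I":  # a lone 'E' is image data; push tok2 back
            stream.seek(-len(tok2), 1)
            data += tok
            continue
        tok3 = stream.read(1)  # data may contain "EI": operator only before whitespace/EOF
        if tok3 == b"" or tok3 in WHITESPACE:
            return data
        stream.seek(-1, 1)
        data += tok + tok2

def inline_image_data(content):
    """Image data from a content fragment that starts right after ID."""
    return read_inline_image_data(io.BytesIO(content))

def validate_inline_images(content):
    """Pre-check a raw content stream before a parser iterates over it: every
    inline image opened with ID must reach EI. Returns (True, count) or (False, why)."""
    stream = io.BytesIO(content)
    pos, images = 0, 0
    while True:
        idm = IMAGE_DATA_START.search(content, pos)  # ID operator of the next image
        if idm is None:
            return True, images
        stream.seek(idm.end())  # first byte of the binary image data
        try:
            read_inline_image_data(stream)
        except PdfReadError as exc:
            return False, "%s (inline image %d)" % (exc, images + 1)
        images += 1
        pos = stream.tell()
```

The sample content streams in the test are constructed; a real stream is obtained by decoding the page's /Contents object before calling validate_inline_images.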

Daniel Kahn Gillmor

Jan 15, 2023, 5:10:04 PM

Hi László and debian security team--

I was looking into CVE-2022-24859 and pypdf2, and trying to figure out
whether the version in bullseye is still vulnerable, as it appears to be
according to the security tracker:

https://security-tracker.debian.org/tracker/CVE-2022-24859

It's not clear to me whether
debian/patches/Prevent_infinite_loop_in_readObject.patch is intended to
fix the same bug or not (it's certainly similar-sounding, but it is in
an entirely different part of the codebase than i think is relevant).
If it's not the same, maybe we need the patch that is currently applied
to debian LTS.

If the latter is needed, the attached debdiff should solve the problem
in bullseye. I've also pushed a branch "debian/pypdf2/bullseye" in
https://salsa.debian.org/debian/pypdf with the same information, in line
with the collaborative workspace that László and i set up for handling
PyPDF2 and its transition to pypdf.

Please let me know whether this is something that should be uploaded.

If it's not needed, then presumably we should update the security
tracker to acknowledge that the version in bullseye is already fixed.

--dkg

Salvatore Bonaccorso

Jan 16, 2023, 12:50:04 AM

Hi Daniel,

The fix for CVE-2022-24859 can be found via

https://github.com/py-pdf/PyPDF2/issues/329
https://github.com/py-pdf/PyPDF2/pull/740
https://github.com/py-pdf/pypdf/security/advisories/GHSA-xcjx-m2pj-8g79

It is still unfixed in bullseye TTBOMK, but would not warrant a DSA.
Can you propose a fix for it with cherry-picking the pull request
changes for the next bullseye point release?

Regards,
Salvatore

László Böszörményi

Jan 16, 2023, 1:50:04 AM

Hi Daniel,

On Mon, Jan 16, 2023 at 6:38 AM Salvatore Bonaccorso <car...@debian.org> wrote:
> On Sun, Jan 15, 2023 at 04:57:24PM -0500, Daniel Kahn Gillmor wrote:
> > I was looking into CVE-2022-24859 and pypdf2, and trying to figure out
> > whether the version in bullseye is still vulnerable, as it appears to be
> > according to the security tracker:
[...]
> It is still unfixed in bullseye TTBOMK, but would not warrant a DSA.
Indeed, it's not yet fixed for Bullseye and doesn't warrant a DSA as
the max impact is an infinite loop in the user's own process.

> Can you propose a fix for it with cherry-picking the pull request
> changes for the next bullseye point release?
Correct, it needs to go via Bullseye point update. I attached the
short change which has the original commit as Salvatore noted.

Sorry for the noise,
Laszlo/GCS
pypdf2_1.26.0-4_to_1.26.0-4+deb11u1.patch

Andreas Beckmann

Jun 8, 2023, 12:10:05 PM

Hi Markus,

you took care of fixing this bug in stretch-lts. Can you look into
fixing this in buster-lts, too? Right now buster(-lts) has a lower
version than stretch-lts.

pypdf2 | 1.26.0-2 | stretch | source
pypdf2 | 1.26.0-2 | buster | source
pypdf2 | 1.26.0-2+deb9u1 | stretch-security | source
pypdf2 | 1.26.0-4 | bullseye | source

(for bullseye there is pu request #1029008)


Andreas

Markus Koschany

Jun 8, 2023, 5:31:24 PM

Hi Andreas,

On Thursday, 08.06.2023 at 18:05 +0200, Andreas Beckmann wrote:
> Hi Markus,
>
> you took care of fixing this bug in stretch-lts. Can you look into
> fixing this in buster-lts, too? Right now buster(-lts) has a lower
> version than stretch-lts.

Thanks! I'll take care of that soon.

Markus


Jonathan Wiltshire

Jul 25, 2023, 5:40:04 PM

Control: tag -1 confirmed

Hi,

Either of the proposed diffs is fine; please go ahead.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

Jonathan Wiltshire

Oct 8, 2023, 8:10:05 AM

On Tue, Jul 25, 2023 at 10:26:06PM +0100, Jonathan Wiltshire wrote:
> On Mon, Jan 16, 2023 at 07:41:21AM +0100, László Böszörményi wrote:
> > On Mon, Jan 16, 2023 at 6:38 AM Salvatore Bonaccorso <car...@debian.org> wrote:
> > > On Sun, Jan 15, 2023 at 04:57:24PM -0500, Daniel Kahn Gillmor wrote:
> > > > I was looking into CVE-2022-24859 and pypdf2, and trying to figure out
> > > > whether the version in bullseye is still vulnerable, as it appears to be
> > > > according to the security tracker:
> > [...]
> > > It is still unfixed in bullseye TTBOMK, but would not warrant a DSA.
> > Indeed, it's not yet fixed for Bullseye and doesn't warrant a DSA as
> > the max impact is an infinite loop in the user's own process.
> >
> > > Can you propose a fix for it with cherry-picking the pull request
> > > changes for the next bullseye point release?
> > Correct, it needs to go via Bullseye point update. I attached the
> > short change which has the original commit as Salvatore noted.
>
> Either of the proposed diffs is fine; please go ahead.

This request was approved but not uploaded in time for the previous point
release (11.8). Should it be included in 11.9, or should this request be
abandoned and closed?

Jonathan Wiltshire

Feb 6, 2024, 1:00:06 PM

Control: close -1

Hi,

On Tue, Jul 25, 2023 at 10:26:06PM +0100, Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
>
> Hi,
>
> On Mon, Jan 16, 2023 at 07:41:21AM +0100, László Böszörményi wrote:
> > On Mon, Jan 16, 2023 at 6:38 AM Salvatore Bonaccorso <car...@debian.org> wrote:
> > > On Sun, Jan 15, 2023 at 04:57:24PM -0500, Daniel Kahn Gillmor wrote:
> > > > I was looking into CVE-2022-24859 and pypdf2, and trying to figure out
> > > > whether the version in bullseye is still vulnerable, as it appears to be
> > > > according to the security tracker:
> > [...]
> > > It is still unfixed in bullseye TTBOMK, but would not warrant a DSA.
> > Indeed, it's not yet fixed for Bullseye and doesn't warrant a DSA as
> > the max impact is an infinite loop in the user's own process.
> >
> > > Can you propose a fix for it with cherry-picking the pull request
> > > changes for the next bullseye point release?
> > Correct, it needs to go via Bullseye point update. I attached the
> > short change which has the original commit as Salvatore noted.
>
> Either of the proposed diffs is fine; please go ahead.

This package has not been uploaded in time for two consecutive point
releases now, so I am closing the request.