Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
(Please provide enough information to help the release team to judge the request efficiently. E.g. by filling in the sections below.)

[ Reason ]
This upload adds a patch to address CVE-2023-36464. It was assessed by the security team as no-dsa, so I think we ought to fix it in a stable update.

[ Impact ]
Users remain vulnerable to the DoS attack described in the CVE.

[ Tests ]
There is a pypdf test suite that runs during package build and autopkgtest. Upstream did add a test for this issue, but since it requires test assets not available in Debian, I did not include it in the patch.

[ Risks ]
Code is trivial and the risk of regression is negligible. This is the exact fix upstream used. The fix has been in the wild for 8 months, so I think if it was going to cause a problem, we'd know by now.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Added the upstream change to fix the CVE (only the change to pypdf/generic/_data_structures.py is relevant):
https://github.com/py-pdf/pypdf/commit/b0e5c689df689ab173df84dacd77b6fc3c161932

Updated gbp.conf to point at the bookworm branch

[ Other info ]
This will look like an NMU in tools that look at stable. I just adopted the package due to the original maintainer's RFA and have uploaded to unstable (including this fix). I elected not to change the maintainer in this upload since that didn't fit with a minimal change in stable.

Scott K
diff -Nru pypdf-3.4.1/debian/changelog pypdf-3.4.1/debian/changelog --- pypdf-3.4.1/debian/changelog 2023-02-14 16:58:00.000000000 -0500 +++ pypdf-3.4.1/debian/changelog 2024-01-15 11:28:43.000000000 -0500 @@ -1,3 +1,13 @@ +pypdf (3.4.1-1+deb12u1) bookworm; urgency=medium + + * Update debian/gbp.conf to point at bookworm branch + * Prevent infinite loop when no character follows after a comment (Closes: + #1040338) + - Addresses CVE-2023-36464 + - Add d/p/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch + + -- Scott Kitterman <sc...@kitterman.com> Mon, 15 Jan 2024 11:28:43 -0500 + pypdf (3.4.1-1) unstable; urgency=medium * New upstream version 3.4.1 diff -Nru pypdf-3.4.1/debian/gbp.conf pypdf-3.4.1/debian/gbp.conf --- pypdf-3.4.1/debian/gbp.conf 2023-02-14 16:58:00.000000000 -0500 +++ pypdf-3.4.1/debian/gbp.conf 2024-01-15 11:28:20.000000000 -0500 @@ -1,3 +1,3 @@ [DEFAULT] -debian-branch = debian/unstable +debian-branch = debian/bookworm pristine-tar = True diff -Nru pypdf-3.4.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch pypdf-3.4.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch --- pypdf-3.4.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch 1969-12-31 19:00:00.000000000 -0500 +++ pypdf-3.4.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch 2024-01-15 11:28:43.000000000 -0500 
@@ -0,0 +1,21 @@ +From: Scott Kitterman <sc...@kitterman.com> +Date: Mon, 15 Jan 2024 11:34:11 -0500 +Subject: Prevent infinite loop when no character follows after a comment +https://security-tracker.debian.org/tracker/CVE-2023-36464 +--- + pypdf/generic/_data_structures.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/pypdf/generic/_data_structures.py b/pypdf/generic/_data_structures.py +index bb2e028..524d4e0 100644 +--- a/pypdf/generic/_data_structures.py ++++ b/pypdf/generic/_data_structures.py +@@ -979,7 +979,7 @@ class ContentStream(DecodedStreamObject): + # encountering a comment -- but read_object assumes that + # following the comment must be the object we're trying to + # read. In this case, it could be an operator instead. +- while peek not in (b"\r", b"\n"): ++ while peek not in (b"\r", b"\n", b""): + peek = stream.read(1) + else: + operands.append(read_object(stream, None, self.forced_encoding)) diff -Nru pypdf-3.4.1/debian/patches/series pypdf-3.4.1/debian/patches/series --- pypdf-3.4.1/debian/patches/series 2023-02-14 16:58:00.000000000 -0500 +++ pypdf-3.4.1/debian/patches/series 2024-01-15 11:28:43.000000000 -0500 @@ -1,2 +1,3 @@ 0001-Use-formal-Cryptodome-namespace.patch 0002-mark-new-external-tests-appropriately.patch +0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
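Review bot: the new 0003-Prevent-infinite-loop-when-no-character-follows-afte.patch header should carry a DEP-3 `Origin: upstream, https://github.com/py-pdf/pypdf/commit/b0e5c689df689ab173df84dacd77b6fc3c161932` line (and ideally `Bug-Debian: https://bugs.debian.org/1040338`), since the `From:`/`Date:` fields as written attribute the change to the Debian maintainer while the bug body says it is the exact upstream fix; the security-tracker URL alone does not record provenance. The logic of the one-line change itself checks out: `stream.read(1)` returns `b""` once the content stream is exhausted, so a comment with no trailing `\r` or `\n` previously kept `while peek not in (b"\r", b"\n"):` spinning forever, and adding `b""` to the tuple makes the loop terminate at end of data, which is the DoS described in the bug. Consider stating that EOF termination condition in the patch description so the next reader does not have to rederive it from the code, and note that the changelog hunk references #1040338 while the patch references only the CVE, so having both in the DEP-3 header keeps them in sync.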