Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-PyPDF2 for openSUSE:Factory checked in at 2026-03-22 14:11:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-PyPDF2 (Old) and /work/SRC/openSUSE:Factory/.python-PyPDF2.new.8177 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-PyPDF2" Sun Mar 22 14:11:49 2026 rev:17 rq:1341574 version:2.11.1 Changes: -------- --- /work/SRC/openSUSE:Factory/python-PyPDF2/python-PyPDF2.changes 2026-03-12 22:27:19.862777928 +0100 +++ /work/SRC/openSUSE:Factory/.python-PyPDF2.new.8177/python-PyPDF2.changes 2026-03-22 14:12:43.150708173 +0100 @@ -1,0 +2,7 @@ +Fri Mar 20 15:53:50 UTC 2026 - Markéta Machová <[email protected]> + +- CVE-2026-33123: excessive resource consumption when processing specially + crafted PDF due to inefficient decoding of array-based streams (bsc#1259992) + * CVE-2026-33123.patch + +------------------------------------------------------------------- New: ---- CVE-2026-33123.patch ----------(New B)---------- New: crafted PDF due to inefficient decoding of array-based streams (bsc#1259992) * CVE-2026-33123.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-PyPDF2.spec ++++++ --- /var/tmp/diff_new_pack.FjzViN/_old 2026-03-22 14:12:43.866737617 +0100 +++ /var/tmp/diff_new_pack.FjzViN/_new 2026-03-22 14:12:43.866737617 +0100 @@ -41,6 +41,8 @@ Patch6: CVE-2026-28804.patch # PATCH-FIX-UPSTREAM CVE-2026-31826.patch bsc#1259508 Patch7: CVE-2026-31826.patch +# PATCH-FIX-UPSTREAM CVE-2026-33123.patch bsc#1259992 +Patch8: CVE-2026-33123.patch BuildRequires: %{python_module pip} BuildRequires: %{python_module setuptools} BuildRequires: %{python_module wheel} ++++++ CVE-2026-33123.patch ++++++ >From 0b5d05de59a055c132b435ee2375bc32ff04d48e Mon Sep 17 00:00:00 2001 
From: Stefan <[email protected]> Date: Tue, 17 Mar 2026 11:38:28 +0100 Subject: [PATCH] SEC: Improve performance and limit length of array-based content streams (#3686) --- docs/user/security.md | 3 ++ PyPDF2/filters.py | 1 + PyPDF2/generic/_data_structures.py | 23 ++++++++++++-- tests/generic/test_data_structures.py | 43 +++++++++++++++++++++++++++ 4 files changed, 68 insertions(+), 2 deletions(-) Index: pypdf-2.11.1/PyPDF2/filters.py =================================================================== --- pypdf-2.11.1.orig/PyPDF2/filters.py +++ pypdf-2.11.1/PyPDF2/filters.py @@ -63,6 +63,7 @@ from .errors import LimitReachedError, P ZLIB_MAX_RECOVERY_INPUT_LENGTH = 5_000_000 MAX_DECLARED_STREAM_LENGTH = 75_000_000 +MAX_ARRAY_BASED_STREAM_OUTPUT_LENGTH = 75_000_000 # Reuse cached 1-byte values in the fallback loop to avoid per-byte allocations. _SINGLE_BYTES = tuple(bytes((i,)) for i in range(256)) Index: pypdf-2.11.1/PyPDF2/generic/_data_structures.py =================================================================== --- pypdf-2.11.1.orig/PyPDF2/generic/_data_structures.py +++ pypdf-2.11.1/PyPDF2/generic/_data_structures.py @@ -684,6 +684,9 @@ class EncodedStreamObject(StreamObject): return self.set_data(data) +CONTENT_STREAM_ARRAY_MAX_LENGTH = 10_000 + + class ContentStream(DecodedStreamObject): def __init__( self, 
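Review bot: The new limit `MAX_ARRAY_BASED_STREAM_OUTPUT_LENGTH = 75_000_000` in filters.py is added without a comment saying what it bounds, unlike the `_SINGLE_BYTES` line right below it; a one-liner such as `# Upper bound on the concatenated output of an array-based content stream; enforced per element in ContentStream.__init__.` would also explain why it mirrors `MAX_DECLARED_STREAM_LENGTH` on the line above. The same applies to `CONTENT_STREAM_ARRAY_MAX_LENGTH = 10_000` in the first _data_structures.py hunk, which caps the element count and is equally undocumented. The two caps live in different modules and are only joined by a function-local import in the following hunk, so a comment is the one place a reader learns they are related.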
@@ -702,10 +705,27 @@ class ContentStream(DecodedStreamObject)
 # multiple StreamObjects to be cat'd together.
 stream = stream.get_object()
 if isinstance(stream, ArrayObject):
- data = b""
+ from PyPDF2.filters import MAX_ARRAY_BASED_STREAM_OUTPUT_LENGTH # noqa: PLC0415
+
+ if (stream_length := len(stream)) > CONTENT_STREAM_ARRAY_MAX_LENGTH:
+ raise LimitReachedError(
+ f"Array-based stream has {stream_length} > {CONTENT_STREAM_ARRAY_MAX_LENGTH} elements."
+ )
+ data = bytearray()
+ length = 0
+
 for s in stream:
- data += b_(s.get_object().get_data())
+ new_data = b_(s.get_object().get_data())
+ length += len(new_data)
+ if length > MAX_ARRAY_BASED_STREAM_OUTPUT_LENGTH:
+ raise LimitReachedError(
+ f"Array-based stream has at least {length} > "
+ f"{MAX_ARRAY_BASED_STREAM_OUTPUT_LENGTH} output bytes."
+ )
+ data += new_data
 if len(data) == 0 or data[-1] != b"\n":
+ # There should be no direct need to check for a change of one byte.
+ length += 1
 data += b"\n"
 stream_bytes = BytesIO(data)
 else:
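Review bot: The trailing-newline guard `if len(data) == 0 or data[-1] != b"\n":` that the new `length += 1` now sits under is always true, because indexing a `bytearray` (like indexing `bytes` before this change) yields an int, which never equals the bytes object `b"\n"`; the newline is therefore appended unconditionally and the counter is bumped on every path. Compare a slice instead, `if not data or data[-1:] != b"\n":`, so the check matches what is actually written. Two smaller points: `length` duplicates `len(data)`, which is O(1) on a bytearray, so `if len(data) + len(new_data) > MAX_ARRAY_BASED_STREAM_OUTPUT_LENGTH:` would drop the parallel counter; and the walrus in `if (stream_length := len(stream)) > CONTENT_STREAM_ARRAY_MAX_LENGTH:` requires Python 3.8+, which only matters if this 2.11.1 backport is still built for older interpreters. `ContentStream.__init__` begins before this hunk and continues after it.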
