Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-PyPDF2 for openSUSE:Factory checked in at 2026-04-20 16:13:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-PyPDF2 (Old) and /work/SRC/openSUSE:Factory/.python-PyPDF2.new.11940 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-PyPDF2" Mon Apr 20 16:13:13 2026 rev:18 rq:1348154 version:2.11.1 Changes: --------
--- /work/SRC/openSUSE:Factory/python-PyPDF2/python-PyPDF2.changes 2026-03-22 14:12:43.150708173 +0100
+++ /work/SRC/openSUSE:Factory/.python-PyPDF2.new.11940/python-PyPDF2.changes 2026-04-20 16:13:21.722279264 +0200
@@ -1,0 +2,6 @@
+Mon Apr 20 08:41:42 UTC 2026 - Daniel Garcia <[email protected]>
+
+- CVE-2026-40260: crafted PDF can lead to large memory usage (bsc#1262284)
+ Add security patch: CVE-2026-40260.patch
+
+-------------------------------------------------------------------
New: ---- CVE-2026-40260.patch ----------(New B)---------- New:- CVE-2026-40260: crafted PDF can lead to large memory usage (bsc#1262284) Add security patch: CVE-2026-40260.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-PyPDF2.spec ++++++
--- /var/tmp/diff_new_pack.436992/_old 2026-04-20 16:13:22.418308329 +0200
+++ /var/tmp/diff_new_pack.436992/_new 2026-04-20 16:13:22.426308663 +0200
@@ -43,6 +43,8 @@
 Patch7: CVE-2026-31826.patch
 # PATCH-FIX-UPSTREAM CVE-2026-33123.patch bsc#1259992
 Patch8: CVE-2026-33123.patch
+# PATCH-FIX-UPSTREAM CVE-2026-40260.patch bsc#1262284
+Patch9: CVE-2026-40260.patch
 BuildRequires: %{python_module pip}
 BuildRequires: %{python_module setuptools}
 BuildRequires: %{python_module wheel}
++++++ CVE-2026-40260.patch ++++++ Index: pypdf-2.11.1/PyPDF2/xmp.py ===================================================================
--- pypdf-2.11.1.orig/PyPDF2/xmp.py
+++ pypdf-2.11.1/PyPDF2/xmp.py
@@ -20,8 +20,8 @@ from typing import (
 )
 from xml.dom.minidom import Document
 from xml.dom.minidom import Element as XmlElement
-from xml.dom.minidom import parseString
-from xml.parsers.expat import ExpatError
+from xml.dom.expatbuilder import ExpatBuilderNS
+from xml.parsers.expat import ExpatError, XMLParserType
 
 from ._utils import StreamType, deprecate_with_replacement
 from .errors import PdfReadError
@@ -204,6 +204,34 @@ def _getter_single(
 return get
 
 
+class _XmpBuilder(ExpatBuilderNS):
+ """
+ Custom XML parser denying all entity declarations.
+
+ This is a stripped down and typed version inspired by what *defusedxml* does.
+
+ Why do we need this? The default limits of *libexpat* used by Python only block exponential entity expansion,
+ but not cases like quadratic entity expansion which can still cause quite some memory usage.
+ """
+
+ def custom_entity_declaration_handler(
+ self,
+ entity_name: str,
+ is_parameter_entity: bool,
+ value: Optional[str],
+ base: Optional[str],
+ system_id: str,
+ public_id: Optional[str],
+ notation_name: Optional[str],
+ ) -> None:
+ raise ExpatError(f"Forbidden entities: {entity_name!r}")
+
+ def install(self, parser: XMLParserType) -> None:
+ super().install(parser)
+
+ parser.EntityDeclHandler = self.custom_entity_declaration_handler
+
+
 class XmpInformation(PdfObject):
 """
 An object that represents Adobe XMP metadata.
@@ -216,7 +244,7 @@ class XmpInformation(PdfObject):
 self.stream = stream
 try:
 data = self.stream.get_data()
- doc_root: Document = parseString(data)
+ doc_root: Document = _XmpBuilder().parseString(data)
 except ExpatError as e:
 raise PdfReadError(f"XML in XmpInformation was invalid: {e}")
 self.rdf_root: XmlElement = doc_root.getElementsByTagNameNS(
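Review bot: `install` in the `_XmpBuilder` hunk replaces `parser.EntityDeclHandler` right after `super().install(parser)` with no docstring saying why the base wiring is not enough; as far as I recall `ExpatBuilder.install` only sets that handler behind an option, so the unconditional override is the security-relevant line and deserves a docstring such as `"""Install the DOM-building callbacks, then unconditionally replace the entity-declaration callback so any <!ENTITY> declaration (internal, external or parameter) aborts the parse."""`. The annotation `system_id: str` on `custom_entity_declaration_handler` looks inconsistent with the neighbouring `value`/`base`: for an internal entity expat passes no system id, so `system_id: Optional[str]` appears to be the accurate type (the handler never reads it, so behaviour is unchanged). The class docstring could also state what remains permitted — a DOCTYPE carrying element or attlist declarations is still parsed, only entity declarations are refused — so a reader does not assume defusedxml's forbid_dtd semantics. The call site in the last hunk builds a fresh `_XmpBuilder()` for each parse, which keeps the override free of shared parser state; the enclosing `__init__` there begins and ends outside the hunk.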
