Control: tag -1 confirmed

Hi,

On Mon, Jan 16, 2023 at 07:41:21AM +0100, László Böszörményi wrote:
> On Mon, Jan 16, 2023 at 6:38 AM Salvatore Bonaccorso <car...@debian.org>
> wrote:
> > On Sun, Jan 15, 2023 at 04:57:24PM -0500, Daniel Kahn Gillmor wrote:
> > > I was looking into CVE-2022-24859 and pypdf2, and trying to figure out
> > > whether the version in bullseye is still vulnerable, as it appears to be
> > > according to the security tracker:
> [...]
> > It is still unfixed in bullseye TTBOMK, but would not warrant a DSA.
> Indeed, it's not yet fixed for Bullseye and doesn't warrant a DSA as
> the max impact is an infinite loop in the user's own process.
>
> > Can you propose a fix for it with cherry-picking the pull request
> > changes for the next bullseye point release?
> Correct, it needs to go via Bullseye point update. I attached the
> short change which has the original commit as Salvatore noted.

Either of the proposed diffs is fine; please go ahead.

Thanks,

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1