Source: pypdf Version: 6.9.2-2 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerabilities were published for pypdf. CVE-2026-59935[0]: | pypdf is a free and open-source pure-python PDF library. Prior to | 6.14.2, an attacker can craft a PDF with a page content stream | containing a not terminated inline image that uses the ASCII85 or | ASCIIHex filters, causing an infinite loop during parsing such as | when extracting page text. This issue is fixed in version 6.14.2. CVE-2026-59936[1]: | pypdf is a free and open-source pure-python PDF library. Prior to | 6.14.1, an attacker can craft a PDF with a page content stream | containing a not terminated inline image, causing an infinite loop | during inline image end marker detection such as when extracting | page text. This issue is fixed in version 6.14.1. CVE-2026-59937[2]: | pypdf is a free and open-source pure-python PDF library. Prior to | 6.14.0, an attacker can craft a PDF with repeated malformed cross- | reference streams that cause pypdf to spend long runtimes recovering | broken cross-reference table entries. This issue is fixed in version | 6.14.0. CVE-2026-59938[3]: | pypdf is a free and open-source pure-python PDF library. Prior to | 6.14.0, an attacker can craft a PDF with declared image size values | that are much too large compared to the actual data, causing large | memory usage in pypdf image parsing. This issue is fixed in version | 6.14.0. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-59935 https://www.cve.org/CVERecord?id=CVE-2026-59935 [1] https://security-tracker.debian.org/tracker/CVE-2026-59936 https://www.cve.org/CVERecord?id=CVE-2026-59936 [2] https://security-tracker.debian.org/tracker/CVE-2026-59937 https://www.cve.org/CVERecord?id=CVE-2026-59937 [3] https://security-tracker.debian.org/tracker/CVE-2026-59938 https://www.cve.org/CVERecord?id=CVE-2026-59938 Regards, Salvatore

