Source: pypdf2
Version: 1.26.0-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/py-pdf/PyPDF2/issues/329
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for pypdf2.

CVE-2022-24859[0]:
| PyPDF2 is an open source python PDF library capable of splitting,
| merging, cropping, and transforming the pages of PDF files. In
| versions prior to 1.27.5 an attacker who uses this vulnerability can
| craft a PDF which leads to an infinite loop if the code
| attempts to get the content stream. The reason is that the last while-
| loop in `ContentStream._readInlineImage` only terminates when it finds
| the `EI` token, but never actually checks if the stream has already
| ended. This issue has been resolved in version `1.27.5`. Users unable
| to upgrade should validate PDFs prior to iterating over their
| content stream.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24859
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24859
[1] https://github.com/py-pdf/PyPDF2/issues/329
[2] https://github.com/py-pdf/PyPDF2/security/advisories/GHSA-xcjx-m2pj-8g79

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
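The following Python sketch is an added illustration of the failure mode the CVE text describes; it is not PyPDF2's code and not part of this bug report. It models the body of a PDF inline image (the bytes between the `ID` and `EI` tokens) as an in-memory stream and scans for the whitespace-delimited `EI` terminator two ways: `scan_unchecked` has the shape of a loop that only exits on `EI`, so on a truncated body `read(1)` keeps returning `b""` and it spins (a step budget makes it return `None` instead of hanging); `scan_checked` adds the end-of-stream test that turns the hang into an error. Function names, the whitespace set and the sample bodies are constructed for this example.

```python
"""
Constructed demonstration of the CVE-2022-24859 failure mode: scanning an
inline-image body for the `EI` end token with and without an end-of-stream
check. Not PyPDF2's code; all names here are hypothetical.
"""
import io

# PDF whitespace bytes (constructed set for this example).
WHITESPACE = b" \t\r\n\x0c\x00"


class TruncatedStreamError(ValueError):
    """Raised when the content stream ends before the `EI` token."""


def _ei_follows(stream: io.BytesIO) -> bool:
    """Peek without consuming: is the next token `EI`, delimited by
    whitespace or by the end of the stream?"""
    pos = stream.tell()
    peek = stream.read(3)
    stream.seek(pos)
    return peek[:2] == b"EI" and (len(peek) == 2 or peek[2:3] in WHITESPACE)


def scan_unchecked(stream: io.BytesIO, step_budget: int):
    """Vulnerable shape: keep reading until a delimited `EI` appears.
    At end of stream read(1) returns b"" forever, which never matches, so
    a truncated body would loop indefinitely. step_budget caps the spin so
    this demo returns None ('budget exhausted') instead of hanging."""
    data = bytearray()
    for _ in range(step_budget):
        tok = stream.read(1)
        if tok in WHITESPACE and _ei_follows(stream):
            stream.read(2)  # consume the EI token
            return bytes(data)
        data += tok  # b"" at end of stream is a silent no-op here
    return None


def scan_checked(stream: io.BytesIO) -> bytes:
    """Hardened shape: identical scan, but an empty read means the stream
    ended before `EI`, which is reported instead of retried."""
    data = bytearray()
    while True:
        tok = stream.read(1)
        if not tok:
            raise TruncatedStreamError("content stream ended before EI token")
        if tok in WHITESPACE and _ei_follows(stream):
            stream.read(2)  # consume the EI token
            return bytes(data)
        data += tok


def ends_before_ei(body: bytes) -> bool:
    """Validation helper: True if the inline-image body has no terminator,
    i.e. the kind of input that would have hung the unchecked loop."""
    try:
        scan_checked(io.BytesIO(body))
    except TruncatedStreamError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample bodies (the bytes that follow an `ID` token).
    well_formed = b"\x10\x7f\x30\x40 EI Q"
    tricky = b"ab EIx cd EI"     # 'EIx' is image data, not a terminator
    truncated = b"\x10\x7f E"    # stream cut off mid-terminator

    print(scan_checked(io.BytesIO(well_formed)))
    print(scan_checked(io.BytesIO(tricky)))
    print(scan_unchecked(io.BytesIO(truncated), step_budget=10_000))
    print(ends_before_ei(truncated))
```

The `tricky` body shows why the terminator check needs the trailing delimiter: `EIx` inside binary image data must not end the image, and only the final whitespace-`EI`-end sequence does. The same scan, given a body with no terminator, is exactly the input class the advisory warns about; the difference between the two functions is a single `if not tok` test.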