Bug#836787: jessie-pu: package pypdf2/1.23+git20141008-1+deb8u1

2016-09-05 Thread Adam D. Barratt
Control: tags -1 + pending

On Mon, 2016-09-05 at 19:59 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Mon, 2016-09-05 at 20:06 +0200, Laszlo Boszormenyi (GCS) wrote:
> > A PyPDF2 user found a DoS, an infinite loop[1]. It has a reproducer
> > even. This affects Jessie as well (the Sid update is just uploaded).
> > Upstream fix is simple[2] and the Security Team noted this as no-dsa,
> > but can be updated via a Jessie PU.
> 
> Please go ahead.

Uploaded and flagged for acceptance.

Regards,

Adam



Bug#836787: jessie-pu: package pypdf2/1.23+git20141008-1+deb8u1

2016-09-05 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2016-09-05 at 20:06 +0200, Laszlo Boszormenyi (GCS) wrote:
> A PyPDF2 user found a DoS, an infinite loop[1]. It has a reproducer
> even. This affects Jessie as well (the Sid update is just uploaded).
> Upstream fix is simple[2] and the Security Team noted this as no-dsa,
> but can be updated via a Jessie PU.

Please go ahead.

Regards,

Adam



Bug#836787: jessie-pu: package pypdf2/1.23+git20141008-1+deb8u1

2016-09-05 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi Release Team,

A PyPDF2 user found a DoS, an infinite loop[1]. It has a reproducer
even. This affects Jessie as well (the Sid update is just uploaded).
Upstream fix is simple[2] and the Security Team noted this as no-dsa,
but can be updated via a Jessie PU.

Proposed patch is attached.

Thanks for considering,
Laszlo/GCS
[1] https://github.com/mstamy2/PyPDF2/issues/184
[2] https://github.com/mstamy2/PyPDF2/commit/4fc7f9d14adb2a9b890aea2616955ec54229f48c

diff -Nru pypdf2-1.23+git20141008/debian/changelog pypdf2-1.23+git20141008/debian/changelog
--- pypdf2-1.23+git20141008/debian/changelog	2014-10-25 21:00:12.0 +
+++ pypdf2-1.23+git20141008/debian/changelog	2016-09-05 17:50:32.0 +
@@ -1,3 +1,10 @@
+pypdf2 (1.23+git20141008-1+deb8u1) jessie; urgency=medium
+
+  * Backport fix 'prevent infinite loop in readObject() function' to prevent
+DoS from upstream Git tree.
+
+ -- Laszlo Boszormenyi (GCS)   Mon, 05 Sep 2016 17:46:41 +
+
 pypdf2 (1.23+git20141008-1) unstable; urgency=low
 
   * Upstream snapshot with various bug fixes.
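Review bot: the new changelog entry gives no reference a reader could follow from the package to the fix; the `* Backport fix 'prevent infinite loop in readObject() function'` line should name the upstream issue (mstamy2/PyPDF2#184) or the upstream commit id, since the request text cites both and stable updates are normally traced from the changelog. Separately, the wrapped continuation `DoS from upstream Git tree.` appears here without leading indentation; Debian changelog description lines must be indented, so confirm this is only a mail-rendering artifact and not what is in the upload.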
diff -Nru pypdf2-1.23+git20141008/debian/patches/Prevent_infinite_loop_in_readObject.patch pypdf2-1.23+git20141008/debian/patches/Prevent_infinite_loop_in_readObject.patch
--- pypdf2-1.23+git20141008/debian/patches/Prevent_infinite_loop_in_readObject.patch	1970-01-01 00:00:00.0 +
+++ pypdf2-1.23+git20141008/debian/patches/Prevent_infinite_loop_in_readObject.patch	2016-09-05 17:49:22.0 +
@@ -0,0 +1,25 @@
+From 48193975e5a0e48ebbb68217f8533ad2bfbdede2 Mon Sep 17 00:00:00 2001
+From: Henri Salo 
+Date: Tue, 18 Aug 2015 13:42:22 +0300
+Subject: [PATCH] Prevent infinite loop in readObject() function. Patch by
+ dhudson1. Closes mstamy2/PyPDF2#184
+
+---
+ PyPDF2/generic.py | 4 
+ 1 file changed, 4 insertions(+)
+
+diff --git a/PyPDF2/generic.py b/PyPDF2/generic.py
+index df1e028..657612a 100644
+--- a/PyPDF2/generic.py
 b/PyPDF2/generic.py
+@@ -82,6 +82,10 @@ def readObject(stream, pdf):
+ # comment
+ while tok not in (b_('\r'), b_('\n')):
+ tok = stream.read(1)
++# Prevents an infinite loop by raising an error if the stream is at
++# the EOF
++if len(tok) <= 0:
++raise PdfStreamError("File ended unexpectedly.")
+ tok = readNonWhitespace(stream)
+ stream.seek(-1, 1)
+ return readObject(stream, pdf)
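Review bot: the added check raises `PdfStreamError` but the hunk adds no import for it, so confirm the name is already in scope in the jessie snapshot's generic.py (the Oct 2014 snapshot predates the Aug 2015 upstream commit, and the backport is taken verbatim). As displayed, the nested patch is also damaged: the `+++ b/PyPDF2/generic.py` header has lost its marker (the line reads only ` b/PyPDF2/generic.py`) and the Python lines have lost their indentation; either defect would make quilt fail to apply the patch or change Python semantics, so verify the file in the upload applies cleanly. The logic of the change itself is sound: at EOF `stream.read(1)` returns an empty bytes object, which is not `\r` or `\n`, so the pre-patch loop never exits; testing `len(tok) <= 0` immediately after the read terminates it with an error instead. Note that it covers only this comment-skipping loop in readObject(); the debdiff makes no claim about other read loops in the parser.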
diff -Nru pypdf2-1.23+git20141008/debian/patches/series pypdf2-1.23+git20141008/debian/patches/series
--- pypdf2-1.23+git20141008/debian/patches/series	1970-01-01 00:00:00.0 +
+++ pypdf2-1.23+git20141008/debian/patches/series	2016-09-05 17:50:00.0 +
@@ -0,0 +1 @@
+Prevent_infinite_loop_in_readObject.patch
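The infinite loop described in the request above, as an added example (not code from the bug report, from Debian or from PyPDF2): a minimal model of the comment-skipping loop in readObject() before and after the backported EOF check, run against a constructed well-formed fragment and a constructed truncated one. It uses plain io.BytesIO and a local stand-in PdfStreamError class; the PyPDF2 helpers b_() and readNonWhitespace() are not reproduced, and the read-count guard in the pre-patch model exists only so the demonstration returns instead of hanging.

```python
import io


class PdfStreamError(Exception):
    """Local stand-in for PyPDF2's PdfStreamError (assumed, not imported)."""


def skip_comment_vulnerable(stream, max_reads=10_000):
    """Pre-patch comment skipping: read single bytes until '\\r' or '\\n'.

    At end of file, stream.read(1) returns b'' on every call.  b'' is not
    '\\r' or '\\n', so the loop condition stays true forever.  The max_reads
    guard is added only for this demonstration; the original loop has none.
    Returns the stream position after the comment, or -1 if the guard tripped.
    """
    tok = stream.read(1)          # the '%' that starts the comment
    reads = 0
    while tok not in (b'\r', b'\n'):
        tok = stream.read(1)
        reads += 1
        if reads >= max_reads:    # demonstration guard, not in PyPDF2
            return -1
    return stream.tell()


def skip_comment_fixed(stream):
    """Post-patch comment skipping: same loop, plus the EOF check from the fix."""
    tok = stream.read(1)          # the '%' that starts the comment
    while tok not in (b'\r', b'\n'):
        tok = stream.read(1)
        # Prevents an infinite loop by raising an error if the stream is at EOF
        if len(tok) <= 0:
            raise PdfStreamError("File ended unexpectedly.")
    return stream.tell()


# Constructed inputs: a comment terminated by a newline, and one cut off
# before any end-of-line (the shape of input the report describes).
WELL_FORMED = b"% hi\n1 0 obj"
TRUNCATED = b"% comment with no end-of-line"


def demo():
    """Run both versions on both inputs and collect the outcomes."""
    results = {
        "well_formed_vulnerable": skip_comment_vulnerable(io.BytesIO(WELL_FORMED)),
        "truncated_vulnerable": skip_comment_vulnerable(io.BytesIO(TRUNCATED)),
        "well_formed_fixed": skip_comment_fixed(io.BytesIO(WELL_FORMED)),
    }
    try:
        skip_comment_fixed(io.BytesIO(TRUNCATED))
        results["truncated_fixed"] = "no error raised"
    except PdfStreamError as exc:
        results["truncated_fixed"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

On the well-formed input both versions stop at the newline and report the same stream position; on the truncated input the pre-patch model only returns because of the demonstration guard, while the patched form raises PdfStreamError on the first empty read. The check sits directly after the read, as in the upstream patch, so a single EOF read terminates the loop; a bounded read count would be an alternative mitigation, but the upstream fix chose to fail loudly on a malformed file rather than silently give up.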