Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
CVE fix.

[ Impact ]
Users still vulnerable to security issue.

[ Tests ]
Upstream has an extensive test suite, although we don't include a test specifically for this issue. All tests pass on bookworm locally.

[ Risks ]
Risk is negligible. Code is trivial. Fix has been available for 8 months upstream. The same code is in pypdf and there have been no issues reported with it (stable update for it is pending as well).

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Add a patch to apply the upstream fix for the issue.

[ Other info ]
This looks like an NMU in bookworm, but I just adopted the package. I did not include the maintainer changes in the stable-update since that seemed to get beyond a minimal fix.

Scott K
diff -Nru pypdf2-2.12.1/debian/changelog pypdf2-2.12.1/debian/changelog --- pypdf2-2.12.1/debian/changelog 2023-01-13 16:38:55.000000000 -0500 +++ pypdf2-2.12.1/debian/changelog 2024-01-19 17:32:34.000000000 -0500 @@ -1,3 +1,12 @@ +pypdf2 (2.12.1-3+deb12u1) bookworm; urgency=medium + + * Prevent infinite loop when no character follows after a comment (Closes: + #1040339) + - Addresses CVE-2023-36464 + - Add d/p/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch + + -- Scott Kitterman <sc...@kitterman.com> Fri, 19 Jan 2024 17:32:34 -0500 + pypdf2 (2.12.1-3) unstable; urgency=medium * disable two more network tests diff -Nru pypdf2-2.12.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch pypdf2-2.12.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch --- pypdf2-2.12.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch 1969-12-31 19:00:00.000000000 -0500 +++ pypdf2-2.12.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch 2024-01-19 17:30:16.000000000 -0500 
@@ -0,0 +1,21 @@ +From: Scott Kitterman <sc...@kitterman.com> +Date: Mon, 15 Jan 2024 11:34:11 -0500 +Subject: Prevent infinite loop when no character follows after a comment +https://security-tracker.debian.org/tracker/CVE-2023-36464 +--- + PyPDF2/generic/_data_structures.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: pypdf/PyPDF2/generic/_data_structures.py +=================================================================== +--- pypdf.orig/PyPDF2/generic/_data_structures.py ++++ pypdf/PyPDF2/generic/_data_structures.py +@@ -733,7 +733,7 @@ class ContentStream(DecodedStreamObject) + # encountering a comment -- but read_object assumes that + # following the comment must be the object we're trying to + # read. In this case, it could be an operator instead. +- while peek not in (b"\r", b"\n"): ++ while peek not in (b"\r", b"\n", b""): + peek = stream.read(1) + else: + operands.append(read_object(stream, None, self.forced_encoding)) diff -Nru pypdf2-2.12.1/debian/patches/series pypdf2-2.12.1/debian/patches/series --- pypdf2-2.12.1/debian/patches/series 2023-01-13 16:38:30.000000000 -0500 +++ pypdf2-2.12.1/debian/patches/series 2024-01-19 17:30:16.000000000 -0500 @@ -1 +1,2 @@ disable-network-tests.patch +0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
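Review bot: the DEP-3 header of 0003-Prevent-infinite-loop-when-no-character-follows-afte.patch carries From/Date/Subject but no `Origin:` field naming the upstream commit this backports, and no `Bug-Debian:` field for #1040339; the tracker URL sits directly under `Subject:` with neither a field name nor a blank line, so it does not parse as a header field. Suggest adding `Origin: upstream, <upstream commit URL>` (placeholder, not on the page) and `Bug-Debian: https://bugs.debian.org/1040339` so the provenance of the one-line change is recorded. The change itself is sound: `stream.read(1)` returns `b""` at end of stream, so adding `b""` to the terminator tuple makes the comment-skipping loop stop at EOF instead of spinning; since the [ Tests ] section says no test covers this, a regression test feeding a content stream that ends in a comment with no trailing newline would close that gap.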