Hi László and Debian security team,

I was looking into CVE-2022-24859 and pypdf2, and trying to figure out whether the version in bullseye is still vulnerable, as it appears to be according to the security tracker:

https://security-tracker.debian.org/tracker/CVE-2022-24859

It's not clear to me whether debian/patches/Prevent_infinite_loop_in_readObject.patch is intended to fix the same bug or not (it's certainly similar-sounding, but it is in an entirely different part of the codebase than I think is relevant). If it's not the same, maybe we need the patch that is currently applied to Debian LTS.

If the latter is needed, the attached debdiff should solve the problem in bullseye. I've also pushed a branch "debian/pypdf2/bullseye" in https://salsa.debian.org/debian/pypdf with the same information, in line with the collaborative workspace that László and I set up for handling PyPDF2 and its transition to pypdf.

Please let me know whether this is something that should be uploaded. If it's not needed, then presumably we should update the security tracker to acknowledge that the version in bullseye is already fixed.

--dkg