Hi Daniel,

On Sun, Jan 15, 2023 at 04:57:24PM -0500, Daniel Kahn Gillmor wrote:
> Hi László and debian security team--
>
> I was looking into CVE-2022-24859 and pypdf2, and trying to figure out
> whether the version in bullseye is still vulnerable, as it appears to be
> according to the security tracker:
>
> https://security-tracker.debian.org/tracker/CVE-2022-24859
>
> It's not clear to me whether
> debian/patches/Prevent_infinite_loop_in_readObject.patch is intended to
> fix the same bug or not (it's certainly similar-sounding, but it is in
> an entirely different part of the codebase than I think is relevant).
> If it's not the same, maybe we need the patch that is currently applied
> to debian LTS.
>
> If the latter is needed, the attached debdiff should solve the problem
> in bullseye. I've also pushed a branch "debian/pypdf2/bullseye" in
> https://salsa.debian.org/debian/pypdf with the same information, in line
> with the collaborative workspace that László and I set up for handling
> PyPDF2 and its transition to pypdf.
>
> Please let me know whether this is something that should be uploaded.
>
> If it's not needed, then presumably we should update the security
> tracker to acknowledge that the version in bullseye is already fixed.
The fix for CVE-2022-24859 can be found via

https://github.com/py-pdf/PyPDF2/issues/329
https://github.com/py-pdf/PyPDF2/pull/740
https://github.com/py-pdf/pypdf/security/advisories/GHSA-xcjx-m2pj-8g79

It is still unfixed in bullseye TTBOMK, but would not warrant a DSA. Can
you propose a fix for it by cherry-picking the pull request changes for
the next bullseye point release?

Regards,
Salvatore