Hi Daniel, On Mon, Jan 16, 2023 at 6:38 AM Salvatore Bonaccorso <car...@debian.org> wrote: > On Sun, Jan 15, 2023 at 04:57:24PM -0500, Daniel Kahn Gillmor wrote: > > I was looking into CVE-2022-24859 and pypdf2, and trying to figure out > > whether the version in bullseye is still vulnerable, as it appears to be > > according to the security tracker: [...] > It is still unfixed in bullseye TTBOMK, but would not warrant a DSA. Indeed, it's not yet fixed in Bullseye and doesn't warrant a DSA, as the maximum impact is an infinite loop in the user's own process.
> Can you propose a fix for it with cherry-picking the pull request > changes for the next bullseye point release? Correct, it needs to go via a Bullseye point update. I attached the short change, which carries the original upstream commit as Salvatore noted. Sorry for the noise, Laszlo/GCS
diff -Nru pypdf2-1.26.0/debian/changelog pypdf2-1.26.0/debian/changelog
--- pypdf2-1.26.0/debian/changelog 2020-01-19 09:08:58.000000000 +0100
+++ pypdf2-1.26.0/debian/changelog 2023-01-16 07:22:11.000000000 +0100
@@ -1,3 +1,10 @@
+pypdf2 (1.26.0-4+deb11u1) bullseye; urgency=high
+
+ * Backport fix for CVE-2022-24859: manipulated inline images can cause
+ infinite loop (closes: #1009879).
+
+ -- Laszlo Boszormenyi (GCS) <g...@debian.org> Mon, 16 Jan 2023 07:22:11 +0100
+
 pypdf2 (1.26.0-4) unstable; urgency=medium
 
 * Remove Python 2 from build dependencies (closes: #937505).
diff -Nru pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch
--- pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch 1970-01-01 01:00:00.000000000 +0100
+++ pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch 2023-01-16 00:10:42.000000000 +0100
@@ -0,0 +1,64 @@
+From d71fb3e6249a07682e8ebc456e26499923ff9031 Mon Sep 17 00:00:00 2001
+From: Sebastian Krause <sebast...@realpath.org>
+Date: Fri, 15 Apr 2022 13:55:29 +0200
+Subject: [PATCH] SEC/PERF: ContentStream_readInlineImage (#740)
+
+Closes #329 - potential infinite loop (SEC)
+Closes #330 - performance issue of ContentStream._readInlineImage (PERF)
+---
+ PyPDF2/pdf.py | 32 ++++++++++++++++++++++----------
+ 1 file changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/PyPDF2/pdf.py b/PyPDF2/pdf.py
+index 5bd4b7968..6d1824384 100644
+--- a/PyPDF2/pdf.py
++++ b/PyPDF2/pdf.py
+@@ -2723,11 +2723,25 @@ def _readInlineImage(self, stream):
+ # left at beginning of ID
+ tmp = stream.read(3)
+ assert tmp[:2] == b_("ID")
+- data = b_("")
++ data = BytesIO()
++ # Read the inline image, while checking for EI (End Image) operator.
+ while True:
+- # Read the inline image, while checking for EI (End Image) operator.
+- tok = stream.read(1)
+- if tok == b_("E"):
++ # Read 8 kB at a time and check if the chunk contains the E operator.
++ buf = stream.read(8192)
++ # We have reached the end of the stream, but haven't found the EI operator.
++ if not buf:
++ raise utils.PdfReadError("Unexpected end of stream")
++ loc = buf.find(b_("E"))
++
++ if loc == -1:
++ data.write(buf)
++ else:
++ # Write out everything before the E.
++ data.write(buf[0:loc])
++
++ # Seek back in the stream to read the E next.
++ stream.seek(loc - len(buf), 1)
++ tok = stream.read(1)
+ # Check for End Image
+ tok2 = stream.read(1)
+ if tok2 == b_("I"):
+@@ -2744,14 +2758,12 @@ def _readInlineImage(self, stream):
+ stream.seek(-1, 1)
+ break
+ else:
+- stream.seek(-1,1)
+- data += info
++ stream.seek(-1, 1)
++ data.write(info)
+ else:
+ stream.seek(-1, 1)
+- data += tok
+- else:
+- data += tok
+- return {"settings": settings, "data": data}
++ data.write(tok)
++ return {"settings": settings, "data": data.getvalue()}
+
+ def _getData(self):
+ newdata = BytesIO()
diff -Nru pypdf2-1.26.0/debian/patches/series pypdf2-1.26.0/debian/patches/series
--- pypdf2-1.26.0/debian/patches/series 2016-09-05 19:14:14.000000000 +0200
+++ pypdf2-1.26.0/debian/patches/series 2023-01-16 00:13:06.000000000 +0100
@@ -1 +1,2 @@
 Prevent_infinite_loop_in_readObject.patch
+CVE-2022-24859.patch
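Review bot: The end-of-stream guard in the backported loop only covers the 8 kB read, so a content stream whose remaining bytes end in a bare `E` still never terminates. After `tok = stream.read(1)` consumes that final `E`, `tok2 = stream.read(1)` returns `b''` without advancing, and the `stream.seek(-1, 1)` in the `tok2 != b_("I")` branch then un-reads the `E` instead of `tok2`; the next `stream.read(8192)` returns the same `E`, `loc` is 0, and `data` grows by one byte per iteration with no exit. The `I` branch between the two inner hunks is not shown, so its `stream.seek(-1, 1)` calls may have the same un-read-at-EOF pattern and should be checked in the full patch. Since this is a verbatim upstream cherry-pick, the smallest fix is an additional Debian patch adding one line after the second read: `if not tok2: raise utils.PdfReadError("Unexpected end of stream")`, mirroring the existing `if not buf:` check.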