Control: clone 1009879 -1 Control: reassign -1 release.debian.org Control: tag -1 + bullseye Control: user release.debian....@packages.debian.org Control: usertag -1 pu Control: affects -1 src:pypdf2 Control: retitle -1 bullseye-pu: package pypdf2/1.26.0-4+deb11u1
On Mon 2023-01-16 07:41:21 +0100, László Böszörményi (GCS) wrote: > Correct, it needs to go via Bullseye point update. I attached the > short change which has the original commit as Salvatore noted. Thanks for the confirmation, László. Sounds good to me. It looks like I failed to attach the debdiff to my initial e-mail, but I had intended to offer the same substantive changeset that you identified. I'm cloning this bug report to ask for confirmation from the stable release managers, with a refreshed debdiff. I've also pushed the changes into salsa on the debian/pypdf2/bullseye branch. Release maintainers: if you can confirm this, I'll go ahead with the upload so that this is fixed in the next point release of bullseye. Regards, --dkg
diff -Nru pypdf2-1.26.0/debian/changelog pypdf2-1.26.0/debian/changelog
--- pypdf2-1.26.0/debian/changelog 2020-01-19 03:08:58.000000000 -0500
+++ pypdf2-1.26.0/debian/changelog 2023-01-15 16:22:04.000000000 -0500
@@ -1,3 +1,15 @@
+pypdf2 (1.26.0-4+deb11u1) bullseye; urgency=high
+
+ * Add myself to uploaders
+ * Point to Salsa for packaging revision control.
+ * Fix CVE-2022-24859:
+ Sebastian Krause discovered that manipulated inline images can force
+ PyPDF2, a pure Python PDF library, into an infinite loop, if a maliciously
+ crafted PDF file is processed. (Thanks, Markus Koschany <a...@debian.org>)
+ Closes: #1009879
+
+ -- Daniel Kahn Gillmor <d...@fifthhorseman.net> Sun, 15 Jan 2023 16:22:04 -0500
+
 pypdf2 (1.26.0-4) unstable; urgency=medium
 * Remove Python 2 from build dependencies (closes: #937505).
diff -Nru pypdf2-1.26.0/debian/control pypdf2-1.26.0/debian/control
--- pypdf2-1.26.0/debian/control 2020-01-19 03:08:58.000000000 -0500
+++ pypdf2-1.26.0/debian/control 2023-01-15 16:22:04.000000000 -0500
@@ -1,8 +1,11 @@
 Source: pypdf2
 Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
+Uploaders: Daniel Kahn Gillmor <d...@fifthhorseman.net>
 Section: python
 Priority: optional
 Build-Depends: debhelper-compat (= 12), dh-python, python3-all
+Vcs-Git: https://salsa.debian.org/debian/pypdf.git -b debian/pypdf2/bullseye
+Vcs-Browser: https://salsa.debian.org/debian/pypdf
 Standards-Version: 4.4.1
 Homepage: https://pythonhosted.org/PyPDF2/
diff -Nru pypdf2-1.26.0/debian/gbp.conf pypdf2-1.26.0/debian/gbp.conf
--- pypdf2-1.26.0/debian/gbp.conf 1969-12-31 19:00:00.000000000 -0500
+++ pypdf2-1.26.0/debian/gbp.conf 2023-01-15 16:22:04.000000000 -0500
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = debian/pypdf2/bullseye
+pristine-tar = True
diff -Nru pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch
--- pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch 1969-12-31 19:00:00.000000000 -0500
+++ pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch 2023-01-15 16:22:04.000000000 -0500
@@ -0,0 +1,65 @@
+From: Sebastian Krause <sebast...@realpath.org>
+Date: Fri, 15 Apr 2022 13:55:29 +0200
+Subject: [PATCH] SEC/PERF: ContentStream_readInlineImage (#740)
+
+Bug-Debian: https://bugs.debian.org/1009879
+Origin: https://github.com/py-pdf/PyPDF2/pull/740
+Closes #329 - potential infinite loop (SEC)
+Closes #330 - performance issue of ContentStream._readInlineImage (PERF)
+---
+ PyPDF2/pdf.py | 32 ++++++++++++++++++++++----------
+ 1 file changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/PyPDF2/pdf.py b/PyPDF2/pdf.py
+index 9979414..b55dfba 100644
+--- a/PyPDF2/pdf.py
++++ b/PyPDF2/pdf.py
+@@ -2723,11 +2723,25 @@ class ContentStream(DecodedStreamObject):
+ # left at beginning of ID
+ tmp = stream.read(3)
+ assert tmp[:2] == b_("ID")
+- data = b_("")
++ data = BytesIO()
++ # Read the inline image, while checking for EI (End Image) operator.
+ while True:
+- # Read the inline image, while checking for EI (End Image) operator.
+- tok = stream.read(1)
+- if tok == b_("E"):
++ # Read 8 kB at a time and check if the chunk contains the E operator.
++ buf = stream.read(8192)
++ # We have reached the end of the stream, but haven't found the EI operator.
++ if not buf:
++ raise utils.PdfReadError("Unexpected end of stream")
++ loc = buf.find(b_("E"))
++
++ if loc == -1:
++ data.write(buf)
++ else:
++ # Write out everything before the E.
++ data.write(buf[0:loc])
++
++ # Seek back in the stream to read the E next.
++ stream.seek(loc - len(buf), 1)
++ tok = stream.read(1)
+ # Check for End Image
+ tok2 = stream.read(1)
+ if tok2 == b_("I"):
+@@ -2744,14 +2758,12 @@ class ContentStream(DecodedStreamObject):
+ stream.seek(-1, 1)
+ break
+ else:
+- stream.seek(-1,1)
+- data += info
++ stream.seek(-1, 1)
++ data.write(info)
+ else:
+ stream.seek(-1, 1)
+- data += tok
+- else:
+- data += tok
+- return {"settings": settings, "data": data}
++ data.write(tok)
++ return {"settings": settings, "data": data.getvalue()}
+
+ def _getData(self):
+ newdata = BytesIO()
diff -Nru pypdf2-1.26.0/debian/patches/Prevent_infinite_loop_in_readObject.patch pypdf2-1.26.0/debian/patches/Prevent_infinite_loop_in_readObject.patch
--- pypdf2-1.26.0/debian/patches/Prevent_infinite_loop_in_readObject.patch 2020-01-19 03:08:58.000000000 -0500
+++ pypdf2-1.26.0/debian/patches/Prevent_infinite_loop_in_readObject.patch 2023-01-15 16:22:04.000000000 -0500
@@ -1,4 +1,3 @@
-From 48193975e5a0e48ebbb68217f8533ad2bfbdede2 Mon Sep 17 00:00:00 2001
 From: Henri Salo <henri.s...@nixu.com>
 Date: Tue, 18 Aug 2015 13:42:22 +0300
 Subject: [PATCH] Prevent infinite loop in readObject() function. Patch by
@@ -9,7 +8,7 @@
 1 file changed, 4 insertions(+)
 diff --git a/PyPDF2/generic.py b/PyPDF2/generic.py
-index df1e028..657612a 100644
+index c433229..1c34f7c 100644
 --- a/PyPDF2/generic.py
 +++ b/PyPDF2/generic.py
 @@ -82,6 +82,10 @@ def readObject(stream, pdf):
diff -Nru pypdf2-1.26.0/debian/patches/series pypdf2-1.26.0/debian/patches/series
--- pypdf2-1.26.0/debian/patches/series 2020-01-19 03:08:58.000000000 -0500
+++ pypdf2-1.26.0/debian/patches/series 2023-01-15 16:22:04.000000000 -0500
@@ -1 +1,2 @@
 Prevent_infinite_loop_in_readObject.patch
+CVE-2022-24859.patch
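Review bot: The new end-of-stream guard only covers the 8 kB bulk read (`if not buf:`); the one-byte reads that follow it, `tok2 = stream.read(1)` in the first hunk and the `info` read that feeds the second, can still return an empty result at end of stream without raising. If I trace the second hunk's outer `else:` branch correctly, an empty `tok2` leads to `stream.seek(-1, 1)` followed by `data.write(tok)`, which steps back onto the `E` that was just consumed and lets the next iteration read the same byte again, so a content stream ending in a bare `E` still appears able to loop indefinitely while `data` grows. Adding the same check after each short read, e.g. `if not tok2: raise utils.PdfReadError("Unexpected end of stream")`, would close that path consistently with the guard this patch introduces. The enclosing `ContentStream._readInlineImage` body begins before the first hunk and the `info` read sits in the lines between the two hunks, so please confirm against the full function before uploading.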